Accurate identification of vulnerability-inducing commits serves as a foundation for a series of software security tasks, such as vulnerability detection and affected-version analysis. A straightforward solution is the SZZ algorithm, which traces back through the code history to identify the earliest commit that modified the vulnerable code. Unfortunately, neither the customized V-SZZ nor the state-of-the-art LLM4SZZ performs satisfactorily, owing to incorrect anchor selection and inadequate backtracking capability, which leaves them far from reliable in practice. To overcome these challenges, we propose a multi-agent SZZ algorithm, named MAS-SZZ, that identifies vulnerability-inducing commits through collaboration among agents. Specifically, given a CVE description and its corresponding fixing commit, MAS-SZZ summarizes the root cause of the vulnerability and employs a structured step-forward prompting strategy to localize vulnerability-related statements based on the change intent of each patch hunk. These vulnerable statements serve as anchors from which MAS-SZZ autonomously traces backward through the repository's history to find the commit that first introduced the vulnerability. Extensive experiments show that MAS-SZZ outperforms the state-of-the-art baselines across datasets and programming languages, achieving F1-score gains of up to 65.22% over the best-performing SZZ algorithm.
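To make the anchor-and-backtrack mechanism concrete, the following is an added example (not code from the paper or from MAS-SZZ). It models a single-file repository as an in-memory chain of snapshots and uses difflib line matching in place of `git blame`; the commit history, the `Commit`/`Repo` types and the `follow_modifications` flag are all assumptions made for this illustration. Plain SZZ takes the lines a fix deleted or replaced as anchors and blames each one back to the last commit that touched it; the optional flag keeps tracing a line that merely replaced an older line, a simplified stand-in for the refinement V-SZZ applies, which shows why stopping at the first touching commit is the "inadequate backtracking" failure mode.

```python
"""SZZ-style backtracking over a constructed, in-memory commit history.

Assumptions (not from the paper): a single-file repository is modelled as a
chain of snapshots, and difflib line matching stands in for `git blame`.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Set


@dataclass
class Commit:
    cid: str
    parent: Optional[str]   # None for the root commit
    lines: List[str]        # full file content at this commit


Repo = Dict[str, Commit]


def _opcodes(parent: List[str], child: List[str]):
    # autojunk=False so that repeated short lines (e.g. "}") are never discarded
    return SequenceMatcher(a=parent, b=child, autojunk=False).get_opcodes()


def blame_line(repo: Repo, cid: str, idx: int,
               follow_modifications: bool = False) -> Set[str]:
    """Return the commit(s) that introduced line `idx` of the file at `cid`.

    Plain SZZ stops at the last commit that touched the line. With
    follow_modifications=True, a line that merely *replaced* an older line is
    traced further back to the commit(s) that introduced what it replaced
    (a simplified form of the V-SZZ refinement; assumption for this example).
    """
    commit = repo[cid]
    if commit.parent is None:
        return {cid}                      # root commit: the line was born here
    parent = repo[commit.parent]
    for tag, i1, i2, j1, j2 in _opcodes(parent.lines, commit.lines):
        if not (j1 <= idx < j2):
            continue
        if tag == "equal":                # untouched here: keep walking back
            return blame_line(repo, parent.cid, i1 + (idx - j1), follow_modifications)
        if tag == "replace" and follow_modifications:
            origin: Set[str] = set()
            for pidx in range(i1, i2):    # every parent line this range replaced
                origin |= blame_line(repo, parent.cid, pidx, True)
            return origin
        return {cid}                      # inserted (or replaced, plain SZZ)
    raise IndexError(f"line {idx} not in {cid}")


def szz(repo: Repo, fix_cid: str, follow_modifications: bool = False) -> Set[str]:
    """Identify inducing commits for a fix: the anchors are the lines the fix
    deleted or replaced in its parent; each anchor is blamed backwards."""
    fix = repo[fix_cid]
    if fix.parent is None:
        raise ValueError("a fix commit needs a parent to diff against")
    parent = repo[fix.parent]
    anchors: List[int] = []
    for tag, i1, i2, _, _ in _opcodes(parent.lines, fix.lines):
        if tag in ("delete", "replace"):
            anchors.extend(range(i1, i2))
    inducing: Set[str] = set()
    for idx in anchors:
        inducing |= blame_line(repo, parent.cid, idx, follow_modifications)
    return inducing


def build_sample_repo() -> Repo:
    """Constructed history: c1 introduces an unbounded strcpy, c2 only adds a
    comment to that line, c3 adds an unrelated NULL check, c4 is the fix."""
    sig = "int copy(char *dst, const char *src, size_t n) {"
    c1 = Commit("c1", None, [sig, "    strcpy(dst, src);", "    return 0;", "}"])
    c2 = Commit("c2", "c1", [sig, "    strcpy(dst, src);  /* copy payload */",
                             "    return 0;", "}"])
    c3 = Commit("c3", "c2", [sig, "    if (src == NULL) return -1;",
                             "    strcpy(dst, src);  /* copy payload */",
                             "    return 0;", "}"])
    c4 = Commit("c4", "c3", [sig, "    if (src == NULL) return -1;",
                             '    snprintf(dst, n, "%s", src);  /* bounded copy */',
                             "    return 0;", "}"])
    return {c.cid: c for c in (c1, c2, c3, c4)}


if __name__ == "__main__":
    repo = build_sample_repo()
    print("plain SZZ blames:", szz(repo, "c4"))                                    # {'c2'}
    print("following modifications:", szz(repo, "c4", follow_modifications=True))  # {'c1'}
```

On this history plain SZZ stops at c2, a purely cosmetic commit, because it was the last to touch the anchor line; only by following the replaced line back does the trace reach c1, where `strcpy` was actually introduced. The example deliberately leaves out what makes the real task hard and what the paper's agents are for: choosing the right anchor lines from a multi-hunk patch (here every deleted or replaced line is taken, including any unrelated cleanup) and tracing across renames, file moves and multiple files.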