In software development, developers extensively use third-party libraries to avoid re-implementing existing functionality. When a new vulnerability in a third-party library is disclosed, project maintainers need to determine whether their projects are affected, which requires developers to invest substantial effort in assessment. However, existing tools face a series of issues: static analysis tools produce false alarms, dynamic analysis tools require existing tests, and test generation tools have low success rates when facing complex vulnerabilities. Vulnerability exploits, the code snippets provided for reproducing a vulnerability after its disclosure, contain a wealth of vulnerability-related information. This study proposes a new method based on vulnerability exploits, called VESTA (Vulnerability Exploit-based Software Testing Auto-Generator), which provides vulnerability exploit tests as the basis for developers to decide whether to update dependencies. VESTA extends search-based test generation methods by adding a migration step that preserves the similarity between the generated test and the vulnerability exploit, which increases the likelihood of detecting potential library vulnerabilities in a project. We perform experiments on 30 vulnerabilities disclosed in the past five years, involving 60 vulnerability-project pairs, and compare the experimental results with the baseline method, TRANSFER. The success rate of VESTA is 71.7%, which is a 53.4% improvement over TRANSFER in the effectiveness of verifying exploitable vulnerabilities.