Version control systems are widely used to manage open-source software, where each commit may introduce new vulnerabilities or fix existing ones. Researchers have developed various tools for detecting vulnerabilities in code commits, but their performance is limited by factors such as the neglect of descriptive data and the difficulty of accurately identifying vulnerability introductions. To overcome these limitations, we propose CommitShield, which combines the code analysis capabilities of static analysis tools with the natural-language and code understanding capabilities of large language models (LLMs). By generating precise descriptions and obtaining rich patch contexts, CommitShield improves the accuracy of both vulnerability introduction detection and vulnerability fix detection. We evaluate CommitShield on a newly constructed vulnerability repair dataset, CommitVulFix, and a cleaned vulnerability introduction dataset. Experimental results show that CommitShield improves recall by 76%-87% over state-of-the-art methods on the vulnerability fix detection task, and improves F1-score by 15%-27% on the vulnerability introduction detection task.
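The combination described above can be sketched as a small pipeline: static analysis contributes code-level findings, which are merged with the commit message and patch context into a prompt for an LLM classifier. This is a minimal illustrative sketch, not the paper's implementation; all class, function, and label names (`Commit`, `run_static_analysis`, `build_prompt`, `VULN_FIX`, etc.) are hypothetical, and the "static analyzer" is a trivial pattern check standing in for a real tool.

```python
# Hypothetical sketch of a commit-screening pipeline in the spirit of
# CommitShield: enrich a commit with static-analysis findings and patch
# context, then assemble an LLM prompt combining natural-language and
# code signals. Names and checks here are illustrative, not the paper's.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Commit:
    message: str  # descriptive data (commit message)
    diff: str     # unified diff of the change


@dataclass
class EnrichedCommit:
    commit: Commit
    static_findings: List[str] = field(default_factory=list)
    patch_context: str = ""   # surrounding code of the patched hunks


def run_static_analysis(commit: Commit) -> List[str]:
    # Stand-in for a real static analyzer: flag a few risky patterns.
    findings = []
    if "strcpy" in commit.diff:
        findings.append("use of unbounded strcpy")
    if "free(" in commit.diff and "= NULL" not in commit.diff:
        findings.append("pointer not nulled after free")
    return findings


def build_prompt(enriched: EnrichedCommit) -> str:
    # Merge descriptive data with code-level evidence so the LLM sees
    # both natural-language and code signals in one prompt.
    lines = [
        "Classify this commit as VULN_FIX, VULN_INTRODUCING, or NEUTRAL.",
        f"Commit message: {enriched.commit.message}",
        f"Diff:\n{enriched.commit.diff}",
    ]
    if enriched.static_findings:
        lines.append("Static analysis findings: "
                     + "; ".join(enriched.static_findings))
    if enriched.patch_context:
        lines.append("Surrounding context:\n" + enriched.patch_context)
    return "\n".join(lines)


commit = Commit(
    message="Replace strcpy with strncpy to avoid buffer overflow",
    diff="-    strcpy(buf, input);\n"
         "+    strncpy(buf, input, sizeof(buf) - 1);",
)
enriched = EnrichedCommit(commit, run_static_analysis(commit))
prompt = build_prompt(enriched)
print(prompt)
```

In a full system, the prompt would be sent to an LLM and its answer mapped back to a fix/introduction label; the point of the sketch is only how static-analysis output and descriptive data are fused before classification.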