Nowadays, software development progresses rapidly to incorporate new features. To facilitate such growth and provide convenience for developers when creating and updating software, reusing open-source software (i.e., third-party library reuse) has become one of the most effective and efficient methods. Unfortunately, the practice of reusing third-party libraries (TPLs) can also introduce vulnerabilities (known as 1-day vulnerabilities) because of the low maintenance of TPLs, which results in many vulnerable versions remaining in use. If software that incorporates these TPLs fails to detect the introduced vulnerabilities and therefore delays its updates, the security risk is exacerbated. However, the complicated code dependencies and the flexibility of TPL reuse make the detection of 1-day vulnerabilities a challenging task. To support developers in securely reusing TPLs during software development, we design and implement VULTURE, an effective and efficient detection tool aimed at identifying 1-day vulnerabilities that arise from the reuse of vulnerable TPLs. It first executes a database creation method, TPLFILTER, which leverages a Large Language Model (LLM) to automatically build a unique database for the targeted platform. Instead of relying on code-level similarity comparison, VULTURE employs hashing-based comparison to explore the dependencies among the collected TPLs and to identify the similarities between the TPLs and the target projects. Recognizing that developers have the flexibility to reuse TPLs either exactly or in a customized manner, VULTURE separately conducts version-based comparison and chunk-based analysis to capture fine-grained semantic features at the function level. We applied VULTURE to 10 real-world projects to assess its effectiveness and efficiency in detecting 1-day vulnerabilities. VULTURE successfully identified 175 vulnerabilities from 178 reused TPLs.
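The abstract distinguishes two matching modes: version-based comparison (a target function's hash matches a function in a specific TPL version exactly) and chunk-based analysis (a customized copy that no longer hashes identically but still shares most of its code chunks). The following is an added toy illustration of that idea in Python; it is not VULTURE's code and does not reproduce its actual algorithm or database. The library `libfoo`, its two versions, the target project `TARGET`, and the advisory id `ADVISORY-PLACEHOLDER-0001` are all constructed for the example. Functions are normalized to a token stream (comments and whitespace dropped) and hashed with SHA-256 for exact matching; functions with no exact hit are compared by Jaccard similarity over 3-token shingles, and the version that collects the most matching evidence is reported along with the vulnerabilities recorded for it.

```python
"""Toy function-level TPL version detector (added example, not VULTURE)."""
import hashlib
import re

# Constructed corpus: two versions of a hypothetical library "libfoo".
# Version 1.0 is flagged in VULN_DB under a placeholder advisory id.
TPL_DB = {
    ("libfoo", "1.0"): {
        "parse_len": "int parse_len(const char *p) { /* no bound check */ return atoi(p); }",
        "copy_buf": "void copy_buf(char *d, const char *s) { strcpy(d, s); }",
        "version": 'const char *version(void) { return "1.0"; }',
    },
    ("libfoo", "1.1"): {
        "parse_len": "int parse_len(const char *p) { int n = atoi(p); return n < 0 ? 0 : n; }",
        "copy_buf": "void copy_buf(char *d, const char *s, size_t n) { strncpy(d, s, n); d[n-1] = 0; }",
        "version": 'const char *version(void) { return "1.1"; }',
    },
}
VULN_DB = {("libfoo", "1.0"): ["ADVISORY-PLACEHOLDER-0001"]}  # constructed

# Constructed target project: embeds libfoo 1.0, one function lightly customized,
# the version() helper dropped, plus an unrelated function of its own.
TARGET = {
    "app_parse_len": "int parse_len(const char *p) {\n  /* no bound check */\n  return atoi(p);\n}",
    "app_copy": 'void copy_buf(char *d, const char *s) { log_call("copy_buf"); strcpy(d, s); }',
    "main": "int main(void) { return 0; }",
}

TOKEN_RE = re.compile(r"\w+|[^\w\s]")


def normalize(src):
    """Strip comments and reduce the source to a canonical token stream so that
    whitespace/comment-only edits do not defeat hashing."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)  # block comments
    src = re.sub(r"//[^\n]*", " ", src)               # line comments
    return " ".join(TOKEN_RE.findall(src))


def func_hash(src):
    """Hash of the normalized function body (exact-reuse fingerprint)."""
    return hashlib.sha256(normalize(src).encode()).hexdigest()


def shingles(src, k=3):
    """Set of k-token chunks of the normalized body (custom-reuse fingerprint)."""
    toks = normalize(src).split()
    return {" ".join(toks[i:i + k]) for i in range(max(1, len(toks) - k + 1))}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def match_functions(target_funcs, threshold=0.5):
    """Per target function: exact hash hit against any TPL version first
    (version-based comparison); otherwise best shingle similarity above the
    threshold (chunk-based analysis). Returns (target, tpl_key, tpl_func, sim, kind)."""
    index = {}
    for key, funcs in TPL_DB.items():
        for fname, src in funcs.items():
            index.setdefault(func_hash(src), []).append((key, fname))
    matches = []
    for name, src in target_funcs.items():
        hits = index.get(func_hash(src))
        if hits:
            matches.extend((name, key, fname, 1.0, "exact") for key, fname in hits)
            continue
        sh = shingles(src)
        sim, key, fname = max(
            (jaccard(sh, shingles(tsrc)), key, fname)
            for key, funcs in TPL_DB.items() for fname, tsrc in funcs.items()
        )
        if sim >= threshold:
            matches.append((name, key, fname, round(sim, 2), "chunk"))
    return matches


def detect(target_funcs, threshold=0.5):
    """Pick the TPL version with the most matching evidence and report its
    known vulnerabilities; exact hits count 1.0, chunk hits their similarity."""
    matches = match_functions(target_funcs, threshold)
    votes = {}
    for _, key, _, sim, _ in matches:
        votes[key] = votes.get(key, 0.0) + sim
    if not votes:
        return {"tpl": None, "matches": [], "vulns": []}
    best = max(votes, key=votes.get)
    return {"tpl": best,
            "matches": [m for m in matches if m[1] == best],
            "vulns": VULN_DB.get(best, [])}


if __name__ == "__main__":
    report = detect(TARGET)
    print("reused TPL:", report["tpl"])
    for m in report["matches"]:
        print("  %-14s -> %-9s sim=%.2f (%s)" % (m[0], m[2], m[3], m[4]))
    print("known vulnerabilities:", report["vulns"])
```

On the constructed input the exact hash identifies `app_parse_len` as libfoo 1.0 even though the target copy differs in layout and comments, the chunk comparison attributes the customized `app_copy` to the same version, the unrelated `main` stays unmatched, and the report surfaces the advisory recorded for 1.0. In practice the corpus would be the per-platform TPL database the abstract describes, and the threshold would need tuning against functions that are identical across many versions.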