To help application developers apply vulnerability patches in a timely manner, security researchers maintain vulnerability databases such as the National Vulnerability Database (NVD). By monitoring NVD for the name of each library they use, application developers can learn of vulnerabilities and their patches. Because NVD's patch records are incomplete, however, such monitoring alone is unreliable, so existing approaches employ deep-learning (DL) models to identify additional vulnerability patches by determining whether a code commit fixes a vulnerability. These approaches suffer from low accuracy because they do not consider a code commit's comprehensive contexts, such as control-/data-flow contexts or method-invocation contexts. To improve accuracy, we design CompVPD, the first approach to identify vulnerability patches by fine-tuning a large language model (LLM), StarCoder, to comprehend code commits together with their comprehensive contexts. Because including comprehensive contexts requires balancing context size against the LLM's training cost, CompVPD includes two novel algorithms that generate comprehensive contexts within a given window size by removing irrelevant components (i.e., files, methods, and statements) and adaptively expanding each context. We empirically compare CompVPD with four state-of-the-art/practice (SOTA) approaches that identify vulnerability patches. The results show that CompVPD improves the AUC score by 11% and the F1 score by 30% over the best scores of the SOTA approaches. Additionally, CompVPD provides high value to security practice by helping identify 20 vulnerability patches and 18 fixes of high-risk bugs among 2,500 recent code commits of five highly popular open-source projects.
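As an added illustration of window-bounded context generation (this is not CompVPD's own code or algorithm), the following builder drops files the commit never touched and grows every hunk one line above and below in turn until the line budget is spent; `FileChange`, `build_context`, `contiguous_runs` and the constructed commit in `demo` are all assumptions made for the example:

```python
from dataclasses import dataclass

@dataclass
class FileChange:
    path: str
    lines: list      # post-commit file content, one entry per line
    changed: set     # 0-based indices of the lines the commit touched

def contiguous_runs(idx):
    """Group sorted indices into inclusive (lo, hi) runs: [1, 2, 3, 7] -> [(1, 3), (7, 7)]."""
    runs = []
    for i in idx:
        if runs and i == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], i)
        else:
            runs.append((i, i))
    return runs

def build_context(files, budget):
    """Return {path: sorted line indices} using at most `budget` lines in total.
    Untouched files are dropped as irrelevant; each hunk starts from its changed
    lines and is grown one line above and below in turn (round-robin), so a large
    hunk cannot starve the others. Assumption: not CompVPD's own algorithm."""
    relevant = [f for f in files if f.changed]
    ctx = {f.path: set(f.changed) for f in relevant}
    used = sum(len(s) for s in ctx.values())
    if used > budget:
        raise ValueError("changed lines alone exceed the window")
    frontier = [(f, lo, hi) for f in relevant
                for lo, hi in contiguous_runs(sorted(f.changed))]
    grew = True
    while grew and used < budget:
        grew = False
        for i, (f, lo, hi) in enumerate(frontier):
            for cand in (lo - 1, hi + 1):          # one line above, one below
                if used >= budget:
                    break
                if 0 <= cand < len(f.lines) and cand not in ctx[f.path]:
                    ctx[f.path].add(cand)
                    used += 1
                    grew = True
            frontier[i] = (f, max(lo - 1, 0), min(hi + 1, len(f.lines) - 1))
    return {p: sorted(s) for p, s in ctx.items()}

def demo():
    """Constructed commit: one touched line in handler.c, README.md untouched."""
    handler = FileChange("handler.c", [f"line {i}" for i in range(20)], {10})
    readme = FileChange("README.md", ["# project", "docs"], set())
    return build_context([handler, readme], budget=5)
```

With a budget of 5 lines, `demo()` keeps only `handler.c` and returns the changed line plus two lines of context on each side.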