Saved in:
Bibliographic Details
Main Authors: Gao, Amiao, Zhang, Zenong, Wang, Simin, Huang, Liguo, Wei, Shiyi, Ng, Vincent
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2503.10877
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909537129201664
author Gao, Amiao
Zhang, Zenong
Wang, Simin
Huang, Liguo
Wei, Shiyi
Ng, Vincent
author_facet Gao, Amiao
Zhang, Zenong
Wang, Simin
Huang, Liguo
Wei, Shiyi
Ng, Vincent
contents Understanding software vulnerabilities and their resolutions is crucial for securing modern software systems. This study presents a novel traceability model that links a pair of sentences describing at least one of the three types of semantics (triggers, crash phenomenon and fix action) for a vulnerability in natural language (NL) vulnerability artifacts, to their corresponding pair of code statements. Different from the traditional traceability models, our tracing links between a pair of related NL sentences and a pair of code statements can recover the semantic relationship between code statements so that the specific role played by each code statement in a vulnerability can be automatically identified. Our end-to-end approach is implemented in two key steps: VulnExtract and VulnTrace. VulnExtract automatically extracts sentences describing triggers, crash phenomenon and/or fix action for a vulnerability using 37 discourse patterns derived from NL artifacts (CVE summary, bug reports and commit messages). VulnTrace employs pre-trained code search models to trace these sentences to the corresponding code statements. Our empirical study, based on 341 CVEs and their associated code snippets, demonstrates the effectiveness of our approach, with recall exceeding 90% in most cases for NL sentence extraction. VulnTrace achieves a Top5 accuracy of over 68.2% for mapping a pair of related NL sentences to the corresponding pair of code statements. The end-to-end combined VulnExtract+VulnTrace achieves a Top5 accuracy of 59.6% and 53.1% for mapping two pairs of NL sentences to code statements. These results highlight the potential of our method in automating vulnerability comprehension and reducing manual effort.
format Preprint
id arxiv_https___arxiv_org_abs_2503_10877
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle A Sentence-Level Approach to Understanding Software Vulnerability Fixes
Gao, Amiao
Zhang, Zenong
Wang, Simin
Huang, Liguo
Wei, Shiyi
Ng, Vincent
Software Engineering
D.2
Understanding software vulnerabilities and their resolutions is crucial for securing modern software systems. This study presents a novel traceability model that links a pair of sentences describing at least one of the three types of semantics (triggers, crash phenomenon and fix action) for a vulnerability in natural language (NL) vulnerability artifacts, to their corresponding pair of code statements. Different from the traditional traceability models, our tracing links between a pair of related NL sentences and a pair of code statements can recover the semantic relationship between code statements so that the specific role played by each code statement in a vulnerability can be automatically identified. Our end-to-end approach is implemented in two key steps: VulnExtract and VulnTrace. VulnExtract automatically extracts sentences describing triggers, crash phenomenon and/or fix action for a vulnerability using 37 discourse patterns derived from NL artifacts (CVE summary, bug reports and commit messages). VulnTrace employs pre-trained code search models to trace these sentences to the corresponding code statements. Our empirical study, based on 341 CVEs and their associated code snippets, demonstrates the effectiveness of our approach, with recall exceeding 90% in most cases for NL sentence extraction. VulnTrace achieves a Top5 accuracy of over 68.2% for mapping a pair of related NL sentences to the corresponding pair of code statements. The end-to-end combined VulnExtract+VulnTrace achieves a Top5 accuracy of 59.6% and 53.1% for mapping two pairs of NL sentences to code statements. These results highlight the potential of our method in automating vulnerability comprehension and reducing manual effort.
title A Sentence-Level Approach to Understanding Software Vulnerability Fixes
topic Software Engineering
D.2
url https://arxiv.org/abs/2503.10877