PatchFinder: A Two-Phase Approach to Security Patch Tracing for Disclosed Vulnerabilities in Open-Source Software
Open-source software (OSS) vulnerabilities are increasingly prevalent, emphasizing the importance of security patches. However, in widely used security platforms like NVD, a substantial number of CVE records still lack trace links to patches. Although rank-based approaches have been proposed for security patch tracing, they heavily rely on handcrafted features in a single-step framework, which limits their effectiveness.
In this paper, we propose PatchFinder, a two-phase framework with end-to-end correlation learning for better-tracing security patches. In the initial retrieval phase, we employ a hybrid patch retriever to account for both lexical and semantic matching based on the code changes and the description of a CVE, to narrow down the search space by extracting those commits as candidates that are similar to the CVE descriptions. Afterwards, in the re-ranking phase, we design an end-to-end architecture under the supervised fine-tuning paradigm for learning the semantic correlations between CVE descriptions and commits. In this way, we can automatically rank the candidates based on their correlation scores while maintaining low computation overhead. We evaluated our system against 4,789 CVEs from 532 OSS projects. The results are highly promising: PatchFinder achieves a Recall@10 of 80.63% and a Mean Reciprocal Rank (MRR) of 0.7951. Moreover, the Manual Effort@10 required is curtailed to 2.77, marking a 1.94 times improvement over current leading methods. When applying PatchFinder in practice, we initially identified 533 patch commits and submitted them to the official, 482 of which have been confirmed by CVE Numbering Authorities.
Thu 19 SepDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
15:30 - 17:10 | Vulnerabilities and MalwareTechnical Papers at EI 10 Fritz Paschke Chair(s): Wei You Renmin University of China | ||
15:30 20mTalk | Silent Taint-Style Vulnerability Fixes Identification Technical Papers Zhongzhen Wen Nanjing University, Jiayuan Zhou Huawei, Minxue Pan Nanjing University, Shaohua Wang Central University of Finance and Economics, Xing Hu Zhejiang University, Tongtong Xu Huawei, Tian Zhang Nanjing University, Xuandong Li Nanjing University DOI | ||
15:50 20mTalk | FortifyPatch: Towards Tamper-Resistant Live Patching in Linux-Based Hypervisor Technical Papers Zhenyu Ye Hunan University, Lei Zhou National University of Defense Technology, Fengwei Zhang Southern University of Science and Technology, Wenqiang Jin Hunan University, Zhenyu Ning Hunan University; Xinchuang Haihe Laboratory, Yupeng Hu Hunan University, Zheng Qin Hunan University DOI | ||
16:10 20mTalk | Maltracker: A Fine-Grained NPM Malware Tracker Copiloted by LLM-Enhanced Dataset Technical Papers Zeliang Yu Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Xiaochen Guo Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology DOI | ||
16:30 20mTalk | PatchFinder: A Two-Phase Approach to Security Patch Tracing for Disclosed Vulnerabilities in Open-Source Software Technical Papers Kaixuan Li East China Normal University; Nanyang Technological University, Jian Zhang Nanyang Technological University, Sen Chen Tianjin University, Han Liu East China Normal University, Yang Liu Nanyang Technological University, Yixiang Chen East China Normal University DOI Pre-print | ||
16:50 20mTalk | An Empirical Study of Static Analysis Tools for Secure Code Review Technical Papers Wachiraphan (Ping) Charoenwet University of Melbourne, Patanamon Thongtanunam University of Melbourne, Thuan Pham University of Melbourne, Christoph Treude Singapore Management University DOI | ||