LocVul: Line-level vulnerability localization based on a Sequence-to-Sequence approach

IF 4.3 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information and Software Technology Pub Date : 2025-10-24 DOI:10.1016/j.infsof.2025.107940

Ilias Kalouptsoglou , Miltiadis Siavvas , Apostolos Ampatzoglou , Dionysios Kehagias , Alexander Chatzigeorgiou

{"title":"LocVul: Line-level vulnerability localization based on a Sequence-to-Sequence approach","authors":"Ilias Kalouptsoglou , Miltiadis Siavvas , Apostolos Ampatzoglou , Dionysios Kehagias , Alexander Chatzigeorgiou","doi":"10.1016/j.infsof.2025.107940","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>The development of secure software systems depends on early and accurate vulnerability identification. Manual inspection is a time-consuming process that requires specialized knowledge. Therefore, as software complexity grows, automated solutions become essential. Vulnerability Prediction (VP) is an emerging mechanism that identifies whether software components contain vulnerabilities, commonly using Machine Learning models trained on classifying components as vulnerable or clean. Recent explainability-based approaches attempt to rank the lines based on their influence on the output of the VP Models (VPMs). However, challenges remain in accurately localizing the vulnerable lines.</div></div><div><h3>Objective:</h3><div>This study aims to examine an alternative to explainability-based approaches to overcome their shortcomings. Specifically, explainability-based methods depend on the type and accuracy of the file or function-level VPMs, inherit possible misleading patterns, and cannot indicate the exact code snippet that is vulnerable nor the number of vulnerable lines.</div></div><div><h3>Method:</h3><div>To address these limitations, this study introduces an innovative approach based on fine-tuning Large Language Models on a Sequence-to-Sequence objective to directly return the vulnerable lines of a given function. The method is evaluated on the Big-Vul dataset to assess its capacity for fine-grained vulnerability detection.</div></div><div><h3>Results:</h3><div>The results demonstrate that the proposed method significantly outperforms the explainability-based baseline both in terms of accuracy and cost-effectiveness.</div></div><div><h3>Conclusions:</h3><div>The proposed approach marks a significant advancement in automated vulnerability detection by enabling accurate line-level localization of vulnerabilities.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"189 ","pages":"Article 107940"},"PeriodicalIF":4.3000,"publicationDate":"2025-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0950584925002794","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Context:

The development of secure software systems depends on early and accurate vulnerability identification. Manual inspection is a time-consuming process that requires specialized knowledge. Therefore, as software complexity grows, automated solutions become essential. Vulnerability Prediction (VP) is an emerging mechanism that identifies whether software components contain vulnerabilities, commonly using Machine Learning models trained on classifying components as vulnerable or clean. Recent explainability-based approaches attempt to rank the lines based on their influence on the output of the VP Models (VPMs). However, challenges remain in accurately localizing the vulnerable lines.

Objective:

This study aims to examine an alternative to explainability-based approaches to overcome their shortcomings. Specifically, explainability-based methods depend on the type and accuracy of the file or function-level VPMs, inherit possible misleading patterns, and cannot indicate the exact code snippet that is vulnerable nor the number of vulnerable lines.

Method:

To address these limitations, this study introduces an innovative approach based on fine-tuning Large Language Models on a Sequence-to-Sequence objective to directly return the vulnerable lines of a given function. The method is evaluated on the Big-Vul dataset to assess its capacity for fine-grained vulnerability detection.

Results:

The results demonstrate that the proposed method significantly outperforms the explainability-based baseline both in terms of accuracy and cost-effectiveness.

Conclusions:

The proposed approach marks a significant advancement in automated vulnerability detection by enabling accurate line-level localization of vulnerabilities.

查看原文本刊更多论文

LocVul：基于序列到序列方法的行级漏洞定位

背景：安全软件系统的开发依赖于早期和准确的漏洞识别。人工检查是一个耗时的过程，需要专业知识。因此，随着软件复杂性的增长，自动化解决方案变得至关重要。漏洞预测（VP）是一种新兴的机制，用于识别软件组件是否包含漏洞，通常使用机器学习模型将组件分类为易受攻击或干净。最近基于可解释性的方法试图根据它们对VP模型（VPMs）输出的影响对行进行排序。然而，在准确定位脆弱线路方面仍然存在挑战。目的：本研究旨在探讨一种替代可解释性的方法，以克服其缺点。具体来说，基于可解释性的方法依赖于文件级或函数级vpm的类型和准确性，继承可能的误导模式，并且不能指示易受攻击的确切代码片段或易受攻击的行数。方法：为了解决这些限制，本研究引入了一种基于序列到序列目标微调大型语言模型的创新方法，以直接返回给定函数的脆弱行。在Big-Vul数据集上对该方法进行了评估，以评估其细粒度漏洞检测能力。结果：结果表明，所提出的方法在准确性和成本效益方面都明显优于基于可解释性的基线。结论：所提出的方法标志着自动化漏洞检测的重大进步，可以实现准确的行级漏洞定位。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Information and Software Technology 工程技术-计算机：软件工程

CiteScore

9.10

自引率

7.70%

发文量

164

审稿时长

9.6 weeks

期刊介绍： Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal''s scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include: • Software management, quality and metrics, • Software processes, • Software architecture, modelling, specification, design and programming • Functional and non-functional software requirements • Software testing and verification & validation • Empirical studies of all aspects of engineering and managing software development Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information. The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premiere outlet for systematic literature studies in software engineering.