
Automated Identification of Vulnerability-Fixing Commits

Develop an accurate, fully automated method that, given a known vulnerability in an open-source project, identifies the exact source-code commit or commits in the project's version-control history that fix the vulnerability, enabling reliable mapping from vulnerabilities to their precise patch changes without manual intervention.


Background

The paper emphasizes that source-code patches are crucial for tasks such as patch detection and hot-patch generation, yet mapping vulnerabilities to their corresponding fixes remains difficult. Although revision control systems preserve historical changes, determining which specific commit resolves a vulnerability is challenging in practice.

Existing resources like CVE/NVD often lack reliable or complete patch mappings, and automated efforts such as CVEFixes rely on textual cues that do not guarantee correctness. Even OSV/OSS-Fuzz’s automated bisection can produce inaccurate mappings. The authors therefore highlight that automatic patch identification is not yet solved, motivating ARVO’s approach while acknowledging the broader open problem.
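To make the two failure modes concrete, here is an added example (not code from the ARVO paper or from OSS-Fuzz/CVEFixes) that bisects a constructed, oldest-first commit history with a crash oracle, then checks whether the commit it lands on actually edits a function on the crash's stack trace and compares that with the message-keyword heuristic. Commit shas, messages, function names and the `CVE-XXXX-YYYY` identifier are all constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Commit:
    sha: str
    message: str
    touched_functions: frozenset[str]
    poc_crashes: bool  # constructed oracle: does the reproducer still crash here?

def bisect_first_non_crashing(history: list[Commit]) -> Commit | None:
    """First revision (oldest-first history) where the PoC stops crashing.
    Assumes crash status is monotone: crash, crash, ..., no crash, no crash."""
    if not history or not history[0].poc_crashes or history[-1].poc_crashes:
        return None
    lo, hi = 0, len(history) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if history[mid].poc_crashes:
            lo = mid + 1
        else:
            hi = mid
    return history[lo]

def touches_crash_site(candidate: Commit, crash_frames: list[str]) -> bool:
    """Sanity check: a genuine fix should edit a function on the crash stack."""
    return bool(candidate.touched_functions & set(crash_frames))

def textual_cue_candidates(history: list[Commit], cve_id: str) -> list[Commit]:
    """CVEFixes-style heuristic: commits whose message names the CVE."""
    return [c for c in history if cve_id in c.message]

# Constructed sample data; the sanitizer trace names the overflowing function.
CRASH_FRAMES = ["parse_chunk", "decode_stream", "LLVMFuzzerTestOneInput"]
CVE_ID = "CVE-XXXX-YYYY"  # placeholder, not a real identifier

# History 1: bisection lands on the real fix, which edits parse_chunk.
FIXED_HISTORY = [
    Commit("c0", "Initial import", frozenset({"main"}), True),
    Commit("c1", "Refactor logging", frozenset({"log_msg"}), True),
    Commit("c2", "Bound chunk length before copy", frozenset({"parse_chunk"}), False),
    Commit("c3", "Bump version", frozenset(), False),
]

# History 2: an unrelated size limit hides the crash first; bisection points at c1, not the real fix c2.
MASKED_HISTORY = [
    Commit("c0", "Initial import", frozenset({"main"}), True),
    Commit("c1", "Reject inputs larger than 1 MiB", frozenset({"main"}), False),
    Commit("c2", f"Fix {CVE_ID}: bound chunk length", frozenset({"parse_chunk"}), False),
]
```

In the second history the bisection result and the textual cue disagree, and only the stack-trace check exposes that the bisected commit is a mask rather than a fix; the case where neither heuristic fires (a silent fix with no keyword and no oracle change) is the gap the open problem describes.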

References

However, automatic identification of patches is an unsolved problem.

ARVO: Atlas of Reproducible Vulnerabilities for Open Source Software (2408.02153 - Mei et al., 4 Aug 2024) in Section 2.2 (Patch Locating)