PatUntrack: Automated Generating Patch Examples for Issue Reports without Tracked Insecure Code
Security patches are essential for enhancing the stability and robustness of projects in the open-source software community. While vulnerabilities are officially expected to be patched before being disclosed, patching vulnerabilities is complicated and remains a struggle for many organizations. To patch vulnerabilities, security practitioners typically track vulnerable issue reports (IRs), and analyze their relevant insecure code to generate potential patches. However, the relevant insecure code may not be explicitly specified and practitioners cannot track the insecure code in the repositories, thus limiting their ability to generate patches. In such cases, providing examples of insecure code and the corresponding patches would benefit the security developers to better locate and resolve the actual insecure code. In this paper, we propose PatUntrack, an automated approach to generating patch examples from IRs without tracked insecure code. PatUntrack utilizes auto-prompting to optimize the Large Language Model (LLM) to make it applicable for analyzing the vulnerabilities described in IRs and generating appropriate patch examples. Specifically, it first generates the completed description of the Vulnerability-Triggering Path (VTP) from vulnerable IRs. Then, it corrects potential hallucinations in the VTP description with external golden knowledge. Finally, it generates Top-$K$ pairs of Insecure Code and Patch Example based on the corrected VTP description. To evaluate the performance of PatUntrack, we conducted experiments on 5,465 vulnerable IRs. The experimental results show that PatUntrack can obtain the highest performance and improve the traditional LLM baselines by +17.7% (MatchFix) and +14.6% (Fix@10) on average in patch example generation. Furthermore, PatUntrack was applied to generate patch examples for 76 newly disclosed vulnerable IRs. 27 out of 37 replies from the authors of these IRs confirmed the usefulness of the patch examples generated by PatUntrack, indicating that they can benefit from these examples for patching the vulnerabilities.
Thu 31 OctDisplayed time zone: Pacific Time (US & Canada) change
13:30 - 15:00 | Code and issue reportResearch Papers at Magnoila Chair(s): Baishakhi Ray Columbia University, New York; AWS AI Lab | ||
13:30 15mTalk | PatUntrack: Automated Generating Patch Examples for Issue Reports without Tracked Insecure Code Research Papers Ziyou Jiang Institute of Software at Chinese Academy of Sciences, Lin Shi Beihang University, Guowei Yang University of Queensland, Qing Wang Institute of Software at Chinese Academy of Sciences DOI Pre-print | ||
13:45 15mTalk | Understanding Code Changes Practically with Small-Scale Language Models Research Papers Cong Li Zhejiang University; Ant Group, Zhaogui Xu Ant Group, Peng Di Ant Group, Dongxia Wang Zhejiang University, Zheng Li Ant Group, Qian Zheng Ant Group | ||
14:00 15mTalk | DRMiner: Extracting Latent Design Rationale from Jira Issue Logs Research Papers Jiuang Zhao Beihang University, Zitian Yang Beihang University, Li Zhang Beihang University, Xiaoli Lian Beihang University, China, Donghao Yang Beihang University, Xin Tan Beihang University | ||
14:15 15mTalk | An Empirical Study on Learning-based Techniques for Explicit and Implicit Commit Messages Generation Research Papers Zhiquan Huang Sun Yat-sen University, Yuan Huang Sun Yat-sen University, Xiangping Chen Sun Yat-sen University, Xiaocong Zhou School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou 510006, China, Changlin Yang Sun Yat-sen University, Zibin Zheng Sun Yat-sen University | ||
14:30 15mTalk | RCFG2Vec: Considering Long-Distance Dependency for Binary Code Similarity Detection Research Papers Weilong Li School of Computer Science and Engineering,Sun Yat-sen University, Jintian Lu College of Computer Science and Engineering, Jishou University, Ruizhi Xiao School of Computer Science and Engineering,Sun Yat-sen University, Pengfei Shao China Southern Power Grid Digital Grid Group Information and Telecommunication Technology Co., Ltd., Shuyuan Jin School of Computer Science and Engineering,Sun Yat-sen University | ||
14:45 15mTalk | ChatBR: Automated assessment and improvement of bug report quality using ChatGPT Research Papers Lili Bo Yangzhou University, wangjie ji Yangzhou University, Xiaobing Sun Yangzhou University, Ting Zhang Singapore Management University, Xiaoxue Wu Yangzhou University, Ying Wei Yangzhou University |