Software vulnerabilities pose serious threats to the security of modern software systems. Automated vulnerability repair (AVR) has gained attention as a potential solution to accelerate the remediation of vulnerabilities. However, existing AVR approaches often only generate patches under specific preconditions, which may not align with developers’ current repair practices.

In this paper, we introduce VulAdvisor, an automated approach that generates natural language suggestions to guide developers or AVR tools in repairing vulnerabilities. VulAdvisor comprises two main components: oracle extraction and suggestion learning. To address the challenge of limited historical data, we propose an oracle extraction method facilitating ChatGPT to construct a comprehensive and high-quality dataset. For suggestion learning, we take the supervised fine-tuning CodeT5 model as the basis, integrating local context into Multi-Head Attention and introducing a repair action loss, to improve the relevance and meaningfulness of the generated suggestions.

Extensive experiments on a large-scale dataset from real-world C/C++ projects demonstrate the effectiveness of VulAdvisor, surpassing several baselines in terms of lexical and semantic metrics. Additionally, we show that the generated suggestions enhance the patch generation capabilities of existing AVR tools. Human evaluations further validate the quality and utility of VulAdvisor’s suggestions, confirming their potential to improve software vulnerability repair practices.