LLMPort: Cross-file Patch Porting via Task Decomposition and Self-correction
Security patch porting adapts a patch developed for one version of a software system so that it can be applied to another version. This is crucial for keeping software secure over time, since a fix that reaches only one version leaves the others exposed to the same flaw. However, existing approaches often rely on predefined rules to understand patches, which limits their generalizability and portability. They are also ineffective on complex patches that modify many lines of code across multiple files, which is common in real-world software, especially Java applications.
To overcome these obstacles, we propose LLMPort, a novel patch porting framework. First, LLMPort decomposes the complex porting task into distinct subtasks, each covering one atomic code unit of the original patch, so that the LLM reasons about a small, well-defined change rather than the whole patch at once. Second, for each subtask, LLMPort extracts the minimal patch-related code context and builds a prompt with task-specific domain knowledge to guide the LLM in porting that code to the target version. Third, LLMPort runs a progressive self-correction loop that automatically assesses the correctness of the generated patch, identifies the subtasks that were ported incorrectly, and corrects them using the LLM's self-correction capabilities.
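The decomposition and checking steps above can be made concrete without any LLM in the loop. The following Python example is added here for illustration and is not LLMPort's own code: it splits a multi-file unified diff into per-hunk subtasks (one atomic code unit each), tries to port each hunk mechanically by locating its pre-image in the target version within a small line-offset window, and flags the hunks whose context has drifted as needing correction, which is the point where LLMPort would hand the subtask to the LLM. The diff and the two Java source files are constructed sample data; the `max_offset` window and the `needs_correction` status are this example's own assumptions.

```python
"""Split a unified diff into atomic per-hunk subtasks and check which of
them still apply to a target version.  Hypothetical illustration written
for this page; it is NOT the LLMPort implementation.  All diff and source
texts below are constructed sample data."""
import re
from dataclasses import dataclass, field

# Matches "@@ -old_start[,old_len] +new_start[,new_len] @@ ..." hunk headers.
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


@dataclass
class Subtask:
    """One atomic code unit: a single hunk of a single file."""
    path: str
    old_start: int                              # 1-based line in the original version
    body: list = field(default_factory=list)    # (tag, text): ' ' context, '-' removed, '+' added

    def pre_image(self):
        """Lines that must be present in the target for the hunk to apply."""
        return [t for tag, t in self.body if tag in " -"]

    def post_image(self):
        """Lines that replace the pre-image once the hunk is applied."""
        return [t for tag, t in self.body if tag in " +"]


def split_patch(diff_text):
    """Decompose a (possibly multi-file) unified diff into Subtask objects."""
    subtasks, path, cur = [], None, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):                 # new-file header carries the path
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            cur = None
            continue
        if line.startswith(("--- ", "diff ", "index ")):
            continue
        m = HUNK_RE.match(line)
        if m:
            cur = Subtask(path=path, old_start=int(m.group(1)))
            subtasks.append(cur)
            continue
        if cur is None or line.startswith("\\"):   # "\ No newline at end of file"
            continue
        tag, text = (line[0], line[1:]) if line else (" ", "")
        if tag in " -+":
            cur.body.append((tag, text))
    return subtasks


def locate(subtask, target_lines, max_offset=50):
    """Return the 0-based index where the hunk's pre-image matches the target,
    searching outward from the original line; None means the surrounding code
    drifted and a mechanical port is not safe."""
    pre = subtask.pre_image()
    origin = subtask.old_start - 1
    for off in range(max_offset + 1):
        for pos in ((origin,) if off == 0 else (origin - off, origin + off)):
            if 0 <= pos and pos + len(pre) <= len(target_lines) \
                    and target_lines[pos:pos + len(pre)] == pre:
                return pos
    return None


def port_patch(diff_text, target_files, max_offset=50):
    """Port every subtask whose pre-image still matches; report the others so a
    follow-up step (an LLM in LLMPort's design, or a human) rewrites only those."""
    patched = {p: s.splitlines() for p, s in target_files.items()}
    report = []
    for st in split_patch(diff_text):
        lines = patched[st.path]
        pos = locate(st, lines, max_offset)
        if pos is None:
            report.append((st.path, st.old_start, "needs_correction"))
            continue
        pre = st.pre_image()
        lines[pos:pos + len(pre)] = st.post_image()
        report.append((st.path, st.old_start, f"applied at line {pos + 1}"))
    return report, {p: "\n".join(ls) for p, ls in patched.items()}


# Constructed sample patch: a constant-time token comparison in Auth.java and
# input sanitisation in Util.java, written against an older version.
SAMPLE_DIFF = """diff --git a/src/Auth.java b/src/Auth.java
--- a/src/Auth.java
+++ b/src/Auth.java
@@ -3,4 +3,7 @@ public class Auth {
     public boolean check(String user, String token) {
-        return store.get(user).equals(token);
+        if (user == null || token == null) {
+            return false;
+        }
+        return MessageDigest.isEqual(store.get(user).getBytes(), token.getBytes());
     }
 }
diff --git a/src/Util.java b/src/Util.java
--- a/src/Util.java
+++ b/src/Util.java
@@ -2,3 +2,3 @@ public class Util {
     static String readName(HttpRequest req) {
-        return req.getParameter("name");
+        return Sanitizer.clean(req.getParameter("name"));
     }
"""

# Constructed target version: Auth.java gained two imports (hunk shifts by two
# lines, still ports mechanically); Util.java was refactored (pre-image gone).
TARGET_FILES = {
    "src/Auth.java": """import java.util.Map;
import java.security.MessageDigest;
public class Auth {
    private Map<String, String> store;
    public boolean check(String user, String token) {
        return store.get(user).equals(token);
    }
}""",
    "src/Util.java": """public class Util {
    static String readName(HttpRequest req) {
        String raw = req.getParameter("name");
        return raw == null ? "" : raw;
    }
}""",
}

if __name__ == "__main__":
    report, ported = port_patch(SAMPLE_DIFF, TARGET_FILES)
    for entry in report:
        print(entry)
    print(ported["src/Auth.java"])
```

Running the block reports the `Auth.java` hunk as applied two lines later than in the original version and the `Util.java` hunk as `needs_correction`: its single removed line no longer exists in the target, so only that subtask, with its three-line context, needs to be handed to a model or a reviewer.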
We evaluate LLMPort on a large-scale dataset of Java patches comprising 1,992 unique patch file pairs; it successfully ports 91.92% of them. To assess its portability across languages, we also evaluate LLMPort on C patches, where it outperforms the state-of-the-art approaches TSBPORT and FixMorph. In addition, LLMPort uncovered five 0-day vulnerabilities caused by incomplete patches; the developers accepted the new patches generated by LLMPort and merged them into the official code branches.