Enhancing supply chain security is crucial, often involving the detection and porting of patches from upstream to downstream. However, current security patch analysis works yield relatively low recall rates (i.e., many security patches are missed). In this work, we offer a new solution to fix a substantial number of vulnerabilities in outdated dependency code. We develop SPatch to comprehensively detect fine-grained safe patches. It leverages fine-grained patch analysis and a new differential symbolic execution technique to analyze the functional impacts of code changes.

We evaluated SPatch on various software, including the Linux kernel and OpenSSL, and demonstrated that it outperformed existing methods in detecting safe patches, resulting in observable security benefits. In our case studies, we updated hundreds of functions in modern software using safe patches detected by SPatch without causing any regression issues. Our detected safe security patches have been merged into the latest version of downstream software like Redis.