Identifying Vulnerability Patches by Comprehending Code Commits with Comprehensive Change Contexts

To help application developers apply vulnerability patches timely, security researchers maintain vulnerability databases such as National Vulnerability Database (NVD). By directly monitoring NVD with the name of each used library, application developers can be aware of vulnerabilities and their patches. Given that the monitoring results of vulnerability patches are unreliable due to patch incompleteness of NVD, existing approaches employ deep-learning (DL) models to identify additional vulnerability patches by determining whether a code commit fixes a vulnerability. However, these approaches suffer from low accuracy due to not considering code commits' comprehensive contexts such as control/data-flow contexts or method-invocation contexts. To improve accuracy, we design CompVPD, the first approach to identify vulnerability patches by fine-tuning a large language model (LLM) named StarCoder to comprehend code commits with comprehensive contexts. Considering that including comprehensive contexts needs to balance the context size and the training costs of LLM, CompVPD includes our two novel algorithms to generate comprehensive contexts within the given window size by removing irrelevant components (i.e., files, methods, and statements) and adaptively expanding each context. We empirically compare CompVPD with four state-of-the-art/practice (SOTA) approaches that identify vulnerability patches. The results show that CompVPD improves the AUC score by 11% and the F1 score by 30% when compared with the best scores of the SOTA approaches. Additionally, CompVPD provides high value to security practice by helping identify 20 vulnerability patches and 18 fixes of high-risk bugs from 2,500 recent code commits of five highly popular open-source projects.