SliceLocator: Locating Vulnerable Statements with Graph-based Detectors (2401.02737v4)

Abstract: Vulnerability detection is a crucial component in the software development lifecycle. Existing vulnerability detectors, especially those based on deep learning (DL) models, have achieved high effectiveness. Despite their capability of detecting vulnerable code snippets from given code fragments, the detectors are typically unable to further locate the fine-grained information pertaining to the vulnerability, such as the precise vulnerability triggering locations. Although explanation methods can filter important statements based on the predictions of code fragments, their effectiveness is limited by the fact that the model primarily learns the difference between vulnerable and non-vulnerable samples. In this paper, we propose SliceLocator, which, unlike previous approaches, leverages the detector's understanding of the differences between vulnerable and non-vulnerable samples, essentially, vulnerability-fixing statements. SliceLocator identifies the most relevant taint flow by selecting the highest-weighted flow path from all potential vulnerability-triggering statements in the program, in conjunction with the detector. We demonstrate that SliceLocator consistently performs well on four state-of-the-art GNN-based vulnerability detectors, achieving an accuracy of around 87% in flagging vulnerability-triggering statements across six common C/C++ vulnerabilities. It outperforms five widely used GNN-based explanation methods and two statement-level detectors.