With the rapid development of open-source software (OSS), the number of OSS vulnerabilities has been increasing rapidly. To mitigate such security risks, vulnerability patches are deployed across a wide range of security tasks. However, patches may contain non-critical changes, and such non-critical changes can hurt the effectiveness and efficiency of these security tasks. Existing approaches of identifying critical changes often lack precise inter-procedural analysis, work at a coarse granularity, or do not scale well to large and complex patches, limiting their effectiveness. To address these limitations, we propose a novel approach CoCoPat to identify critical changes in a vulnerability patch at the statement level. CoCoPat decompose critical changes identification into two phases, i.e., function-level and statement-level phases . CoCoPat follows a filtering-then-recovering strategy in each phase to first pinpoint a necessary minimal set of critical changes by semantic-enhanced LLM, then recover any semantically similar and functionally related critical changes. Our evaluation demonstrates that CoCoPat outperforms state-of-the-arts by at least 0.43 (98%) at F1-score. By integrating CoCoPat with tools of three downstream tasks, those tools show the improvement both in effectiveness and efficiency, underscoring the value of identifying critical changes in vulnerability patches.
Wu et al. (Wed,) studied this question.