Qixuan Guo (Beijing Jiaotong University), Yongzhong He (Beijing Jiaotong University)

When a vulnerability is detected in a specific software version, it is critical to trace the commit history and accurately identify the first commit in which the vulnerability was introduced, known as the Vulnerability-Introducing Commit (VIC).
This article proposes a method to accurately identify the VIC based on differential analysis of vulnerability patching patterns. First, we compare the two versions of a file, before and after a vulnerability is patched, to classify the vulnerability-related statements in the patch into different patching patterns, such as coding errors, improper data flow, misplaced statements, and missing critical checks. Then, based on the patching patterns, we extract a vulnerability-critical statement sequence from the vulnerable file and match it against earlier commits to determine the introducing commit. To evaluate the effectiveness of this method, we collected a dataset comprising 6,920 CVEs and 5,859,238 commits from open-source software, including the Linux kernel, MySQL, and OpenSSL, among others. The experimental results demonstrate that the proposed method achieves a detection accuracy of 94.94% and a recall rate of 86.92%, significantly outperforming existing approaches.
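A simplified sketch of the pipeline described above, added here as an illustration and not taken from the paper or its tooling. It covers only two of the patterns (a modified statement and a missing check); the extraction rules, the function names, and the commit history with ids `c1` to `c3` are assumptions constructed for the example.

```python
import difflib

def norm(src):
    """Strip indentation and blank lines so formatting-only changes are ignored."""
    return [ln.strip() for ln in src.splitlines() if ln.strip()]

def critical_sequence(vuln_src, fixed_src):
    """Classify the patch and pull the critical statements from the vulnerable file."""
    a, b = norm(vuln_src), norm(fixed_src)
    changed, unguarded = [], []
    ops = difflib.SequenceMatcher(None, a, b, autojunk=False).get_opcodes()
    for tag, i1, i2, _j1, _j2 in ops:
        if tag in ("replace", "delete"):
            changed += a[i1:i2]            # statements the patch rewrote or removed
        elif tag == "insert":
            unguarded += a[i1:i1 + 1]      # assumed rule: statement the added check protects
    if changed:
        return "modified-statement", changed
    return "missing-check", unguarded

def is_subsequence(needle, haystack):
    """True if needle's statements occur in haystack in the same order."""
    it = iter(haystack)
    return all(stmt in it for stmt in needle)

def find_vic(history, vuln_src, fixed_src):
    """history: (commit_id, file_source) pairs, oldest first."""
    pattern, seq = critical_sequence(vuln_src, fixed_src)
    if not seq:
        return pattern, None
    for commit_id, src in history:
        if is_subsequence(seq, norm(src)):
            return pattern, commit_id      # earliest commit containing the sequence
    return pattern, None

# Constructed history of one C function (hypothetical commit ids), oldest first.
SIG = "int copy(char *dst, const char *src, size_t n) {\n"
HISTORY = [
    ("c1", SIG + "    return 0;\n}\n"),
    ("c2", SIG + "    char buf[64];\n    memcpy(buf, src, n);\n    return use(buf, dst);\n}\n"),
    ("c3", SIG + "    char buf[64];\n    log(\"copy\");\n    memcpy(buf, src, n);\n"
           "    return use(buf, dst);\n}\n"),
]
FIXED = (SIG + "    char buf[64];\n    log(\"copy\");\n    if (n > sizeof(buf)) return -1;\n"
         "    memcpy(buf, src, n);\n    return use(buf, dst);\n}\n")

if __name__ == "__main__":
    print(find_vic(HISTORY, HISTORY[-1][1], FIXED))
```

In this constructed history the line adjacent to the inserted check was last touched in `c3`, but matching the unguarded `memcpy` statement resolves to `c2`, the commit that first contained it.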
