Abstract: In this paper, we present VFFinder, a novel graph-based approach for automated silent
vulnerability fix identification. To precisely capture the meaning of code changes, the changed code is
represented in connection with the related unchanged code. In VFFinder, the structure of the changed
code and related unchanged code are captured and the structural changes are represented in annotated
Abstract Syntax Trees (αAST). VFFinder distinguishes vulnerability-fixing commits from non-fixing
ones using attention-based graph neural network models to extract structural features expressed in
αASTs. We conducted experiments to evaluate VFFinder on a dataset of 11K+ vulnerability fixing
commits in 507 real-world C/C++ projects. Our results show that VFFinder significantly improves
the state-of-the-art methods by 272–420% in Precision, 22–70% in Recall, and 3.2X–8.2X in F1.
Especially, VFFinder speeds up the silent fix identification process by up to 121% with the same
effort reviewing 50K LOC compared to the existing approaches.
Keywords: Silent vulnerability fixes, vulnerability fix identification, code change representation,
graph-based model.