Search papers, labs, and topics across Lattice.
This paper introduces VIC-RAGENT, a multi-agent framework utilizing LLMs to detect vulnerability-inducing commits (VICs) by integrating insights from structural analysis, intent understanding, and vulnerability inspection. The framework employs a multi-stage reasoning process that enhances detection reliability through iterative refinement of candidate vulnerabilities. Experimental results show that VIC-RAGENT significantly outperforms existing methods, achieving 1.2-1.7x higher F1-scores, thus providing a robust solution for improving software security.
VIC-RAGENT achieves up to 1.7x higher F1-scores in detecting vulnerability-inducing commits, revolutionizing how we approach software security.
Detecting vulnerability-inducing commits (VICs) at submission time is critical for improving the security and reliability of software systems. However, this task is highly challenging because it requires reasoning about the semantic impact of code changes from heterogeneous information sources, including code diffs, commit messages, and the surrounding contextual code. Existing approaches often struggle to fully capture these complex interactions, resulting in limited detection performance. In this paper, we propose VIC-RAGENT, an LLM-based multi-agent framework for effective and explainable vulnerability detection. VIC-RAGENT leverages multiple specialized agents to provide complementary perspectives, including structural analysis, intent understanding, and vulnerability inspection. To further improve detection reliability, the framework employs a multi-stage reasoning process that progressively refines candidate vulnerabilities through preliminary inspection, reanalysis, and a final decision stage. Experimental results on a real-world dataset across multiple LLMs demonstrate that VIC-RAGENT consistently outperforms baselines, including Direct, CoT, and CodeAgent. Compared to the strongest baseline, VIC-RAGENT achieves 1.2-1.7x higher F1-scores across different models. Overall, VIC-RAGENT offers a robust, explainable, and practical solution for detecting VICs in modern software development workflows.