Search papers, labs, and topics across Lattice.
The paper introduces Favia, a forensic agent-based framework that identifies vulnerability-fixing commits corresponding to disclosed CVEs by combining scalable candidate ranking with deep, iterative semantic reasoning using a ReAct-based LLM agent. Favia leverages a pre-commit repository environment and specialized tools to enable the agent to localize vulnerable components, navigate the codebase, and establish causal alignment between code changes and vulnerability root causes. Evaluated on a newly created large-scale dataset (CVEVC) of over 8 million commits, Favia demonstrates superior precision-recall trade-offs and F1-scores compared to state-of-the-art traditional and LLM-based baselines under realistic candidate selection scenarios.
LLM agents can now pinpoint vulnerability fixes in massive codebases with unprecedented accuracy, even when the fixes are indirect, multi-file, or non-trivial.
Identifying vulnerability-fixing commits corresponding to disclosed CVEs is essential for secure software maintenance but remains challenging at scale, as large repositories contain millions of commits of which only a small fraction address security issues. Existing automated approaches, including traditional machine learning techniques and recent large language model (LLM)-based methods, often suffer from poor precision-recall trade-offs. Frequently evaluated on randomly sampled commits, we uncover that they are substantially underestimating real-world difficulty, where candidate commits are already security-relevant and highly similar. We propose Favia, a forensic, agent-based framework for vulnerability-fix identification that combines scalable candidate ranking with deep and iterative semantic reasoning. Favia first employs an efficient ranking stage to narrow the search space of commits. Each commit is then rigorously evaluated using a ReAct-based LLM agent. By providing the agent with a pre-commit repository as environment, along with specialized tools, the agent tries to localize vulnerable components, navigates the codebase, and establishes causal alignment between code changes and vulnerability root causes. This evidence-driven process enables robust identification of indirect, multi-file, and non-trivial fixes that elude single-pass or similarity-based methods. We evaluate Favia on CVEVC, a large-scale dataset we made that comprises over 8 million commits from 3,708 real-world repositories, and show that it consistently outperforms state-of-the-art traditional and LLM-based baselines under realistic candidate selection, achieving the strongest precision-recall trade-offs and highest F1-scores.
