English

CLNX: Bridging Code and Natural Language for C/C++ Vulnerability-Contributing Commits Identification

Cryptography and Security 2024-09-12 v1 Artificial Intelligence

Abstract

Large Language Models (LLMs) have shown great promise in vulnerability identification. As C/C++ comprises half of the Open-Source Software (OSS) vulnerabilities over the past decade and updates in OSS mainly occur through commits, enhancing LLMs' ability to identify C/C++ Vulnerability-Contributing Commits (VCCs) is essential. However, current studies primarily focus on further pre-training LLMs on massive code datasets, which is resource-intensive and poses efficiency challenges. In this paper, we enhance the ability of BERT-based LLMs to identify C/C++ VCCs in a lightweight manner. We propose CodeLinguaNexus (CLNX) as a bridge facilitating communication between C/C++ programs and LLMs. Based on commits, CLNX efficiently converts the source code into a more natural representation while preserving key details. Specifically, CLNX first applies structure-level naturalization to decompose complex programs, followed by token-level naturalization to interpret complex symbols. We evaluate CLNX on public datasets of 25,872 C/C++ functions with their commits. The results show that CLNX significantly enhances the performance of LLMs on identifying C/C++ VCCs. Moreover, CLNX-equipped CodeBERT achieves new state-of-the-art and identifies 38 OSS vulnerabilities in the real world.

Keywords

Cite

@article{arxiv.2409.07407,
  title  = {CLNX: Bridging Code and Natural Language for C/C++ Vulnerability-Contributing Commits Identification},
  author = {Zeqing Qin and Yiwei Wu and Lansheng Han},
  journal= {arXiv preprint arXiv:2409.07407},
  year   = {2024}
}

Comments

8 pages, 2 figures, conference

R2 v1 2026-06-28T18:41:28.103Z