MAS-SZZ: Multi-Agentic SZZ Algorithm for Vulnerability-Inducing Commit Identification

Cryptography and Security 2026-04-28 v1 Software Engineering

Abstract

Accurate vulnerability-inducing commit identification serves as a foundation for a series of software security tasks, such as vulnerability detection and affected version analysis. A straightforward solution is the SZZ algorithm, which traces back through the code history to identify the earliest commit that modifies the vulnerable code. Unfortunately, neither the customized V-SZZ nor the state-of-the-art LLM4SZZ performs satisfactorily, due to incorrect anchor selection and inadequate backtracking capability, leaving them far from reliable in practice. To overcome these challenges, we propose a multi-agentic SZZ algorithm, named MAS-SZZ, that facilitates the identification of vulnerability-inducing commits through collaboration among agents. Specifically, given a CVE description and its corresponding fixing commit, MAS-SZZ summarizes the root cause of the vulnerability and employs a structured step-forward prompting strategy to localize vulnerability-related statements based on the change intent of each patch hunk. These vulnerable statements serve as anchors from which MAS-SZZ autonomously traces backward through the repository's history to find the commit that first introduced the vulnerability. Extensive experiments show that MAS-SZZ outperforms the state-of-the-art baselines across datasets and programming languages, achieving F1-score gains of up to 65.22% over the best-performing SZZ algorithm.

Cite

@article{arxiv.2604.24398,
  title  = {MAS-SZZ: Multi-Agentic SZZ Algorithm for Vulnerability-Inducing Commit Identification},
  author = {Sicong Cao and Jinxuan Xu and Le Yu and Jing Yang and Xingwei Lin and Linlin Zhu and Fu Xiao},
  journal= {arXiv preprint arXiv:2604.24398},
  year   = {2026}
}