Automated Software Vulnerability Repair Based on Chain-of-thought


Authors: LIN Bo; WANG Shang-Wen; MAO Xiao-Guang[1] (College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China)

Affiliation: [1] College of Computer Science and Technology, National University of Defense Technology, Changsha, Hunan 410073

Source: Journal of Software (《软件学报》), 2025, No. 3, pp. 1131-1151, 21 pages

Abstract: As software vulnerabilities grow in type, volume, and complexity, researchers have proposed various techniques to help developers discover, detect, and localize vulnerabilities. However, researchers still need to exert considerable effort to manually repair these vulnerabilities. In recent years, some researchers have focused on automated software vulnerability repair. However, such a task is merely considered a generic text generation problem by the current advanced technology, and the defects are not located. As a result, the generation space of the repair program is large, and the generated repair program is low-quality. Providing developers with such low-quality repairs affects the efficiency and effectiveness of vulnerability repair. To solve the above problems, a general type vulnerability repair approach based on chain-of-thought is proposed in this study, which is named CotRepair. By utilizing the chain-of-thought technology, the model first predicts the locations that are most likely to contain vulnerable code, and then generates the repair program more accurately based on the predicted locations. The experimental results show that CotRepair outperforms the baselines in various metrics, and the effectiveness of the proposed approach is demonstrated from multiple aspects.

Keywords: software vulnerability; automated defect repair; deep learning

Classification: TP311 [Automation and Computer Technology - Computer Software and Theory]

 
