Abstract

Deep learning excels at detecting source code vulnerabilities. Among its approaches, image-based detection methods overcome two weaknesses: token-based methods ignore deep code semantic information, and graph-based methods are inefficient. Unfortunately, current image-based methods cannot sufficiently extract vulnerability-related features because of three key limitations: (1) node centrality is constructed inappropriately for sequential Program Dependency Graphs (PDGs), (2) traditional embedding models analyze code ineffectively, and (3) the existing truncation/padding methods are poor. Moreover, they fail to achieve effective vulnerability localization because the output of their interpretation method is irregular. In response, we propose VulSCC, a novel image-based line-level source code vulnerability detection system. First, VulSCC constructs a novel centrality combination and leverages a code large language model to capture richer vulnerability-related features. Second, we integrate an SPP layer to convert PDGs into images without distortion: it adaptively aggregates inputs of arbitrary size into fixed-length vectors without truncation or padding. Finally, we use the occlusion technique to interpret the model's predictions, which locates specific vulnerable lines and enables effective vulnerability localization. Experimental results comparing VulSCC against seven SoTA methods show optimal detection performance in function-level detection. Additionally, we evaluate the effectiveness of the occlusion technique in localizing vulnerabilities, with an interpretation success rate exceeding 90%.
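As an added illustration, not the paper's code: a toy Python version of two steps the abstract names, an SPP layer that pools a variable number of per-line vectors into a fixed-length vector, and occlusion of one line at a time to rank lines by their effect on the vulnerability score. The per-line feature vectors, the linear stand-in scorer and its weights are constructed assumptions, and SPP is taken to mean spatial pyramid pooling.

```python
# Added example (not the paper's code): toy versions of the SPP pooling and
# occlusion-based line ranking described in the abstract, on constructed data.

def spp_pool(rows, levels=(1, 2, 4)):
    """Spatial pyramid pooling over a variable number of per-line vectors.

    For each pyramid level L the rows are split into L contiguous bins and
    each bin is max-pooled per feature, so the output length is always
    sum(levels) * dim regardless of how many lines (PDG nodes) the function
    has. Nothing is truncated or padded."""
    n, dim = len(rows), len(rows[0])
    pooled = []
    for L in levels:
        for b in range(L):
            lo = (b * n) // L
            hi = max(((b + 1) * n) // L, lo + 1)  # every bin sees >= 1 row
            chunk = rows[lo:hi]
            pooled.extend(max(r[j] for r in chunk) for j in range(dim))
    return pooled


def score(rows, weights):
    """Stand-in classifier (assumption): a linear score over the SPP vector.
    The paper trains a network on the PDG image instead."""
    vec = spp_pool(rows)
    return sum(v * w for v, w in zip(vec, weights))


def occlusion_localize(rows, weights):
    """Occlude one line at a time (zero its feature vector) and rank lines by
    how much the score drops; the largest drop marks the line the model
    relies on most, which is the line reported as vulnerable."""
    base = score(rows, weights)
    drops = []
    for i in range(len(rows)):
        occluded = [r if k != i else [0.0] * len(r) for k, r in enumerate(rows)]
        drops.append((i, base - score(occluded, weights)))
    return sorted(drops, key=lambda d: d[1], reverse=True)


# Constructed sample: 5 lines x 2 features; line 2 carries the strongest
# signal in feature 0, so occluding it should cause the largest drop.
SAMPLE_ROWS = [[0.1, 0.2], [0.1, 0.1], [0.9, 0.3], [0.2, 0.2], [0.1, 0.4]]
# Constructed weights: feature 0 matters in every bin, feature 1 barely.
SAMPLE_WEIGHTS = [1.0, 0.1] * 7

if __name__ == "__main__":
    for line, drop in occlusion_localize(SAMPLE_ROWS, SAMPLE_WEIGHTS):
        print(f"line {line}: score drop {drop:.2f}")
```

With the constructed input, the SPP vector has length 14 whether the function has 1, 5 or 9 lines, and line 2 ranks first with a score drop of about 2.33.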
Zhibin Jian
Siquan Huang
Hongyi Xie
Cybersecurity
www.synapsesocial.com/papers/69df2c2fe4eeef8a2a6b135f — DOI: https://doi.org/10.1186/s42400-026-00589-0