Silent vulnerability fixes (SVFs) are pervasive in open-source ecosystems and pose significant risks to software supply chains due to incomplete or delayed disclosure. Existing SVF identification methods often rely on coarse-grained diff representations, loosely aligned change fragments, or limited modeling of developer intent, restricting their robustness and practical applicability across projects. This paper presents HuBCAP, a hunk-based and context-aware predictor that aligns code-change representations with Git’s standardized hunk structure while leveraging pre-trained models (PTMs) for semantic reasoning. HuBCAP explicitly models semantic differences between paired preand post-change code fragments, performs hierarchical aggregation at both hunk and file levels, and integrates commit-message semantics within a unified dual-branch architecture. The framework avoids language-specific parsing rules and handcrafted syntactic features, following a language-agnostic design principle based on Git-standard diff structures. We evaluate HuBCAP on a large-scale, manually curated dataset covering Java and Python projects and compare it with state-of-the-art task-specific models and generalpurpose LLMs. Results demonstrate consistent performance improvements. Module-level ablation experiments confirm the necessity of hunk-level aggregation, file-level aggregation, and explicit difference modeling, while input-level analyses reveal the complementary roles of code changes and commit messages. Finally, real-world case studies in software supply chain ecosystems show that HuBCAP can uncover undisclosed and cross-project propagated vulnerability fixes. We further analyze false positive patterns and discuss deployment-oriented optimization strategies such as confidence-aware triaging and threshold tuning, highlighting HuBCAP’s practical value for improving supply chain risk visibility.
Fan et al. (Fri,) studied this question.