Clovery: Identifying Affected Versions in C/C++ Public Security Vulnerability Reports
摘要
We present Clovery, a precise approach for detecting vulnerability-affected versions through code-level semantic analysis. Precise management of vulnerability-affected versions is crucial for mitigating risks from vulnerability propagation. However, identifying these versions is challenging, requiring deep understanding of both the syntax and semantics of vulnerable code. Existing approaches often rely on broad assumptions, causing false alarms. Public security reports frequently misclassify dangerous versions as safe and vice versa, further exacerbating the problem. To overcome these limitations, Clovery uses a technique called function-lineage tracking. It focuses on vulnerability-related code lines and uses semantic pairs to capture dependencies. By tracking function histories via semantic pairs, Clovery precisely identifies versions affected by vulnerabilities. On 1,502 NVD CVEs, Clovery found potential CPE issues in 65.65% of cases, indicating risks to vulnerability management. Notably, Clovery achieved 97.43% F1 in identifying affected versions, significantly outperforming existing approaches, which achieved 71.16% and 84.23% F1 scores. These results suggest that Clovery can improve vulnerability response and software supply-chain security.