Code vulnerability detection method and system fusing rule semantics and code attribute graph
By integrating rule semantics with code attribute graphs, this method solves the problems of insufficient semantic understanding and lack of contextual information in existing code vulnerability detection, and achieves efficient vulnerability detection and accurate classification.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHANDONG NORMAL UNIV
- Filing Date
- 2026-05-11
- Publication Date
- 2026-07-14
AI Technical Summary
Existing code vulnerability detection methods suffer from limited semantic understanding capabilities, lack of cross-function context awareness, and high computational overhead, resulting in high false negative rates, high false positive rates, and low detection efficiency.
The method that integrates rule semantics and code attribute graphs provides candidate vulnerability functions and cross-function program semantic context by constructing a complementary dual-channel high-recall initial screening mechanism and a code attribute graph hierarchical context extraction mechanism, thereby improving detection recall and accuracy and reducing computational overhead.
It has achieved systematic detection and accurate classification of the top 25 vulnerability types in CWE, reducing the false negative rate and the false positive rate, and improving detection efficiency and accuracy.
Smart Images

Figure CN122174244B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of code vulnerability detection technology, and in particular to a code vulnerability detection method and system that integrates rule semantics and code attribute graphs. Background Technology
[0002] Code vulnerability detection is a core task in the field of software security, playing a vital role in engineering practices such as code auditing, security hardening, and vulnerability remediation.
[0003] Currently, at least the following problems exist in the process of automatic code vulnerability detection:
[0004] Traditional vulnerability detection methods, such as static rule scanning, rely on predefined syntax matching patterns. Their semantic understanding capabilities are limited, making it difficult to identify vulnerability variants with different syntax but equivalent semantics. Furthermore, they only perform isolated analysis on the target function itself, lacking an overall understanding of the call relationships between functions, resulting in a high false negative rate and high false positive rate in actual detection.
[0005] While semantic reasoning methods, represented by large language models, possess strong code understanding capabilities, the computational overhead of performing model reasoning on each function in the entire codebase is enormous in the absence of an effective vulnerability candidate function localization mechanism, resulting in insufficient engineering practicality. At the same time, the input provided by existing methods to large language models only contains the code of the target function itself, lacking contextual information such as the propagation of tainted data along the call chain to trigger cross-function vulnerabilities. This limits the model's ability to reason about vulnerability paths, making it difficult to achieve systematic detection and accurate classification of multiple vulnerability types in the CWE Top 25 (Common Weakness Enumeration Top 25). Summary of the Invention
[0006] To address the aforementioned issues, this invention proposes a code vulnerability detection method and system that integrates rule-based semantics and code attribute graphs. By constructing a complementary dual-channel high-recall initial screening mechanism and a code attribute graph hierarchical context extraction mechanism, it provides sufficient candidate vulnerability functions and cross-function program semantic context for large language models, effectively improving the recall and accuracy of code vulnerability detection, enhancing cross-function context awareness, reducing computational overhead during model inference, and achieving systematic detection and accurate classification of CWE Top 25 vulnerability types. This solves the problems of insufficient semantic understanding, missing contextual information, and low efficiency in detecting large-scale code bases in existing methods.
[0007] To achieve the above objectives, the present invention adopts the following technical solution:
[0008] In a first aspect, the present invention provides a code vulnerability detection method that integrates rule semantics and code attribute graphs, comprising:
[0009] Obtain the static analysis rule set and extract the semantic summary of the rules;
[0010] All functions in the target code are scanned according to the static analysis rule set, and the matched functions are included in the rule matching candidate set. For the unmatched functions, the top K functions with similarity not lower than a set threshold and ranked according to the similarity between the rule semantic summary and the source code of the unmatched functions are selected to form a semantic supplementary candidate set. The rule matching candidate set and the semantic supplementary candidate set are merged to obtain the candidate vulnerability function set.
[0011] A code attribute graph is constructed for the target code. Based on the code attribute graph, the full call context of 1-hop is extracted, starting from each candidate vulnerability function. The 2-hop nodes are filtered based on the data flow path and merged to form a set of context functions.
[0012] Based on the candidate vulnerability function set and the context function set, the detection results are obtained, which include vulnerability existence judgment, vulnerability type and vulnerability cause.
[0013] As an alternative implementation, the rule semantic summary includes a vulnerability intent field, a triggering necessary condition field, an exclusion condition field, and a typical vulnerability evidence field.
[0014] As an alternative implementation, the code attribute graph integrates the abstract syntax tree, control flow graph, and program dependency graph.
[0015] As an alternative implementation, the process of extracting the full 1-hop call context includes: extracting all directly called functions and directly called functions of the candidate vulnerable function within the 1-hop range of the code attribute graph, and including them into the context function set C1 without filtering.
[0016] As an alternative implementation, the process of filtering 2-hop nodes based on data flow paths includes: extracting a set of 2-hop extension nodes that have a direct call or being called relationship with 1-hop nodes; determining whether each 2-hop extension node has a data flow path leading to the variable definition point or variable usage point within the candidate vulnerability function by tracing the variable definition-usage chain in the code property graph; if a data flow path exists, the 2-hop extension node is included in the context function set C2, otherwise it is filtered; C1 and C2 are merged to form the final context function set.
[0017] As an alternative implementation, a set of candidate vulnerable functions and context functions is used as input, and structured prompts are constructed using system role definitions, vulnerability detection task scope, CWE Top 25 vulnerability type knowledge injection, JSON output format constraints, code analysis rules, context function code, candidate vulnerable function code, and output instructions, thereby obtaining the detection results.
[0018] Secondly, the present invention provides a code vulnerability detection system that integrates rule semantics and code attribute graphs, comprising:
[0019] The semantic structuring module is configured to acquire a static analysis rule set and extract a semantic summary of the rules;
[0020] The complementary dual-channel initial screening module is configured to scan all functions in the target code according to the static analysis rule set, and include the hit functions into the rule matching candidate set; for the missing functions, based on the similarity between the rule semantic summary and the source code of the missing functions, select the top K functions with similarity not lower than a set threshold to form a semantic supplementary candidate set; the rule matching candidate set and the semantic supplementary candidate set are merged to obtain the candidate vulnerability function set;
[0021] The context extraction module is configured to construct a code attribute graph for the target code. Based on the code attribute graph, starting from each candidate vulnerability function, it extracts the full call context of 1-hop and filters 2-hop nodes based on data flow paths, merging them to form a set of context functions.
[0022] The vulnerability inference module is configured to obtain detection results, including vulnerability existence judgment, vulnerability type and vulnerability cause, based on the candidate vulnerability function set and the context function set.
[0023] Thirdly, the present invention provides an electronic device including a memory and a processor, and computer instructions stored in the memory and running on the processor, wherein the computer instructions, when executed by the processor, perform the method described in the first aspect.
[0024] Fourthly, the present invention provides a computer-readable storage medium for storing computer instructions, which, when executed by a processor, perform the method described in the first aspect.
[0025] Fifthly, the present invention provides a computer program product, including a computer program that, when executed by a processor, implements the method described in the first aspect.
[0026] Compared with the prior art, the beneficial effects of the present invention are as follows:
[0027] This invention proposes a complementary dual-channel high-recall initial screening mechanism. The rule matching channel relies on static rules to achieve high-confidence and fast hits, while the semantic feature channel uses a pre-trained code semantic model to supplement the rule coverage blind spots with vector similarity for recall. The two work together to make up for the missed detection problem caused by insufficient semantic understanding or incomplete rule coverage of a single method, and improve the recall rate of candidate vulnerability functions while effectively controlling the computational overhead.
[0028] This invention proposes a hierarchical context extraction mechanism based on code attribute graphs. The first hop fully includes the direct call relationships of candidate vulnerability functions, while the second hop performs precise pruning based on the data flow correlation of variable definition-use chains. This systematically introduces the cross-function program semantic structure into the vulnerability detection process, effectively solving the problem of missing context information caused by isolated analysis of target functions in existing methods, and improving the inference accuracy of large language models for vulnerability triggering paths.
[0029] This invention achieves a unified structured output for vulnerability existence judgment, CWE vulnerability type classification, and vulnerability cause explanation through an eight-component structured prompt word design and JSON format output constraints. It systematically covers the high-risk vulnerability types defined by CWE Top 25, and the detection results have good interpretability and downstream automated security analysis integration capabilities.
[0030] Advantages of additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. Attached Figure Description
[0031] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.
[0032] Figure 1 This is a schematic diagram of the code vulnerability detection process that integrates rule semantics and code attribute graphs as provided in Embodiment 1 of the present invention;
[0033] Figure 2 This is a schematic diagram of the complementary dual-channel high-recall primary screening process provided in Embodiment 1 of the present invention;
[0034] Figure 3 This is a schematic diagram of hierarchical context extraction based on code attribute graphs provided in Embodiment 1 of the present invention. Detailed Implementation
[0035] The present invention will be further described below with reference to the accompanying drawings and embodiments.
[0036] It should be noted that the following detailed descriptions are exemplary and intended to provide further illustration of the invention. Unless otherwise specified, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains.
[0037] It should be noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of exemplary embodiments according to the invention. As used herein, unless the context clearly indicates otherwise, the singular form is intended to include the plural form as well. Furthermore, it should be understood that the terms “comprising” and “including”, and any variations thereof, are intended to cover non-exclusive inclusion, for example, a process, method, system, product, or apparatus that includes a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0038] Where there is no conflict, the embodiments and features in the embodiments of the present invention can be combined with each other.
[0039] Example 1
[0040] like Figure 1 As shown in the figure, this embodiment provides a code vulnerability detection method that integrates rule semantics and code attribute graphs, including:
[0041] S1: Obtain the static analysis rule set and extract the semantic summary of the rules;
[0042] S2: Perform rule scanning on all functions in the target code according to the static analysis rule set, and include the hit functions into the rule matching candidate set; for the missing functions, select the top K functions with similarity not lower than the set threshold and ranked according to the similarity between the rule semantic summary and the source code of the missing functions to form a semantic supplementary candidate set; merge the rule matching candidate set and the semantic supplementary candidate set to obtain the candidate vulnerability function set;
[0043] S3: Construct a code attribute graph for the target code. Based on the code attribute graph, extract the full call context of 1-hop starting from each candidate vulnerability function, and filter the 2-hop nodes based on the data flow path, merging them to form a set of context functions.
[0044] S4: Based on the candidate vulnerability function set and the context function set, obtain the detection results, which include vulnerability existence judgment, vulnerability type and vulnerability cause.
[0045] In this embodiment, in step S1, a static analysis rule set covering the top 25 vulnerability types in CWE is selected from the public rule base. The large language model is used to perform semantic parsing on each rule to generate a structured rule semantic summary containing four fields: vulnerability intent, necessary triggering conditions, exclusion conditions, and typical vulnerability evidence. This summary serves as the vulnerability knowledge representation for subsequent semantic similarity matching.
[0046] Specifically:
[0047] The CWE Top-25 vulnerability types cover 25 high-risk vulnerability types, including buffer overflows, injection vulnerabilities, improper access control, and resource management errors. A static analysis rule set covering high-risk vulnerability types such as injection vulnerabilities, memory safety vulnerabilities, and access control flaws was obtained by filtering from a public rule base according to the vulnerability types covered by the CWE Top-25.
[0048] The original text of each static analysis rule is used as input to the large language model. The large language model performs semantic parsing on each rule, generating a structured rule semantic summary. Specifically, it includes the following four fields:
[0049] (1) Vulnerability Intent Field (vuln_intent): Describes the vulnerability attack pattern or code defect intent targeted by the rule, and is used to clarify the detection target of the rule.
[0050] (2) Triggering necessary conditions field (must_have): describes the code characteristics that must be met to trigger the vulnerability, including necessary conditions such as dangerous function calls and insecure data streams.
[0051] (3) Exclusion condition field (must_not_have): describes the reverse characteristics (negative constraints) used to exclude false alarm scenarios, and is used to distinguish vulnerable code from normal code with similar functions.
[0052] (4) Typical evidence field: describes the typical code features that provide evidence of the existence of vulnerabilities in the code, and assists in the judgment of candidate functions in the subsequent semantic similarity matching stage.
[0053] The above four fields together constitute the structured semantic knowledge representation of each rule, which is used in subsequent steps to calculate semantic similarity with the function source code.
[0054] In this embodiment, in step S2, a complementary dual-channel mechanism is used to perform high-recall initial screening of the full function, such as... Figure 2 As shown, specifically:
[0055] (1) Rule matching channel: Static rule scanning is performed on all functions in the target code library according to the static analysis rule set. Functions that are matched by the rules are included in the rule matching candidate set S and will not enter the semantic similarity calculation process again, so as to avoid repeated calculation and improve the overall running efficiency.
[0056] (2) Semantic feature channel: For functions that are not matched by the rules, the pre-trained code semantic model is used to perform vector encoding on the rule semantic summary generated in step S1 and the source code of the functions that are not matched. The hidden layer vectors corresponding to the [CLS] labels of the input sequence output by the model encoding are extracted as their respective semantic representation vectors, and the cosine similarity between the two vectors is calculated:
[0057] (1);
[0058] Where a is the rule semantic summary vector and b is the source code vector of the missed functions.
[0059] Set the similarity threshold to 0.8, sort all missing functions in descending order of similarity, and select the top K (K=10) functions with similarity not lower than the set similarity threshold to form the semantic supplementary candidate set C.
[0060] (3) Candidate set union: The rule matching candidate set S and the semantic supplement candidate set C are combined to obtain the final candidate vulnerability function set F=S∪C, which is then sent to the subsequent steps for context extraction and vulnerability reasoning.
[0061] In this embodiment, in step S3, as follows Figure 3 As shown, it specifically includes:
[0062] (1) Using code analysis tools, construct a code property graph (CPG) that integrates an abstract syntax tree (AST), a control flow graph (CFG), and a program dependency graph (PDG) for the target code; the CPG comprehensively reflects the program's syntax structure, execution path, and data and control dependencies.
[0063] (2) Based on the code attribute graph, starting from each candidate vulnerability function in the candidate vulnerability function set, extract all directly called functions and directly called functions within the 1-hop range and include them into the context function set without filtering; for the extended nodes within the 2-hop range, analyze the data flow correlation between each node and the candidate vulnerability function by tracking the variable definition-use chain, further filter the data flow of the 2-hop nodes, and retain only the nodes that have a variable definition-use chain data flow path with the candidate vulnerability function, and merge them to form a simplified context function set.
[0064] The process of extracting context using the hierarchical strategy described above includes:
[0065] (2-1) 1-hop full call context extraction: Extract all directly adjacent call relationship nodes of the candidate vulnerable function in the code attribute graph, including the function directly called by the candidate vulnerable function (i.e., the directly calling function Callee) and the function directly calling the candidate vulnerable function (i.e., the directly called function caller), and include them into the 1-hop full call context function set C1 without filtering.
[0066] (2-2) 2-hop Context Extraction and Data Flow Filtering: Extract the set of 2-hop extended nodes that have direct call or called relationships with 1-hop nodes. By tracing the variable definition-use chain in the CPG data flow graph, determine whether each 2-hop node f2 has a directed data flow path leading to the variable definition point or variable use point within the candidate vulnerability function. If a data flow path exists, add node f2 to the context function set C2; otherwise, filter it, retaining only the 2-hop nodes with data flow paths to form the filtered set C2. Finally, simplify the context function set to... .
[0067] In this embodiment, in step S4, the candidate vulnerability function and context function set are used as input. The structured prompt words are constructed according to eight components: system role definition, vulnerability detection task scope, CWE Top 25 vulnerability type knowledge injection, JSON output format constraints, code analysis rules, context function code, candidate vulnerability function code and output instructions. The prompt words are then input into the large language model to obtain a JSON-formatted structured detection result containing vulnerability existence judgment, CWE vulnerability type and vulnerability cause.
[0068] The structured prompts include:
[0069] (1) System Role Definition: Define the large language model as a code security analysis expert with professional code security auditing capabilities, and clarify its task positioning.
[0070] (2) Vulnerability detection task scope: It is agreed that this detection task will focus on the high-risk software defect types defined by CWE Top 25, and the detection scope will be limited.
[0071] (3) CWE Top 25 vulnerability knowledge injection (CWE Knowledge): The list of CWE Top 25 vulnerability types is injected into the prompt words in a structured form, providing the large language model with a list of vulnerability types and brief descriptions, and providing the large language model with lightweight vulnerability classification knowledge.
[0072] (4) JSON output format constraints (JSON Schema): Define the JSON format specification for structured output, including the name, type and value range of the vulnerability existence field, CWE vulnerability type field and vulnerability cause description field.
[0073] (5) Code Analysis Rules: Inject code audit analysis guidelines for vulnerability detection, provide criteria and precautions for vulnerability judgment, and guide the large language model to focus on typical vulnerability features such as data flow tracing, missing input validation, and resource management errors.
[0074] (6) Context Functions: Provides the source code of each function in the context function set Cctx, providing cross-function call relationships and data flow propagation information for the large language model.
[0075] (7) Candidate Vulnerable Function Code (Code Bundle): Provides the source code of the candidate vulnerable function to be detected.
[0076] (8) Output Instruction: Explicitly requires the large language model to return the detection results strictly in accordance with the JSON Schema format defined in component (4) and not to output any additional text.
[0077] After inputting the above structured prompts into the large language model, the following JSON-formatted structured detection results are obtained:
[0078] {
[0079] "has_vulnerability": true / false,
[0080] "cwe_type": "CWE-XX: [Vulnerability Type Name]",
[0081] "reason": "[Natural language explanation of the vulnerability's cause]"
[0082] }
[0083] The `has_vulnerability` field indicates whether the target function has a vulnerability; the `cwe_type` field outputs the corresponding CWE number and vulnerability type name; and the `reason` field outputs the interpretability of the large language model for the cause of the vulnerability.
[0084] In this embodiment, the programming languages supported by the above method include Python, Java, and C. The static rule scanning tool uses a multi-language static analysis framework to achieve unified rule matching for the above programming languages. The code attribute graph construction tool supports unified program analysis and graph structure extraction for the above programming languages. The pre-trained code semantic model uses the CodeBERT model, and the large language model uses the Qwen series models. The above method can be extended to other programming languages that support abstract syntax tree parsing and code attribute graph construction.
[0085] Example 2
[0086] This embodiment provides a code vulnerability detection system that integrates rule semantics and code attribute graphs, including:
[0087] The semantic structuring module is configured to acquire a static analysis rule set and extract a semantic summary of the rules;
[0088] The complementary dual-channel initial screening module is configured to scan all functions in the target code according to the static analysis rule set, and include the hit functions into the rule matching candidate set; for the missing functions, based on the similarity between the rule semantic summary and the source code of the missing functions, select the top K functions with similarity not lower than a set threshold to form a semantic supplementary candidate set; the rule matching candidate set and the semantic supplementary candidate set are merged to obtain the candidate vulnerability function set;
[0089] The context extraction module is configured to construct a code attribute graph for the target code. Based on the code attribute graph, starting from each candidate vulnerability function, it extracts the full call context of 1-hop and filters 2-hop nodes based on data flow paths, merging them to form a set of context functions.
[0090] The vulnerability inference module is configured to obtain detection results, including vulnerability existence judgment, vulnerability type and vulnerability cause, based on the candidate vulnerability function set and the context function set.
[0091] It should be noted that the above modules correspond to the steps described in Embodiment 1, and the examples and application scenarios implemented by the above modules and the corresponding steps are the same, but are not limited to the content disclosed in Embodiment 1. It should also be noted that the above modules, as part of the system, can be executed in a computer system such as a set of computer-executable instructions.
[0092] In further embodiments, the following is also provided:
[0093] An electronic device includes a memory and a processor, as well as computer instructions stored in the memory and running on the processor, wherein the computer instructions, when executed by the processor, perform the method described in Embodiment 1. For brevity, further details are omitted here.
[0094] It should be understood that in this embodiment, the processor can be a central processing unit (CPU), or it can be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or any conventional processor, etc.
[0095] Memory may include read-only memory and random access memory, and provides instructions and data to the processor. A portion of memory may also include non-volatile random access memory. For example, memory may also store information about the device type.
[0096] A computer-readable storage medium for storing computer instructions, which, when executed by a processor, perform the method described in Embodiment 1.
[0097] The method in Example 1 can be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules within the processor. The software modules can reside in readily available storage media in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or registers. This storage medium is located in memory, and the processor reads information from the memory and, in conjunction with its hardware, completes the steps of the above method. To avoid repetition, a detailed description is not provided here.
[0098] A computer program product includes a computer program that, when executed by a processor, implements the method described in Embodiment 1.
[0099] The present invention also provides at least one computer program product tangibly stored on a non-transitory computer-readable storage medium. The computer program product includes computer-executable instructions, such as instructions included in program modules, which execute in a device on a target real or virtual processor to perform the processes / methods described above. Typically, program modules include routines, programs, libraries, objects, classes, components, data structures, etc., that perform specific tasks or implement specific abstract data types. In various embodiments, the functionality of program modules can be combined or divided among program modules as needed. The machine-executable instructions for the program modules can execute within a local or distributed device. In a distributed device, the program modules can reside in both local and remote storage media.
[0100] The computer program code used to implement the methods of the present invention may be written in one or more programming languages. This computer program code may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, such that when executed by the computer or other programmable data processing device, the program code causes the functions / operations specified in the flowcharts and / or block diagrams to be implemented. The program code may be executed entirely on a computer, partially on a computer, as a stand-alone software package, partially on a computer and partially on a remote computer, or entirely on a remote computer or server.
[0101] In the context of this invention, computer program code or related data may be carried by any suitable carrier to enable a device, apparatus, or processor to perform the various processes and operations described above. Examples of carriers include signals, computer-readable media, and the like. Examples of signals may include electrical, optical, radio, sound, or other forms of propagation signals, such as carrier waves, infrared signals, etc.
[0102] Those skilled in the art will recognize that the units and algorithm steps described in connection with the various examples of this embodiment can be implemented in electronic hardware or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this invention.
[0103] While the specific embodiments of the present invention have been described above in conjunction with the accompanying drawings, this is not intended to limit the scope of protection of the present invention. Those skilled in the art should understand that various modifications or variations that can be made by those skilled in the art without creative effort based on the technical solutions of the present invention are still within the scope of protection of the present invention.
Claims
1. A code vulnerability detection method that integrates rule semantics and code attribute graphs, characterized in that, include: Obtain the static analysis rule set and extract the rule semantic summary; the rule semantic summary includes the vulnerability intent field, the triggering necessary condition field, the exclusion condition field, and the typical vulnerability evidence field; All functions in the target code are scanned according to the static analysis rule set, and the matched functions are included in the rule matching candidate set. For the unmatched functions, the top K functions with similarity not lower than a set threshold and ranked according to the similarity between the rule semantic summary and the source code of the unmatched functions are selected to form a semantic supplementary candidate set. The rule matching candidate set and the semantic supplementary candidate set are merged to obtain the candidate vulnerability function set. A code attribute graph is constructed for the target code. Based on the code attribute graph, the full call context of 1-hop is extracted, starting from each candidate vulnerability function. The 2-hop nodes are filtered based on the data flow path and merged to form a set of context functions. The process of extracting the full 1-hop call context includes: extracting all directly called functions and directly called functions of the candidate vulnerability function within the 1-hop range of the code attribute graph, and including them into the context function set C1 without filtering; The process of filtering 2-hop nodes based on data flow paths includes: extracting a set of 2-hop extension nodes that have a direct call or being called relationship with 1-hop nodes; determining whether each 2-hop extension node has a data flow path leading to the variable definition point or variable usage point within the candidate vulnerability function by tracing the variable definition-usage chain in the code property graph; if a data flow path exists, the 2-hop extension node is included in the context function set C2, otherwise it is filtered; C1 and C2 are merged to form the final context function set. Based on the candidate vulnerability function set and the context function set, the detection results include vulnerability existence judgment, vulnerability type and vulnerability cause; The system takes candidate vulnerable functions and context function sets as input, and constructs structured prompts using system role definitions, vulnerability detection task scope, CWE Top 25 vulnerability type knowledge injection, JSON output format constraints, code analysis rules, context function code, candidate vulnerable function code, and output instructions. The structured prompts are then input into a large language model to obtain the detection results.
2. The code vulnerability detection method that integrates rule semantics and code attribute graphs as described in claim 1, characterized in that, The code attribute graph integrates the abstract syntax tree, control flow graph, and program dependency graph.
3. A code vulnerability detection system that integrates rule semantics and code attribute graphs, characterized in that, The code vulnerability detection method for fusing rule semantics and code attribute graphs as described in any one of claims 1-2 includes: The semantic structuring module is configured to acquire a static analysis rule set and extract a semantic summary of the rules; The complementary dual-channel initial screening module is configured to scan all functions in the target code according to the static analysis rule set, and include the hit functions into the rule matching candidate set; for the missing functions, based on the similarity between the rule semantic summary and the source code of the missing functions, select the top K functions with similarity not lower than a set threshold to form a semantic supplementary candidate set; the rule matching candidate set and the semantic supplementary candidate set are merged to obtain the candidate vulnerability function set; The context extraction module is configured to construct a code attribute graph for the target code. Based on the code attribute graph, starting from each candidate vulnerability function, it extracts the full call context of 1-hop and filters 2-hop nodes based on data flow paths, merging them to form a set of context functions. The vulnerability inference module is configured to obtain detection results, including vulnerability existence judgment, vulnerability type and vulnerability cause, based on the candidate vulnerability function set and the context function set.
4. An electronic device, characterized in that, It includes a memory and a processor, as well as computer instructions stored in the memory and running on the processor, which, when executed by the processor, perform the method according to any one of claims 1-2.
5. A computer-readable storage medium, characterized in that, Used to store computer instructions, which, when executed by a processor, perform the method described in any one of claims 1-2.
6. A computer program product, characterized in that, Includes a computer program, which, when executed by a processor, implements the method described in any one of claims 1-2.