Evaluation of ChatGPT Model for Vulnerability Detection
Anton Cheshkov, Pavel Zadorozhny, Rodion Levichev
TL;DR
<3-5 sentence high-level summary>This study investigates whether ChatGPT and GPT-3 can detect vulnerabilities in Java code using a real-world patch-level dataset. The authors construct binary and multi-label evaluation tasks based on CWE categories, and compare GPT-3, ChatGPT, and a dummy baseline via OpenAI APIs with deterministic prompts. Results indicate that both GPT-3 and ChatGPT perform near-random on key metrics (e.g., AUC around 0.5) and show limited ability to reliably identify vulnerabilities, with some variance across CWE types. The findings suggest current LLM capabilities are insufficient for robust vulnerability detection in code, motivating future work on prompt strategies, chain-of-thought prompting, and evaluation with newer models and larger datasets.
Abstract
In this technical report, we evaluated the performance of the ChatGPT and GPT-3 models for the task of vulnerability detection in code. Our evaluation was conducted on our real-world dataset, using binary and multi-label classification tasks on CWE vulnerabilities. We decided to evaluate the model because it has shown good performance on other code-based tasks, such as solving programming challenges and understanding code at a high level. However, we found that the ChatGPT model performed no better than a dummy classifier for both binary and multi-label classification tasks for code vulnerability detection.