Semantics-Aligned, Curriculum-Driven, and Reasoning-Enhanced Vulnerability Repair Framework
Chengran Yang, Ting Zhang, Jinfeng Jiang, Xin Zhou, Haoye Tian, Jieke Shi, Junkai Chen, Yikun Li, Eng Lieh Ouh, Lwin Khin Shar, David Lo
TL;DR
This work identifies critical weaknesses in learning-based AVR, notably poor cross-repository generalization, difficulty with long-range multi-hunk repairs, and susceptibility to lexical cues. It introduces SeCuRepair, a semantics-aligned, curriculum-driven framework that uses a reasoning-then-edit workflow and semantics-aware reinforcement learning to train patches that align syntactically and semantically with oracle solutions. A two-stage training regime—reasoning-transferred SFT followed by GRPO-based RL with an AST- and DFG-driven reward—coupled with a difficulty-based curriculum, yields robust improvements over state-of-the-art baselines on BigVul and PrimeVul_AVR, including substantial CodeBLEU gains and higher patch workability. Ablation studies confirm the contributions of reasoning, semantic rewards, and curriculum learning, underscoring the importance of moving beyond lexical imitation to learn true repair semantics. The approach promises practical impact by enhancing automated vulnerability remediation across unseen repositories and complex, multi-hunk fixes, with potential extension to additional programming languages.
Abstract
Current learning-based Automated Vulnerability Repair (AVR) approaches, while promising, often fail to generalize effectively in real-world scenarios. Our diagnostic analysis reveals three fundamental weaknesses in state-of-the-art AVR approaches: (1) limited cross-repository generalization, with performance drops on unseen codebases; (2) inability to capture long-range dependencies, causing a performance degradation on complex, multi-hunk repairs; and (3) over-reliance on superficial lexical patterns, leading to significant performance drops on vulnerabilities with minor syntactic variations like variable renaming. To address these limitations, we propose SeCuRepair, a semantics-aligned, curriculum-driven, and reasoning-enhanced framework for vulnerability repair. At its core, SeCuRepair adopts a reason-then-edit paradigm, requiring the model to articulate why and how a vulnerability should be fixed before generating the patch. This explicit reasoning enforces a genuine understanding of repair logic rather than superficial memorization of lexical patterns. SeCuRepair also moves beyond traditional supervised fine-tuning and employs semantics-aware reinforcement learning, rewarding patches for their syntactic and semantic alignment with the oracle patch rather than mere token overlap. Complementing this, a difficulty-aware curriculum progressively trains the model, starting with simple fixes and advancing to complex, multi-hunk coordinated edits. We evaluate SeCuRepair on strict, repository-level splits of BigVul and newly crafted PrimeVul_AVR datasets. SeCuRepair significantly outperforms all baselines, surpassing the best-performing baselines by 34.52% on BigVul and 31.52% on PrimeVul_AVR in terms of CodeBLEU, respectively. Comprehensive ablation studies further confirm that each component of our framework contributes to its final performance.
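The abstract's two central claims, that token overlap is fooled by variable renaming and that a structure-aware reward is not, can be made concrete with a small comparison. The following is an added illustration, not SeCuRepair's reward function: it uses Python's `ast` module on constructed Python snippets (the paper targets C and additionally aligns data-flow graphs, which is not modelled here) and scores two candidate patches against an oracle patch with a lexical metric and with an identifier-blind AST metric.

```python
import ast
import difflib
import re

# Constructed illustration (added example, not SeCuRepair's reward): three Python
# snippets standing in for an oracle patch and two candidate patches. The paper
# targets C and also aligns data-flow graphs; only the AST-level intuition is shown.
ORACLE = """
def read_entry(buf, idx):
    if idx < 0 or idx >= len(buf):
        return None
    return buf[idx]
"""
# Same fix with identifiers renamed: lexically different, structurally identical.
RENAMED = ORACLE.replace("buf", "data").replace("idx", "i")
# Shares most tokens with the oracle but silently drops the lower-bound check.
INCOMPLETE = ORACLE.replace("idx < 0 or ", "")

def token_overlap(cand, ref):
    # Lexical similarity over raw tokens, a stand-in for BLEU-style n-gram overlap.
    tok = lambda s: re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", s)
    return difflib.SequenceMatcher(None, tok(cand), tok(ref)).ratio()

def ast_skeleton(src):
    # Node types plus comparison/boolean operators; identifier names are dropped,
    # so renaming a variable leaves the skeleton unchanged.
    out = []
    for node in ast.walk(ast.parse(src)):
        out.append(type(node).__name__)
        if isinstance(node, ast.Compare):
            out.extend(type(op).__name__ for op in node.ops)
        elif isinstance(node, ast.BoolOp):
            out.append(type(node.op).__name__)
    return out

def ast_similarity(cand, ref):
    return difflib.SequenceMatcher(None, ast_skeleton(cand), ast_skeleton(ref)).ratio()

def rank(scorer, cands, ref=ORACLE):
    # Candidate names ordered best-first under the given reward.
    return sorted(cands, key=lambda name: scorer(cands[name], ref), reverse=True)

if __name__ == "__main__":
    cands = {"renamed": RENAMED, "incomplete": INCOMPLETE}
    for name, src in cands.items():
        print(f"{name:11s} lexical={token_overlap(src, ORACLE):.2f} "
              f"structural={ast_similarity(src, ORACLE):.2f}")
    print("token-overlap ranking :", rank(token_overlap, cands))
    print("AST-alignment ranking :", rank(ast_similarity, cands))
```

The lexical score prefers the candidate that dropped a bounds check because it shares more raw tokens with the oracle, while the identifier-blind AST score ranks the renamed but complete fix first.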
