LLMs in Code Vulnerability Analysis: A Proof of Concept
Shaznin Sultana, Sadia Afreen, Nasir U. Eisty
TL;DR
This work investigates open-source LLMs as integrated assistants for a four-stage software vulnerability workflow in C/C++: detection, severity and access complexity prediction, and fix generation. By comparing five code-specific paired with general-purpose models across prompting regimes (zero-shot, few-shot) and fine-tuning (LoRA PEFT), the study shows that fine-tuning consistently enhances performance, while code-specialized models do not uniformly outrank general models. It also demonstrates significant limitations in current repair-quality metrics, underscoring the need for execution-based evaluation. The findings offer a practical baseline for deploying LLM-assisted vulnerability analysis and remediation, with implications for model choice, prompting design, and evaluation strategies in real-world security pipelines.
Abstract
Context: Traditional software security analysis methods struggle to keep pace with the scale and complexity of modern codebases, requiring intelligent automation to detect, assess, and remediate vulnerabilities more efficiently and accurately. Objective: This paper explores the incorporation of code-specific and general-purpose Large Language Models (LLMs) to automate critical software security tasks, such as identifying vulnerabilities, predicting severity and access complexity, and generating fixes as a proof of concept. Method: We evaluate five pairs of recent LLMs, including both code-based and general-purpose open-source models, on two recognized C/C++ vulnerability datasets, namely Big-Vul and Vul-Repair. Additionally, we compare fine-tuning and prompt-based approaches. Results: The results show that fine-tuning uniformly outperforms both zero-shot and few-shot approaches across all tasks and models. Notably, code-specialized models excel in zero-shot and few-shot settings on complex tasks, while general-purpose models remain nearly as effective. Discrepancies among CodeBLEU, CodeBERTScore, BLEU, and ChrF highlight the inadequacy of current metrics for measuring repair quality. Conclusions: This study contributes to the software security community by investigating the potential of advanced LLMs to improve vulnerability analysis and remediation.
