🤖 AI Summary
Accurately identifying vulnerable-introducing commits (VICs) is highly challenging, as it requires semantic reasoning over heterogeneous data such as code diffs, commit messages, and contextual information. This work proposes VIC-RAGENT, the first VIC detection framework based on multi-agent collaboration and multi-stage progressive reasoning. It employs specialized large language model agents to perform structural analysis, intent understanding, and vulnerability checking, which collaboratively reason across three stages: initial screening, refined analysis, and final judgment. The approach achieves both high precision and strong interpretability, outperforming the strongest baseline by 1.2–1.7× in F1 score on real-world datasets and demonstrating robust performance across multiple large language models.
📝 Abstract
Detecting vulnerability-inducing commits (VICs) at submission time is critical for improving the security and reliability of software systems. However, this task is highly challenging because it requires reasoning about the semantic impact of code changes from heterogeneous information sources, including code diffs, commit messages, and the surrounding contextual code. Existing approaches often struggle to fully capture these complex interactions, resulting in limited detection performance. In this paper, we propose VIC-RAGENT, an LLM-based multi-agent framework for effective and explainable vulnerability detection. VIC-RAGENT leverages multiple specialized agents to provide complementary perspectives, including structural analysis, intent understanding, and vulnerability inspection. To further improve detection reliability, the framework employs a multi-stage reasoning process that progressively refines candidate vulnerabilities through preliminary inspection, reanalysis, and a final decision stage. Experimental results on a real-world dataset across multiple LLMs demonstrate that VIC-RAGENT consistently outperforms baselines, including Direct, CoT, and CodeAgent. Compared to the strongest baseline, VIC-RAGENT achieves 1.2-1.7x higher F1-scores across different models. Overall, VIC-RAGENT offers a robust, explainable, and practical solution for detecting VICs in modern software development workflows.