Existing deep learning–based vulnerability detectors struggle to precisely localize fine-grained statements that trigger vulnerabilities. Method: This paper proposes an end-to-end trigger-statement localization method grounded in graph neural network (GNN) outputs. It innovatively leverages syntactic and semantic differences between vulnerable and patched code statements to guide localization, integrating program slicing, taint analysis, and weighted taint-flow path selection—thereby overcoming the limitation of conventional explanation methods that rely solely on prediction confidence scores. Contribution/Results: The resulting explainability-enhanced framework achieves an average localization accuracy of 87% across six common C/C++ vulnerability types, significantly outperforming five state-of-the-art GNN explanation methods and two statement-level detectors. This advancement provides more accurate, traceable, and actionable technical support for vulnerability diagnosis and root-cause analysis.

Vulnerability detection is a crucial component in the software development lifecycle. Existing vulnerability detectors, especially those based on deep learning (DL) models, have achieved high effectiveness. Despite their capability of detecting vulnerable code snippets from given code fragments, the detectors are typically unable to further locate the fine-grained information pertaining to the vulnerability, such as the precise vulnerability triggering locations. Although explanation methods can filter important statements based on the predictions of code fragments, their effectiveness is limited by the fact that the model primarily learns the difference between vulnerable and non-vulnerable samples. In this paper, we propose SliceLocator, which, unlike previous approaches, leverages the detector's understanding of the differences between vulnerable and non-vulnerable samples, essentially, vulnerability-fixing statements. SliceLocator identifies the most relevant taint flow by selecting the highest-weighted flow path from all potential vulnerability-triggering statements in the program, in conjunction with the detector. We demonstrate that SliceLocator consistently performs well on four state-of-the-art GNN-based vulnerability detectors, achieving an accuracy of around 87% in flagging vulnerability-triggering statements across six common C/C++ vulnerabilities. It outperforms five widely used GNN-based explanation methods and two statement-level detectors.