This study addresses the security risks faced by downstream software due to dependencies on open-source libraries containing implicit vulnerabilities, which are challenging for existing methods to detect prior to disclosure. The work presents the first systematic modeling of semantic relationships among heterogeneous data sources—including vulnerability descriptions, commit messages, and code changes—and introduces a deep learning model based on multi-head attention mechanisms to jointly reason about vulnerability symptoms, root causes, and remediation strategies. Experimental results demonstrate that the proposed approach achieves an F1-score of 0.941 in vulnerability identification and 0.610 in vulnerability type classification, outperforming the current state-of-the-art by 5.4% and significantly enhancing the detection and categorization capabilities for implicit vulnerabilities.

The utilization of third-party open-source libraries is widespread in modern software development. Due to the dependency relationships, vulnerabilities within open-source libraries pose significant security threats to downstream software. However, the library vulnerabilities are usually implicitly reported and patched, without explicit notification to dependent software, leaving the downstream software vulnerable to potential attacks. Existing research efforts primarily focus on identifying vulnerability patches according to bug reports, commit messages, or code changes, overlooking the rich semantic connections among various sources of information. In this paper, our main insight is that various sources of information, including the vulnerability descriptions (e.g., bug reports) and its fixing strategies (e.g., commit messages and code changes), are highly interconnected. They express the high-level semantic information about the symptom, root cause and fixing strategies of the bugs. Hence, we propose an approach that involves training an AI model to integrate multiple sources, thus enhancing the effectiveness of vulnerability identification and vulnerability type classification. We introduce VPFinder, a tool that utilizes multi-head attention mechanisms to extract high-level semantic information from diverse sources. Evaluation results demonstrate that VPFinder achieves remarkable 0.941 F1-score in vulnerability identification task and 0.610 F1-score in vulnerability type classification task, outperforming state-of-the-art approaches by 5.4%.