Learning to Locate: GNN-Powered Vulnerability Path Discovery in Open Source Code

Document Type : Research Article

Authors

1 Faculty of Computer Engineering, University of Isfahan, Isfahan, Iran

2 Faculty of Computer Engineering, University of Isfahan, Isfahan, Iran

DOI : 10.22042/isecure.2026.242017
Abstract
Detecting security vulnerabilities in open-source software is a critical task that receives considerable attention in the research community. Several approaches have been proposed in the literature for detecting vulnerable code and identifying classes of vulnerabilities. However, there is still room to improve the explanation of the root causes of detected vulnerabilities by locating vulnerable statements and discovering the paths that lead to the activation of the vulnerability. While frameworks like SliceLocator offer explanations by identifying vulnerable paths, they rely on rule-based sink identification, which limits their generalisation. In this paper, we introduce VulPathFinder, an explainable vulnerability path discovery framework that enhances SliceLocator's methodology by utilising a novel Graph Neural Network (GNN) model for detecting sink statements, rather than relying on predefined rules. The proposed GNN captures semantic and syntactic dependencies to find potential sink points (PSPs), which are candidate statements where vulnerable paths end. After detecting PSPs, program slicing can be used to extract potentially vulnerable paths, which are then ranked by feeding them back into the target graph-based detector. Ultimately, the most probable path is returned, explaining the root cause of the detected vulnerability. We demonstrate the effectiveness of the proposed approach by performing evaluations on a benchmark of the buffer overflow CWEs from the SARD dataset, providing explanations for the corresponding detected vulnerabilities. The results show that VulPathFinder outperforms both the original SliceLocator and GNNExplainer (as a general GNN explainability tool) in discovering vulnerability paths to identified PSPs.
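As an added illustration of the pipeline the abstract describes (PSP detection, backward slicing to candidate paths, ranking by the detector), not code from the paper or its repository: the statement graph, the per-statement sink scores standing in for the GNN, and the keyword-based `detector_score` standing in for the graph-based detector are all constructed here.

```python
from collections import defaultdict

# Constructed program dependence graph for a small C function with a
# buffer-overflow-shaped flaw. Edge (src, dst): statement dst depends on src.
STATEMENTS = {
    1: "char buf[16];",
    2: "int n = read_len(input);",
    3: "if (n > 0) {",
    4: "char *p = malloc(n);",
    5: "memcpy(buf, input, n);",   # writes a fixed-size buffer: candidate sink
    6: "strcpy(p, input);",        # unbounded copy: candidate sink
    7: "printf(\"%d\", n);",
}
EDGES = [(2, 3), (3, 4), (3, 5), (2, 5), (1, 5), (4, 6), (2, 7)]
# Stand-in for the GNN's per-statement sink probability (constructed values).
SINK_SCORES = {1: 0.05, 2: 0.10, 3: 0.08, 4: 0.20, 5: 0.92, 6: 0.71, 7: 0.15}

def potential_sink_points(scores, threshold=0.5):
    """PSPs: statements whose sink score exceeds the threshold."""
    return sorted(s for s, p in scores.items() if p > threshold)

def backward_paths(edges, sink):
    """Backward slice: every dependency path from a root statement to `sink`."""
    preds = defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)

    def walk(node, seen):
        if not preds[node]:          # root of the slice
            yield [node]
            return
        for p in preds[node]:
            if p not in seen:        # guard against cycles (loops in real code)
                for prefix in walk(p, seen | {p}):
                    yield prefix + [node]

    return [tuple(p) for p in walk(sink, {sink})]

def detector_score(path, statements):
    """Stand-in for feeding a slice back into the graph-based detector:
    an untrusted length reaching an unbounded copy scores highest."""
    text = " ".join(statements[s] for s in path)
    weights = (("memcpy", 0.5), ("strcpy", 0.4), ("read_len", 0.3))
    return round(sum(w for kw, w in weights if kw in text), 2)

def most_probable_path(statements, edges, scores):
    """Rank all PSP slices; return (score, path) explaining the root cause."""
    ranked = [(detector_score(p, statements), p)
              for psp in potential_sink_points(scores)
              for p in backward_paths(edges, psp)]
    ranked.sort(key=lambda c: (-c[0], c[1]))   # ties broken by statement order
    return ranked[0] if ranked else None
```

Running `most_probable_path(STATEMENTS, EDGES, SINK_SCORES)` returns the slice from the untrusted `read_len` through the length check into `memcpy` on the 16-byte buffer, which is the explanation a practitioner wants rather than a bare "vulnerable" label.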

Keywords



Articles in Press, Corrected Proof
Available Online from 14 March 2026