Software vulnerabilities continue to be ubiquitous, even in the era of AI-powered code assistants, advanced static analysis tools, and the adoption of extensive testing frameworks. It has become apparent that we must not only prevent these bugs, but also eliminate them in a quick, efficient manner. Yet human code intervention is slow, costly, and can often introduce further security vulnerabilities, especially in legacy codebases. The advent of highly advanced Large Language Models (LLMs) has opened up the possibility of patching many software defects automatically. We propose LLM4CVE — an LLM-based iterative pipeline that robustly fixes vulnerable functions in real-world code with high accuracy. We evaluate our pipeline with state-of-the-art LLMs, such as GPT-3.5, GPT-4o, Llama 3 8B, and Llama 3 70B. We achieve a human-verified quality score of 8.51/10 and an increase in ground-truth code similarity of 20% with Llama 3 70B.
Anonymous repository access has been provided to reviewers during the review process using the following link:
https://anonymous.4open.science/r/LLM4CVE/README.md
We provide the LoRA files for these two models for download using the following link: https://drive.google.com/file/d/1XOPTGhi7AdM0lUqfzXe6YGgHyv8qeclN/view?usp=sharing