Source Code Vulnerability Detection Method Based on Hybrid Retrieval-Augmented Generation Technology
摘要
As software systems continue to grow in scale and complexity, vulnerability detection has become a critical task in ensuring software security. Recently, retrieval-augmented generation (RAG) techniques combined with large language models (LLMs) have demonstrated significant potential in source code vulnerability detection. However, existing RAG-based approaches typically rely on a single retrieval strategy, either sparse retrieval or dense retrieval. While sparse retrieval excels at precise keyword matching, it struggles with capturing deep semantic relationships, whereas dense retrieval, despite its ability to model semantic similarity, may fail to retrieve low-frequency or exact-match keywords. This trade-off limits both the coverage and accuracy of vulnerability information retrieval. To address these challenges, this paper proposes HRvul-RAG, a hybrid retrieval-based vulnerability detection framework that integrates BM25 and bge-m3 dual-modal retrieval. By leveraging the complementary strengths of sparse and dense retrieval, HRvul-RAG enhances the recall and retrieval precision. Furthermore, to refine the retrieval ranking, we incorporate the weighted reciprocal rank fusion (WRRF) algorithm, which dynamically adjusts the ranking weights on the basis of the query relevance, ensuring robustness and effectiveness in retrieval fusion. The optimized retrieval results are then fed into an LLM for vulnerability analysis, thereby improving the accuracy and intelligence of source code vulnerability detection.