As software systems continue to grow in scale and complexity, vulnerability detection has become a critical task in ensuring software security. Recently, retrieval-augmented generation (RAG) techniques combined with large language models (LLMs) have demonstrated significant potential in source code vulnerability detection. However, existing RAG-based approaches typically rely on a single retrieval strategy, either sparse retrieval or dense retrieval. While sparse retrieval excels at precise keyword matching, it struggles with capturing deep semantic relationships, whereas dense retrieval, despite its ability to model semantic similarity, may fail to retrieve low-frequency or exact-match keywords. This trade-off limits both the coverage and accuracy of vulnerability information retrieval. To address these challenges, this paper proposes HRvul-RAG, a hybrid retrieval-based vulnerability detection framework that integrates BM25 and bge-m3 dual-modal retrieval. By leveraging the complementary strengths of sparse and dense retrieval, HRvul-RAG enhances the recall and retrieval precision. Furthermore, to refine the retrieval ranking, we incorporate the weighted reciprocal rank fusion (WRRF) algorithm, which dynamically adjusts the ranking weights on the basis of the query relevance, ensuring robustness and effectiveness in retrieval fusion. The optimized retrieval results are then fed into an LLM for vulnerability analysis, thereby improving the accuracy and intelligence of source code vulnerability detection.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Source Code Vulnerability Detection Method Based on Hybrid Retrieval-Augmented Generation Technology

  • Honggang Xie,
  • Xiangdong Li,
  • Zenghui Shen

摘要

As software systems continue to grow in scale and complexity, vulnerability detection has become a critical task in ensuring software security. Recently, retrieval-augmented generation (RAG) techniques combined with large language models (LLMs) have demonstrated significant potential in source code vulnerability detection. However, existing RAG-based approaches typically rely on a single retrieval strategy, either sparse retrieval or dense retrieval. While sparse retrieval excels at precise keyword matching, it struggles with capturing deep semantic relationships, whereas dense retrieval, despite its ability to model semantic similarity, may fail to retrieve low-frequency or exact-match keywords. This trade-off limits both the coverage and accuracy of vulnerability information retrieval. To address these challenges, this paper proposes HRvul-RAG, a hybrid retrieval-based vulnerability detection framework that integrates BM25 and bge-m3 dual-modal retrieval. By leveraging the complementary strengths of sparse and dense retrieval, HRvul-RAG enhances the recall and retrieval precision. Furthermore, to refine the retrieval ranking, we incorporate the weighted reciprocal rank fusion (WRRF) algorithm, which dynamically adjusts the ranking weights on the basis of the query relevance, ensuring robustness and effectiveness in retrieval fusion. The optimized retrieval results are then fed into an LLM for vulnerability analysis, thereby improving the accuracy and intelligence of source code vulnerability detection.