{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T22:13:02Z","timestamp":1769724782233,"version":"3.49.0"},"reference-count":52,"publisher":"Association for Computing Machinery (ACM)","issue":"ISSTA","funder":[{"DOI":"10.13039\/100017052","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["Grant No. 62372114 and 62332005"],"award-info":[{"award-number":["Grant No. 62372114 and 62332005"]}],"id":[{"id":"10.13039\/100017052","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,22]]},"abstract":"<jats:p>With the rapid development of open-source software, code reuse has become a common practice to accelerate\u00a0development. However, it leads to inheritance from the original vulnerability, which recurs\u00a0at\u00a0the\u00a0reusing\u00a0projects, known as recurring vulnerabilities (RVs). Traditional general-purpose vulnerability\u00a0detection\u00a0approaches\u00a0struggle with scalability and adaptability, while learning-based approaches are often constrained by limited training datasets and are less\u00a0effective\u00a0against unseen vulnerabilities. Though specific recurring vulnerability detection (RVD) approaches have been proposed, their effectiveness across various RV characteristics remains unclear.<\/jats:p>\n          <jats:p>In this paper, we conduct a large-scale empirical study using a newly constructed RV dataset containing 4,569 RVs, achieving a 953% expansion over prior RV datasets. Our study analyzes the characteristics\u00a0of\u00a0RVs, evaluates the effectiveness of the state-of-the-art RVD approaches, and investigates the root causes of false positives and false negatives, yielding key insights. Inspired by these insights, we design AntMan, a novel RVD approach that identifies both explicit and implicit call relations with modified functions, then employs inter-procedural taint analysis and intra-procedural dependency slicing within those functions to generate comprehensive signatures, and finally incorporates a flexible matching to detect RVs. Our evaluation\u00a0has\u00a0shown the effectiveness, generality and practical usefulness in RVD. AntManhas detected 4,593 RVs, with 307\u00a0confirmed by developers, and identified 73 new 0-day vulnerabilities across 15 projects, receiving 5 CVE identifiers.<\/jats:p>","DOI":"10.1145\/3728901","type":"journal-article","created":{"date-parts":[[2025,6,22]],"date-time":"2025-06-22T10:53:21Z","timestamp":1750589601000},"page":"573-595","source":"Crossref","is-referenced-by-count":1,"title":["Recurring Vulnerability Detection: How Far Are We?"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-6101-8270","authenticated-orcid":false,"given":"Yiheng","family":"Cao","sequence":"first","affiliation":[{"name":"Fudan University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-2169-7032","authenticated-orcid":false,"given":"Susheng","family":"Wu","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-8404-4794","authenticated-orcid":false,"given":"Ruisi","family":"Wang","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7238-7492","authenticated-orcid":false,"given":"Bihuan","family":"Chen","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-4722-3658","authenticated-orcid":false,"given":"Yiheng","family":"Huang","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-3377-9807","authenticated-orcid":false,"given":"Chenhao","family":"Lu","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-7819-9656","authenticated-orcid":false,"given":"Zhuotong","family":"Zhou","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3376-2581","authenticated-orcid":false,"given":"Xin","family":"Peng","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}]}],"member":"320","published-online":{"date-parts":[[2025,6,22]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Proceedings of the 46th International Conference on Software Engineering. 1\u201313","author":"Cao Sicong","year":"2024","unstructured":"Sicong Cao, Xiaobing Sun, Xiaoxue Wu, David Lo, Lili Bo, Bin Li, and Wei Liu. 2024. Coca: Improving and Explaining Graph Neural Network-Based Vulnerability Detection Systems. In Proceedings of the 46th International Conference on Software Engineering. 1\u201313."},{"key":"e_1_2_1_2_1","unstructured":"Checkmarx. 2024. Checkmarx. https:\/\/checkmarx.com\/"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243849"},{"key":"e_1_2_1_4_1","volume-title":"Proceedings of the 34th ACM SIGSOFT International Symposium on Software Testing and Analysis.","author":"Chen Qicai","year":"2025","unstructured":"Qicai Chen, Kun Hu, Sichen Gong, Bihuan Chen, kevin kong, Haowen Jiang, Bingkun Sun, You Lu, and Xin Peng. 2025. Structure-Aware, Diagnosis-Guided ECU Firmware Fuzzing. In Proceedings of the 34th ACM SIGSOFT International Symposium on Software Testing and Analysis."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3047756"},{"key":"e_1_2_1_6_1","volume-title":"Proceedings of the 22 USENIX Security Symposium. 463\u2013478","author":"Davidson Drew","year":"2013","unstructured":"Drew Davidson, Benjamin Moench, Thomas Ristenpart, and Somesh Jha. 2013. $FIE$ on firmware: Finding vulnerabilities in embedded systems using symbolic execution. In Proceedings of the 22 USENIX Security Symposium. 463\u2013478."},{"key":"e_1_2_1_7_1","volume-title":"Proceedings of the 41st International Conference on Software Engineering. 60\u201371","author":"Du Xiaoning","year":"2019","unstructured":"Xiaoning Du, Bihuan Chen, Yuekang Li, Jianmin Guo, Yaqin Zhou, Yang Liu, and Yu Jiang. 2019. Leopard: Identifying vulnerable code for vulnerability assessment through program metrics. In Proceedings of the 41st International Conference on Software Engineering. 60\u201371."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2007.90"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134048"},{"key":"e_1_2_1_10_1","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Feng Siyue","year":"2024","unstructured":"Siyue Feng, Yueming Wu, Wenjie Xue, Sikui Pan, Deqing Zou, Yang Liu, and Hai Jin. 2024. $FIRE$: Combining $Multi-Stage$ Filtering with Taint Analysis for Scalable Recurring Vulnerability Detection. In 33rd USENIX Security Symposium (USENIX Security 24). 1867\u20131884."},{"key":"e_1_2_1_11_1","unstructured":"GitHub. 2024. CodeQL. https:\/\/codeql.github.com\/"},{"key":"e_1_2_1_12_1","unstructured":"gpac. 2024. CVE-2022-46489. https:\/\/github.com\/gpac\/gpac\/commit\/44e8616ec6d0c37498cdacb81375b09249fa9daa"},{"key":"e_1_2_1_13_1","volume-title":"Unixcoder: Unified cross-modal pre-training for code representation. arXiv preprint arXiv:2203.03850.","author":"Guo Daya","year":"2022","unstructured":"Daya Guo, Shuai Lu, Nan Duan, Yanlin Wang, Ming Zhou, and Jian Yin. 2022. Unixcoder: Unified cross-modal pre-training for code representation. arXiv preprint arXiv:2203.03850."},{"key":"e_1_2_1_14_1","volume-title":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 3958\u20133972","author":"Huang Kaifeng","year":"2024","unstructured":"Kaifeng Huang, Chenhao Lu, Yiheng Cao, Bihuan Chen, and Xin Peng. 2024. VMUD: Detecting Recurring Vulnerabilities with Multiple Fixing Functions via Function Selection and Semantic Equivalent Statement Matching. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 3958\u20133972."},{"key":"e_1_2_1_15_1","volume-title":"2012 IEEE Symposium on Security and Privacy. 48\u201362","author":"Jang Jiyong","year":"2012","unstructured":"Jiyong Jang, Abeer Agrawal, and David Brumley. 2012. ReDeBug: finding unpatched code clones in entire os distributions. In 2012 IEEE Symposium on Security and Privacy. 48\u201362."},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the Symposium on Security and Privacy. 258\u2013263","author":"Jovanovic Nenad","year":"2006","unstructured":"Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. 2006. Pixy: A static analysis tool for detecting web application vulnerabilities. In Proceedings of the Symposium on Security and Privacy. 258\u2013263."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560664"},{"key":"e_1_2_1_18_1","volume-title":"Proceedings of the Symposium on Security and Privacy. 595\u2013614","author":"Kim Seulbae","year":"2017","unstructured":"Seulbae Kim, Seunghoon Woo, Heejo Lee, and Hakjoo Oh. 2017. Vuddy: A scalable approach for vulnerable code clone discovery. In Proceedings of the Symposium on Security and Privacy. 595\u2013614."},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering. 272\u2013283","author":"Li Guanhua","year":"2020","unstructured":"Guanhua Li, Yijian Wu, Chanchal K Roy, Jun Sun, Xin Peng, Nanjie Zhan, Bin Hu, and Jingyi Ma. 2020. SAGA: efficient and large-scale detection of near-miss clones with GPU acceleration. In Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering. 272\u2013283."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106295"},{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering. 1\u201312","author":"Li Zhen","year":"2024","unstructured":"Zhen Li, Ning Wang, Deqing Zou, Yating Li, Ruqian Zhang, Shouhuai Xu, Chao Zhang, and Hai Jin. 2024. On the Effectiveness of Function-Level Vulnerability Detectors for Inter-Procedural Vulnerabilities. In Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering. 1\u201312."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3051525"},{"key":"e_1_2_1_23_1","volume-title":"Vuldeepecker: A deep learning-based system for vulnerability detection. arXiv preprint arXiv:1801.01681.","author":"Li Zhen","year":"2018","unstructured":"Zhen Li, Deqing Zou, Shouhuai Xu, Xinyu Ou, Hai Jin, Sujuan Wang, Zhijun Deng, and Yuyi Zhong. 2018. Vuldeepecker: A deep learning-based system for vulnerability detection. arXiv preprint arXiv:1801.01681."},{"key":"e_1_2_1_24_1","volume-title":"2015 IEEE symposium on security and privacy. 692\u2013708","author":"Nappa Antonio","year":"2015","unstructured":"Antonio Nappa, Richard Johnson, Leyla Bilge, Juan Caballero, and Tudor Dumitras. 2015. The attack of the clones: A study of the impact of shared code on vulnerability patching. In 2015 IEEE symposium on security and privacy. 692\u2013708."},{"key":"e_1_2_1_25_1","unstructured":"NVD. 2024. CVE-2022-46489. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-46489"},{"key":"e_1_2_1_26_1","unstructured":"NVD. 2024. NVD Data Feeds. https:\/\/nvd.nist.gov\/vuln\/data-feeds"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970281"},{"key":"e_1_2_1_28_1","unstructured":"Openstd. 2024. Open Std. https:\/\/www.open-std.org\/jtc1\/sc22\/wg14\/www\/docs\/n1548.pdf"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2018.00120"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.799955"},{"key":"e_1_2_1_31_1","unstructured":"ShiftLeftSecurity. 2024. Joern. https:\/\/github.com\/ShiftLeftSecurity\/joern"},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the 46th International Conference on Software Engineering. 1\u201313","author":"Steenhoek Benjamin","year":"2024","unstructured":"Benjamin Steenhoek, Hongyang Gao, and Wei Le. 2024. Dataflow analysis-inspired deep learning for efficient vulnerability detection. In Proceedings of the 46th International Conference on Software Engineering. 1\u201313."},{"key":"e_1_2_1_33_1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security. 1\u201316","author":"Stephens Nick","year":"2016","unstructured":"Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution. In Proceedings of the Symposium on Network and Distributed System Security. 1\u201316."},{"key":"e_1_2_1_34_1","unstructured":"2024. https:\/\/antman-opensource.github.io\/"},{"key":"e_1_2_1_35_1","volume-title":"Tree-sitter: An incremental parsing system for programming tools. https:\/\/tree-sitter.github.io\/tree-sitter\/","year":"2023","unstructured":"tree sitter. 2023. Tree-sitter: An incremental parsing system for programming tools. https:\/\/tree-sitter.github.io\/tree-sitter\/"},{"key":"e_1_2_1_36_1","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion). 218\u2013220","author":"Tu Haoxin","year":"2023","unstructured":"Haoxin Tu. 2023. Boosting symbolic execution for heap-based vulnerability detection and exploit generation. In 2023 IEEE\/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion). 218\u2013220."},{"key":"e_1_2_1_37_1","volume-title":"Proceedings of the Symposium on Security and Privacy. 33\u201347","author":"Vanegue Julien","year":"2013","unstructured":"Julien Vanegue and Shuvendu K Lahiri. 2013. Towards practical reactive security audit using extended static checkers. In Proceedings of the Symposium on Security and Privacy. 33\u201347."},{"key":"e_1_2_1_38_1","volume-title":"Proceedings of the 2017 IEEE Symposium on Security and Privacy. 579\u2013594","author":"Wang Junjie","year":"2017","unstructured":"Junjie Wang, Bihuan Chen, Lei Wei, and Yang Liu. 2017. Skyfire: Data-driven seed generation for fuzzing. In Proceedings of the 2017 IEEE Symposium on Security and Privacy. 579\u2013594."},{"key":"e_1_2_1_39_1","volume-title":"Proceedings of the 2019 IEEE\/ACM 41st International Conference on Software Engineering. 724\u2013735","author":"Wang Junjie","year":"2019","unstructured":"Junjie Wang, Bihuan Chen, Lei Wei, and Yang Liu. 2019. Superion: Grammar-aware greybox fuzzing. In Proceedings of the 2019 IEEE\/ACM 41st International Conference on Software Engineering. 724\u2013735."},{"key":"e_1_2_1_40_1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security. 1\u201314","author":"Wang Tielei","year":"2009","unstructured":"Tielei Wang, Tao Wei, Zhiqiang Lin, and Wei Zou. 2009. IntScope: Automatically detecting integer overflow vulnerability in X86 binary using symbolic execution. In Proceedings of the Symposium on Network and Distributed System Security. 1\u201314."},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00039"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623213"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00144"},{"key":"e_1_2_1_44_1","volume-title":"Proceedings of the 32nd USENIX Security Symposium. 6541\u20136556","author":"Woo Seunghoon","year":"2023","unstructured":"Seunghoon Woo, Eunjin Choi, Heejo Lee, and Hakjoo Oh. 2023. V1SCAN: Discovering 1-day Vulnerabilities in Reused C\/C++ Open-source Software Components Using Code Classification Techniques. In Proceedings of the 32nd USENIX Security Symposium. 6541\u20136556."},{"key":"e_1_2_1_45_1","volume-title":"Proceedings of the 31st USENIX Security Symposium. 3037\u20133053","author":"Woo Seunghoon","year":"2022","unstructured":"Seunghoon Woo, Hyunji Hong, Eunjin Choi, and Heejo Lee. 2022. MOVERY: A Precise Approach for Modified Vulnerable Code Clone Discovery from Modified Open-Source Software Components. In Proceedings of the 31st USENIX Security Symposium. 3037\u20133053."},{"key":"e_1_2_1_46_1","volume-title":"Proceedings of the 46th International Conference on Software Engineering. 1\u201312","author":"Wu Susheng","year":"2024","unstructured":"Susheng Wu, Wenyan Song, Kaifeng Huang, Bihuan Chen, and Xin Peng. 2024. Identifying Affected Libraries and Their Ecosystems for Open Source Software Vulnerabilities. In Proceedings of the 46th International Conference on Software Engineering. 1\u201312."},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the ACM on Software Engineering, 2, FSE","author":"Wu Susheng","year":"2025","unstructured":"Susheng Wu, Ruisi Wang, Yiheng Cao, Bihuan Chen, Zhuotong Zhou, Yiheng Huang, Zhao Junpeng, and Xin Peng. 2025. Mystique: Automated Vulnerability Patch Porting with Semantic and Syntactic-Enhanced LLM. Proceedings of the ACM on Software Engineering, 2, FSE (2025)."},{"key":"e_1_2_1_48_1","volume-title":"Proceedings of the 39th IEEE\/ACM International Conference on Automated Software Engineering. 1447\u20131459","author":"Wu Susheng","year":"2024","unstructured":"Susheng Wu, Ruisi Wang, Kaifeng Huang, Yiheng Cao, Wenyan Song, Zhuotong Zhou, Yiheng Huang, Bihuan Chen, and Xin Peng. 2024. Vision: Identifying affected library versions for open source software vulnerabilities. In Proceedings of the 39th IEEE\/ACM International Conference on Automated Software Engineering. 1447\u20131459."},{"key":"e_1_2_1_49_1","volume-title":"Proceedings of the 29th USENIX Security Symposium. 1165\u20131182","author":"Xiao Yang","year":"2020","unstructured":"Yang Xiao, Bihuan Chen, Chendong Yu, Zhengzi Xu, Zimu Yuan, Feng Li, Binghong Liu, Yang Liu, Wei Huo, and Wei Zou. 2020. MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures. In Proceedings of the 29th USENIX Security Symposium. 1165\u20131182."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516665"},{"key":"e_1_2_1_51_1","volume-title":"Proceedings of the 33rd Conference on Neural Information Processing Systems.","author":"Zhou Yaqin","year":"2019","unstructured":"Yaqin Zhou, Shangqing Liu, Jingkai Siow, Xiaoning Du, and Yang Liu. 2019. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In Proceedings of the 33rd Conference on Neural Information Processing Systems."},{"key":"e_1_2_1_52_1","volume-title":"Proceedings of the 39th IEEE\/ACM International Conference on Automated Software Engineering. 1633\u20131644","author":"Zhou Zhuotong","year":"2024","unstructured":"Zhuotong Zhou, Yongzhuo Yang, Susheng Wu, Yiheng Huang, Bihuan Chen, and Xin Peng. 2024. Magneto: A Step-Wise Approach to Exploit Vulnerabilities in Dependent Libraries via LLM-Empowered Directed Fuzzing. In Proceedings of the 39th IEEE\/ACM International Conference on Automated Software Engineering. 1633\u20131644."}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3728901","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T16:45:40Z","timestamp":1752684340000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3728901"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,22]]},"references-count":52,"journal-issue":{"issue":"ISSTA","published-print":{"date-parts":[[2025,6,22]]}},"alternative-id":["10.1145\/3728901"],"URL":"https:\/\/doi.org\/10.1145\/3728901","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,22]]}}}