A novel vulnerability severity assessment method for source code based on a graph neural network

Jingwei Hao*, Senlin Luo, Limin Pan

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

12 Citations (Scopus)

Abstract

Context: Vulnerability severity assessment is an important part of vulnerability management that helps security personnel prioritise vulnerability repair work. Objective: To address the low evaluation efficiency and poor timeliness of existing methods, a vulnerability severity evaluation method combining a function call graph and a vulnerability attribute graph is proposed. Method: The method constructs a function call graph centred on the vulnerable function and uses the call relationships between the vulnerable function and sensitive API functions to reflect the severity of the damage the vulnerable function can cause. A graph attention network is used to mine the key vulnerability characteristics in the function call graph and the vulnerability attribute graph, and the severity is assessed from those characteristics. Results: The ablation experiments showed that combining the vulnerability attribute graph with the function call graph gave higher evaluation accuracy than the vulnerability attribute graph or the function call graph alone, by 6.85% and 32.90%, respectively. Compared with other existing methods, the proposed method achieved a better evaluation effect, with evaluation accuracy increased by 10%. Conclusion: The vulnerability severity assessment method incorporating function call graphs and vulnerability property graphs improves the representation of vulnerability severity and increases the efficiency of severity evaluation by removing the need for manual analysis.
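The structural feature the Method section describes, a call graph centred on the vulnerable function and its call relationships to sensitive API functions, can be made concrete without the neural network. The following is an added Python illustration, not the authors' code: it parses a constructed sample program, builds a function call graph, extracts the k-hop neighbourhood around a chosen vulnerable function, and measures the shortest call path from that function to each sensitive API. The sample program, the sink list (`SENSITIVE_APIS`), the hop radius and the two-value feature summary are assumptions for the illustration; the paper's actual sink set, graph construction and GAT model are not reproduced here.

```python
"""Call graph centred on a vulnerable function, with reachability to sensitive
API calls. Added illustration only; not the paper's implementation."""
import ast
from collections import deque

# Constructed sample program (hypothetical). `parse_header` plays the role of the
# vulnerable function: it reaches os.system via run_cmd and exec/open via load_plugin.
SAMPLE_SOURCE = '''
import os, subprocess

def sanitize(s):
    return s.replace(";", "")

def run_cmd(cmd):
    os.system(cmd)

def load_plugin(name):
    code = open(name).read()
    exec(code)

def parse_header(raw):
    hdr = raw.split(":")[1]
    run_cmd("echo " + hdr)
    load_plugin(hdr)
    return sanitize(hdr)

def main():
    parse_header("X: a")

def unrelated():
    subprocess.call(["ls"])
'''

# Assumed sink list: the abstract does not enumerate the paper's sensitive APIs.
SENSITIVE_APIS = {"os.system", "subprocess.call", "exec", "eval", "open"}


def _callee_name(node):
    """Return 'os.system' for os.system(...), 'exec' for exec(...), else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    parts = []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if parts and isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return None


def build_call_graph(source):
    """Directed graph: function name -> set of callees that are either functions
    defined in the module or names in SENSITIVE_APIS (other calls are dropped)."""
    tree = ast.parse(source)
    funcs = [n for n in tree.body if isinstance(n, ast.FunctionDef)]
    defined = {f.name for f in funcs}
    graph = {}
    for fn in funcs:
        callees = set()
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                name = _callee_name(node)
                if name in defined or name in SENSITIVE_APIS:
                    callees.add(name)
        graph[fn.name] = callees
    return graph


def centred_subgraph(graph, centre, hops):
    """Nodes within `hops` edges of `centre`, following edges in either direction
    (callers and callees), i.e. the call graph centred on the vulnerable function."""
    undirected = {}
    for u, vs in graph.items():
        for v in vs:
            undirected.setdefault(u, set()).add(v)
            undirected.setdefault(v, set()).add(u)
    seen, frontier = {centre}, {centre}
    for _ in range(hops):
        frontier = {w for u in frontier for w in undirected.get(u, ()) if w not in seen}
        seen |= frontier
    return seen


def sensitive_reach(graph, centre):
    """Shortest call-path length from `centre` to each sensitive API
    (None when the API is not reachable from the vulnerable function)."""
    dist, queue = {centre: 0}, deque([centre])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return {api: dist.get(api) for api in sorted(SENSITIVE_APIS)}


def severity_features(graph, centre):
    """Assumed two-value summary: how many sinks are reachable and how close the
    nearest one is. A GAT in the paper learns from the graph instead of this."""
    hits = [d for d in sensitive_reach(graph, centre).values() if d is not None]
    return {"reachable_sinks": len(hits), "min_sink_distance": min(hits) if hits else None}


if __name__ == "__main__":
    g = build_call_graph(SAMPLE_SOURCE)
    print(sorted(centred_subgraph(g, "parse_header", 2)))
    print(sensitive_reach(g, "parse_header"))
    print(severity_features(g, "parse_header"))
```

On the constructed input, `parse_header` reaches three of the five assumed sinks in two calls, while `sanitize` reaches none; those two rows are the kind of structural signal the abstract says the call graph contributes on top of the vulnerability attribute graph.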

Original language: English
Article number: 107247
Journal: Information and Software Technology
Volume: 161
DOIs
Publication status: Published - Sept 2023

Keywords

  • Function call graph
  • Source code
  • Vulnerability property graph
  • Vulnerability severity assessment
