This repository contains the artifact for our paper "PatchPorter: LLM-Driven Security Patch Porting via Version Tracing and Context Selection for NPM".
PatchPorter is an automated tool for backporting security patches across different versions of JavaScript/NPM packages. It leverages Large Language Models (LLMs) with intelligent version tracing and context selection to generate accurate security patches for vulnerable package versions.
- Python 3.8+
- Node.js 16+ and npm
- Git
- Clone the repository:
git clone https://github.com/PatchPorter/PatchPorter.git
cd PatchPorter- Install Python dependencies:
pip install -r requirements.txt- Set up API keys (optional, for LLM inference):
export DEEPSEEK_API_KEY="your-deepseek-api-key"
export OPENAI_API_KEY="your-openai-api-key" # For GPT-4 or other OpenAI models# Run on all projects in the dataset
python core/run.py --all
# Run on a single project
python core/run.py --project dataset/redos/axios_0.21.0
# Run specific stages
python core/run.py --project dataset/redos/axios_0.21.0 --stages localize generate
# Use a specific model
python core/run.py --all --model gpt4oFor detailed usage instructions, see core/README.md.
The evaluation dataset contains 112 vulnerable NPM packages across 5 vulnerability categories. Each project directory includes:
- Vulnerability metadata and CVE information
- Original security patches
- Multiple vulnerable versions for backporting evaluation
Dataset setup requires cloning from SecBench.js. See core/README.md for setup instructions.
The motivation1-study/ directory contains data and analysis code for our preliminary study comparing code similarity patterns between NPM and C ecosystems. See motivation1-study/README.md for details.
The discussion/ directory contains the case-study materials and the
standalone reproduction pipeline used for the multi-branch and data-leakage
discussion.
Included artifact files:
300-multibranch-case.json: selected multi-branch patch-porting cases.20-dataleakage-case.json: selected data-leakage/security-fix cases for qualitative inspection, including successful and unsuccessful examples.
Each artifact entry contains the CVE ID, repository, fix commit, target commit, source-only oracle patch, generated patch, and semantic similarity judgment.
See discussion/README.md for input format, commands, and implementation details.
PatchPorter/
├── README.md # This file
├── requirements.txt # Python dependencies
├── core/ # Main implementation
│ ├── run.py # CLI entry point
│ ├── pipeline.py # Pipeline orchestration
│ ├── project.py # Project abstraction
│ ├── config.py # Configuration management
│ ├── managers/ # Core functionality modules
│ │ ├── localizer.py # Version tracing & fault localization
│ │ ├── prompt.py # Context selection & prompt generation
│ │ ├── llm.py # LLM inference handler
│ │ ├── test.py # Patch validation
│ │ └── ... # Other managers
│ ├── utils/ # Utility functions
│ └── data/ # Configuration files
├── dataset/ # Evaluation dataset (113 vulnerable packages)
│ ├── code-injection/ # Code injection vulnerabilities
│ ├── command-injection/ # Command injection vulnerabilities
│ ├── path-traversal/ # Path traversal vulnerabilities
│ ├── prototype-pollution/ # Prototype pollution vulnerabilities
│ └── redos/ # ReDoS vulnerabilities
├── discussion/ # Discussion cases and reproduction pipeline
│ ├── 300-multibranch-case.json
│ ├── 20-dataleakage-case.json
│ ├── README.md
│ └── *.py # Standalone artifact reproduction pipeline
└── motivation1-study/ # Preliminary study data & analysis
├── NPM-CVE.csv # NPM vulnerability dataset
├── C-CVE.json # C vulnerability dataset (for comparison)
├── plot_js_vs_c_cdf.py # Similarity analysis visualization
└── similarity_results/ # Pre-computed similarity metrics