[2602.12500] Favia: Forensic Agent for Vulnerability-fix Identification and Analysis
Summary
The paper presents Favia, a forensic agent designed to identify and analyze vulnerability-fixing commits in software repositories, improving precision-recall trade-offs in security maintenance.
Why It Matters
As software systems grow increasingly complex, identifying security vulnerabilities efficiently is crucial for maintaining software integrity. Favia addresses the limitations of existing methods by combining scalable ranking with deep semantic reasoning, offering a more effective solution for developers and security professionals.
Key Takeaways
- Favia improves the identification of vulnerability-fixing commits in large codebases.
- The framework combines efficient candidate ranking with advanced semantic reasoning.
- Favia outperforms traditional and LLM-based methods in precision-recall metrics.
- The evaluation is based on a large-scale dataset of over 8 million commits.
- The approach addresses challenges in pinpointing indirect and complex fixes.
Computer Science > Software Engineering
arXiv:2602.12500 (cs) [Submitted on 13 Feb 2026]
Title: Favia: Forensic Agent for Vulnerability-fix Identification and Analysis
Authors: André Storhaug, Jiamou Sun, Jingyue Li
Abstract: Identifying vulnerability-fixing commits corresponding to disclosed CVEs is essential for secure software maintenance but remains challenging at scale, as large repositories contain millions of commits of which only a small fraction address security issues. Existing automated approaches, including traditional machine learning techniques and recent large language model (LLM)-based methods, often suffer from poor precision-recall trade-offs. Because they are frequently evaluated on randomly sampled commits, we uncover that they substantially underestimate real-world difficulty, where candidate commits are already security-relevant and highly similar. We propose Favia, a forensic, agent-based framework for vulnerability-fix identification that combines scalable candidate ranking with deep and iterative semantic reasoning. Favia first employs an efficient ranking stage to narrow the search space of commits. Each commit is then rigorously evaluated using a ReAct-based LLM agent. By providing the agent with a pre-commit repository as its environment, along with specialized tools, the agent tries to localize vulnerable compon...
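The abstract's point that evaluating on randomly sampled commits hides the real difficulty can be shown with a toy: the same naive keyword scorer reaches perfect precision against unrelated commits and collapses against security-relevant, highly similar candidates. This is an added example, not code from the paper; the commit messages, ids and the CVE placeholder are all constructed.

```python
"""Constructed illustration of the random-vs-hard-negative evaluation gap.
A naive security-keyword scorer stands in for a weak fix-identification
model; commits and ids below are made up, not from any real repository."""
import re
from dataclasses import dataclass


@dataclass
class Commit:
    sha: str        # constructed placeholder id
    message: str
    is_fix: bool    # ground truth: this commit fixes the CVE under study


SECURITY_TERMS = {"overflow", "bounds", "vulnerability", "sanitize",
                  "injection", "use-after-free", "leak", "security", "check"}


def score(commit: Commit) -> int:
    """Naive ranker: count distinct security terms in the commit message."""
    words = set(re.findall(r"[a-z0-9-]+", commit.message.lower()))
    return len(words & SECURITY_TERMS)


def precision_recall(commits, threshold=1):
    """Flag every commit scoring >= threshold and measure against ground truth."""
    flagged = [c for c in commits if score(c) >= threshold]
    tp = sum(c.is_fix for c in flagged)
    total_fix = sum(c.is_fix for c in commits)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / total_fix if total_fix else 0.0
    return round(precision, 3), round(recall, 3)


TRUE_FIX = Commit("fix01", "Add bounds check to packet parser to fix heap "
                  "overflow (CVE-XXXX-YYYY placeholder)", True)
RANDOM_NEGATIVES = [  # what a randomly sampled evaluation set looks like
    Commit("rnd01", "Update README badges", False),
    Commit("rnd02", "Refactor build scripts", False),
    Commit("rnd03", "Bump version to 2.1.0", False),
    Commit("rnd04", "Fix typo in changelog", False),
]
HARD_NEGATIVES = [  # security-relevant commits fixing *other* issues
    Commit("hard01", "Sanitize path input to prevent injection", False),
    Commit("hard02", "Fix memory leak in TLS handshake error path", False),
    Commit("hard03", "Add overflow check to length field in header decoder", False),
    Commit("hard04", "Security: reject malformed records before bounds check", False),
]


def easy_eval():
    return precision_recall([TRUE_FIX] + RANDOM_NEGATIVES)  # (1.0, 1.0)


def hard_eval():
    return precision_recall([TRUE_FIX] + HARD_NEGATIVES)    # (0.2, 1.0)
```

Recall is identical in both settings; only the hard-negative set exposes that the scorer cannot separate the true fix from its security-relevant neighbours, which is the gap a ranking stage followed by deeper per-commit reasoning is meant to close.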