Residual Risk Analysis in Benign Code: How Far Are We? A Multi-Model Semantic and Structural Similarity Approach
Benign code often hides dangerous vulnerabilities even after patching, study shows.
A new study from researchers Mohammad Farhad and Shuvalaxmi Dass, published on arXiv (2604.21051), tackles an overlooked problem in software security: residual risk in supposedly patched code. Using the PrimeVul benchmark dataset, they propose Residual Risk Scoring (RRS), a unified framework that combines embedding-based semantic similarity from multiple code language models (Code LMs) with Tree-sitter-based abstract syntax tree (AST) analysis for structural similarity. Their analysis reveals that benign functions often remain highly similar to their vulnerable counterparts, indicating that patches may not fully eliminate risk.
Specifically, 61% of high-RRS code pairs exhibited 13 distinct categories of residual issues, including null pointer dereferences and unsafe memory allocation, as validated by state-of-the-art static analysis tools like Cppcheck, Clang-Tidy, and Facebook-Infer. The authors argue that code-level similarity provides a practical signal for prioritizing post-patch inspection, enabling more reliable and scalable security assessment in real-world open-source software pipelines. This work highlights the gap between vulnerability detection and true risk elimination.
- 61% of high-RRS code pairs have 13 residual issue types, including null pointer dereferences and unsafe memory allocation.
- RRS uses Code LMs for semantic similarity and Tree-sitter AST for structural similarity to score residual risk.
- Validated with Cppcheck, Clang-Tidy, and Facebook-Infer static analysis tools on PrimeVul dataset.
Why It Matters
Patching code isn't enough—this framework helps teams prioritize inspection for hidden vulnerabilities in production systems.