Automated Test-free Repair

Most program repair techniques rely on test cases as a key ingredient for driving patch generation and validation. Test cases have been successfully leveraged to automate the repair of many bug classes, but relying on them has hindered progress on repairing vulnerabilities. Their scarcity, exacerbated by the fact that, for vulnerabilities, test cases are also exploits, forms a “sound” barrier that we propose to break in our work. Instead of tests, we suggest leveraging other signals, such as those found in the vulnerability detection and fix suggestion output of static analysis security testing (SAST), to learn to repair vulnerable code.
Nikhil Parasaram
10/30/2023
00:15:25