School of Computing: Dissertations, Theses, and Student Research

First Advisor

Rahul Purandare

Date of this Version

12-2025

Document Type

Thesis

Citation

A thesis presented to the faculty of the Graduate College at the University of Nebraska in partial fulfillment of requirements for the degree of Master of Science

Major: Computer Science

Under the supervision of Professor Rahul Purandare

Lincoln, Nebraska, December 2025

Comments

Copyright 2025, Mohammad Jalili Torkamani. Used by permission.

Abstract

Identifying the underlying weakness types and assessing their severity using CWE and CVSS standards are critical steps in software vulnerability management. While timely assessment of vulnerabilities mitigates the impact of severe security incidents, automating joint CWE identification and severity assessment remains challenging due to the heterogeneity of vulnerabilities across different code granularities and programming languages. In addition, generating vulnerability descriptions is often time-consuming, as it requires extensive manual review, validation, and writing by security experts.

In this thesis, we leverage the capabilities of Large Language Models (LLMs) to automate the identification of CWE identifiers and the assessment of their severity using vulnerability descriptions and the corresponding vulnerable code at varying levels of granularity. We further extend our approach to automate the generation of vulnerability descriptions by incorporating the vulnerable code along with the identified vulnerability types. Our evaluations employ quantitative and qualitative metrics, robustness checks against potential noise, and manual analysis of the generated artifacts. Our results indicate that fine-tuning LLMs yields consistent improvements across all granularity levels, achieving over a threefold increase in CWE identification, a 17.68% improvement in severity assessment, and a 21.03% improvement in joint prediction over the baseline, while also improving the automatic generation of descriptions so that they more closely mirror NVD entries. These findings highlight the potential of LLM-based approaches to joint CWE identification and vulnerability assessment across different code granularities, thereby enhancing automated software vulnerability management.

Advisor: Rahul Purandare
