First, we select related papers from top-tier software engineering and security venues between May 2020 and May 2025, using keywords such as “vulnerable version”, “version range”, “SZZ”, and “recurring vulnerability.”

The venues include:

• Security: S&P, Usenix Security, CCS, NDSS, TIFS, TDSC

• Software Engineering: ASE, ICSE, ISSTA, TSE, FSE, TOSEM

This yielded 22 papers. 

Second, we apply backward and forward snowballing to identify other relevant papers that are missed, and another 19 papers are included, resulting in 41 relevant papers in total for tool selection.

As most of these techniques target C/C++ projects, which is the most concerned ecosystem in vulnerability research, we excluded tools specific to other environments (e.g. VerJava, Neural-SZZ).

After that, we further filter out papers that:

1. not proposing new tools

2. proposing new tools but tools not being available

3. requiring additional information (e.g. Jira issues) or compilation that are infeasible for automated identification of vulnerable versions for general vulnerabilities.

As a result, 12 tools in total were chosen by us. 

All 41 relevant papers we found are listed in the table below, with the tools we evaluated highlighted in yellow. 

The scenario in our paper is identifying vulnerability-affected versions using known patches. The vulnerability detection methods typically detect numerous vulnerabilities without targeting a specific one. This would significantly increase the effort required for post-detection vulnerability confirmation, rendering them unsuitable for our task of vulnerability-affected version identification.

But recurring vulnerability detection (RVD) is distinct from general vulnerability detection in its exclusive focus on identifying specific, known vulnerabilities. When an RVD tool identifies a vulnerability, it can directly be considered a vulnerability-affected version. This strong alignment led us to collect and evaluate available RVD tools. Notably, VerJava has also applied recurring vulnerability detection to the vulnerability-affected version identification task. To the best of our knowledge, our work is the first to focus on the challenges recurring vulnerability detection tools face in the domain of identifying vulnerability-affected versions.

So finally, we chose 6 matching-based tools and 6 tracing-based tools, covering diverse methodologies including heuristics, semantic reasoning, and LLM-powered analysis.