Fraunhofer-Gesellschaft
2025
Conference Paper
Title

Can we use LLMs to recover Trace Links between Source Code and Security Requirements?

Abstract
In software development, many different artifacts are created during the process. At the beginning, requirements for the respective software are defined and then written down in a specification. This is followed by other artifacts, such as source code, test cases, or various UML diagrams. Different standards, including ISO 26262 for the automotive industry, require that safety and security requirements be explicitly traced for these different artifacts. However, tracing of requirements in source code is very time-consuming, error-prone, and costly. To reduce the effort involved, various approaches have been developed that use different techniques, such as information retrieval or machine learning, to automate this process. However, these approaches also have problems, so that practical use, especially in safety and security domains, is limited. In this paper, we have therefore developed a plugin for VSCode and a new approach based on LLMs to recover trace links between safety and security requirements and source code. Our results show that the used LLMs are capable of performing this task because they have both code and textual understanding. In various combinations, Llama showed satisfying results in terms of precision (0.8).
Author(s)
Paßlack, Jan Marc
Gottfried Wilhelm Leibniz Universität Hannover
Specht, Alexander
Gottfried Wilhelm Leibniz Universität Hannover
Herrmann, Marc
Gottfried Wilhelm Leibniz Universität Hannover
Elsofi, Duaa Adel Ali
Universität Koblenz
Ehl, Marco
Universität Koblenz
Großer, Katharina
Universität Koblenz
Jürjens, Jan  
Fraunhofer-Institut für Software- und Systemtechnik ISST  
Schneider, Kurt
Gottfried Wilhelm Leibniz Universität Hannover
Mainwork
IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025. Proceedings  
Conference
International Requirements Engineering Conference Workshops 2025  
International Workshop on Evolving Security and Privacy Requirements Engineering 2025  
DOI
10.1109/REW66121.2025.00035
Language
English
Fraunhofer-Institut für Software- und Systemtechnik ISST  
Keyword(s)
  • Large Language Models
  • Safety Requirements
  • Security Requirements
  • Source Code
  • Tracing
