@Article{cmc.2026.075938,
AUTHOR = {Xiaorong Feng, Ying Gao, Pengyi Du, Leyu Shi},
TITLE = {Research on Prompt Engineering to Enhance LLM-Driven CPG Vulnerability Reachability},
JOURNAL = {Computers, Materials \& Continua},
VOLUME = {},
YEAR = {},
NUMBER = {},
PAGES = {{pages}},
URL = {http://www.techscience.com/cmc/online/detail/26934},
ISSN = {1546-2226},
ABSTRACT = {In recent years, large language models (LLMs) have seen growing application in code understanding and security analysis. However, their performance relies heavily on prompt context quality and engineering design, with unstable vulnerability detection and high false positive rates remaining key bottlenecks to reliable adoption. This paper systematically reviews advances in prompt engineering and context optimization across four core areas and proposes LARA (LLM-Augmented Reachability Analysis), a neural-symbolic framework leveraging code property graphs (CPGs), which uses a static analysis engine to extract source-to-sink data flow paths, integrates systematic prompt engineering to create context-aware prompts, and invokes LLMs for path risk scoring and reasoning. The framework forms a closed-loop process of path identification, risk assessment, and manual verification. Experimental validation on the Log4Shell vulnerability shows LARA accurately identifies core exploit paths and outperforms traditional static signature methods in covering unknown/variant vulnerabilities without explicit dangerous functions, with notable improvements in contextual understanding and detection accuracy. Our study identifies three core research trends: systematic context engineering, task-adaptive prompt strategies, and prompt-analysis closed loops in code security. However, LLMs still face challenges like long-text generation logic breaks, cross-model prompt transfer degradation, and code security false positive control. Future work should focus on long-context understanding/generation co-optimization, code-security-oriented fine-tuning of open-source LLMs, and deep CPG-prompt engineering integration to advance LLMs’ practical use in code security.},
DOI = {10.32604/cmc.2026.075938}
}