{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,17]],"date-time":"2026-02-17T12:10:48Z","timestamp":1771330248937,"version":"3.50.1"},"reference-count":94,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2020,1,1]],"date-time":"2020-01-01T00:00:00Z","timestamp":1577836800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"project METRICS: Monitoring and Measuring the Trustworthiness of Critical Cloud Systems of the Portuguese Foundation for Science and Technology","award":["POCI-01-0145-FEDER-032504"],"award-info":[{"award-number":["POCI-01-0145-FEDER-032504"]}]},{"DOI":"10.13039\/501100008530","name":"project AIDA: Adaptive, Intelligent and Distributed Assurance Platform of the FCT, COMPETE2020, CMU Portugal Program, and the European Regional Development Fund","doi-asserted-by":"publisher","award":["POCI-01-0247-FEDER-045907"],"award-info":[{"award-number":["POCI-01-0247-FEDER-045907"]}],"id":[{"id":"10.13039\/501100008530","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2020]]},"DOI":"10.1109\/access.2020.3041181","type":"journal-article","created":{"date-parts":[[2020,11,27]],"date-time":"2020-11-27T20:23:51Z","timestamp":1606508631000},"page":"219174-219198","source":"Crossref","is-referenced-by-count":41,"title":["Vulnerable Code Detection Using Software Metrics and Machine Learning"],"prefix":"10.1109","volume":"8","author":[{"given":"Nadia","family":"Medeiros","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8376-6711","authenticated-orcid":false,"given":"Naghmeh","family":"Ivaki","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8112-3154","authenticated-orcid":false,"given":"Pedro","family":"Costa","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5103-8541","authenticated-orcid":false,"given":"Marco","family":"Vieira","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref73","doi-asserted-by":"crossref","first-page":"660","DOI":"10.1109\/21.97458","article-title":"A survey of decision tree classifier methodology","volume":"21","author":"landgrebe","year":"1991","journal-title":"IEEE Trans Syst Man Cybern"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1111\/j.0824-7935.2004.t01-1-00228.x"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1145\/1007730.1007735"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1145\/1007730.1007733"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/130385.130401"},{"key":"ref77","doi-asserted-by":"crossref","first-page":"352","DOI":"10.1016\/S1532-0464(03)00034-0","article-title":"Logistic regression and artificial neural network classification models: A methodology review","volume":"35","author":"dreiseitl","year":"2002","journal-title":"J Biomed Informat"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1023\/A:1010933404324"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3318299.3318345"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4302-5990-9_3"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.4018\/jdtis.2011040101"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1016\/j.jclinepi.2009.11.020"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939785"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCSW.2016.27"},{"key":"ref32","doi-asserted-by":"crossref","first-page":"155","DOI":"10.1007\/978-3-319-44257-0_7","article-title":"Intrusion prediction systems","author":"abdlhamed","year":"2017","journal-title":"Information Fusion for Cyber-Security Analytics"},{"key":"ref31","doi-asserted-by":"crossref","first-page":"242","DOI":"10.1007\/978-3-030-31280-0_15","article-title":"Attack tolerance for services-based applications in the cloud","author":"ouffou\u00e9","year":"2019","journal-title":"Proc IFIP Int Conf Test Softw Syst"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1002\/spe.2844"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.23"},{"key":"ref36","first-page":"1","article-title":"&#x2018;Think secure from the beginning&#x2019; A survey with software developers","author":"assal","year":"2019","journal-title":"Proc CHI Conf Hum Factors Comput Syst"},{"key":"ref35","volume":"38","author":"di pietro","year":"2008","journal-title":"Intrusion Detection Systems"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/RISP.1991.130780"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-011-9190-8"},{"key":"ref62","year":"2017","journal-title":"Understand&#x2122; Static Code Analysis Tool"},{"key":"ref61","author":"henrique alves","year":"2016","journal-title":"A dataset of source code metrics and vulnerabilities"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/MIS.2005.105"},{"key":"ref28","author":"graff","year":"2003","journal-title":"Secure Coding Principles and Practices"},{"key":"ref64","first-page":"17","article-title":"Classifying different feature selection algorithms based on the search strategies","author":"feizi-derakhshi","year":"2014","journal-title":"Int Conf Mach Learn Electr Mech Eng"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/52.976940"},{"key":"ref65","first-page":"1","article-title":"Pearson correlation coefficient","author":"benesty","year":"2009","journal-title":"Noise Reduction in Speech Processing"},{"key":"ref66","article-title":"S pearman Correlation Coefficients, Differences between","author":"myers","year":"0","journal-title":"Wiley StatsRef Statistics Reference Online"},{"key":"ref29","author":"campbell","year":"2013","journal-title":"SonarQube in Action"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1016\/j.csda.2019.106839"},{"key":"ref68","first-page":"1205","article-title":"Efficient feature selection via analysis of relevance and redundancy","volume":"5","author":"yu","year":"2004","journal-title":"J Mach Learn Res"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1016\/j.compbiomed.2016.12.002"},{"key":"ref2","first-page":"1","article-title":"A first step towards automated detection of buffer overrun vulnerabilities","author":"wagner","year":"2000","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref1","volume":"1","author":"mcgraw","year":"2006","journal-title":"Software Security Building Security"},{"key":"ref20","article-title":"OWASP ISO IEC 27034 application security controls project","author":"marcil","year":"2014","journal-title":"The Open Web Application Security Project (OWASP)"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2004.1331309"},{"key":"ref21","first-page":"29","author":"poulin","year":"2008","journal-title":"Web Application Security Overview"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.4236\/jis.2013.42011"},{"key":"ref23","year":"2009"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-26250-1_6"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-07452-8_1"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1145\/3092566"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2010.06.003"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1109\/PRDC.2018.00019"},{"key":"ref93","doi-asserted-by":"crossref","first-page":"273","DOI":"10.3390\/info9110273","article-title":"The impact of code smells on software bugs: A systematic literature review","volume":"9","author":"cairo","year":"2018","journal-title":"Information"},{"key":"ref92","first-page":"1","article-title":"Security vulnerabilities of the top ten programming languages: C, Java, C++, Objective-C, C#, PHP, Visual Basic, Python, Perl, and Ruby","volume":"5","author":"turner","year":"2014","journal-title":"Journal of Research on Technology"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.5120\/ijca2015905749"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1109\/32.177364"},{"key":"ref59","first-page":"3","article-title":"Exploring complexity metrics as indicators of software vulnerability","author":"shin","year":"2008","journal-title":"Proc Int Doctoral Symp Empirical Soft Eng"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/LADC.2016.32"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2017.11"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/APSEC.2018.00050"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1155\/2019\/8391425"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2010.81"},{"key":"ref53","article-title":"Predicting vulnerable files by using machine learning method","author":"shen","year":"2018"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/1988630.1988632"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/1566445.1566509"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/1456362.1456372"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/800175.809854"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/EDCC.2016.34"},{"key":"ref13","first-page":"34","article-title":"Durable security in software development: Needs and importance","volume":"10","author":"kumar","year":"2015","journal-title":"CSI Commun"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev.2017.17"},{"key":"ref15","author":"disterer","year":"2013","journal-title":"27001 and 27002 for Information Security Management"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2018.2839339"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-19216-1_37"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-21579-2_9"},{"key":"ref17","author":"chemuturi","year":"2010","journal-title":"Mastering Software Quality Assurance Best Practices Tools and Techniques for Software Developers"},{"key":"ref84","first-page":"19","article-title":"Resampling methods: concepts, applications, and justification","volume":"8","author":"yu","year":"2002","journal-title":"Practical Assessment Res Eval"},{"key":"ref18","year":"0"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2015.30"},{"key":"ref19","article-title":"Owasp secure coding practices-quick reference guide","author":"turpin","year":"2010"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/LGRS.2018.2803259"},{"key":"ref89","author":"wickham","year":"2019","journal-title":"dplyr A Grammar of Data Manipulation"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/EDCC.2017.29"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.2"},{"key":"ref6","article-title":"Privacy by design&#x2014;The 7 foundational principles&#x2013;implementation and mapping of fair information practices","author":"cavoukian","year":"2009"},{"key":"ref5","author":"galin","year":"2004","journal-title":"Software Quality Assurance From Theory to Implementation"},{"key":"ref85","author":"team","year":"2017","journal-title":"The R Project for Statistical Computing"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.111"},{"key":"ref86","article-title":"Package &#x2018;caret","author":"kuhn","year":"2020","journal-title":"R Journal"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/971617.971637"},{"key":"ref49","first-page":"570","article-title":"Software vulnerabilities detection based on security metrics at the design and code levels: empirical findings","volume":"6","author":"alenezi","year":"2018","journal-title":"Engineering and Technology Journal"},{"key":"ref87","author":"liaw","year":"2018","journal-title":"The r random forest package"},{"key":"ref88","author":"meyer","year":"2019","journal-title":"e1071 Misc Functions of the Department of Statistics Probability Theory Group (Formerly E1071) TU Wien"},{"key":"ref9","doi-asserted-by":"crossref","first-page":"773","DOI":"10.14419\/ijet.v7i3.12.16499","article-title":"Analysis of vulnerability detection tool for Web services","volume":"7","author":"senthamil","year":"2018","journal-title":"Int J Eng Technol"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2018.00120"},{"key":"ref45","article-title":"SySeVR: A framework for using deep learning to detect software vulnerabilities","author":"li","year":"2018","journal-title":"arXiv 1807 06756"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(13)70045-9"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/CYBERNETICSCOM.2017.8311708"},{"key":"ref42","first-page":"1","article-title":"Software metrics and reliability","author":"rosenberg","year":"1998","journal-title":"Proc 9th Int Symp Softw Rel Eng"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/2.303623"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2007.256941"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1016\/S0164-1212(99)00102-8"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/6287639\/8948470\/09272730.pdf?arnumber=9272730","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,1,26]],"date-time":"2022-01-26T04:17:55Z","timestamp":1643170675000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9272730\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020]]},"references-count":94,"URL":"https:\/\/doi.org\/10.1109\/access.2020.3041181","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020]]}}}