{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T03:02:11Z","timestamp":1775617331426,"version":"3.50.1"},"reference-count":78,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2021,9,28]],"date-time":"2021-09-28T00:00:00Z","timestamp":1632787200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001381","name":"National Research Foundation, Singapore","doi-asserted-by":"crossref","award":["AISG2-RP-2020-019"],"award-info":[{"award-number":["AISG2-RP-2020-019"]}],"id":[{"id":"10.13039\/501100001381","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100001381","name":"National Research Foundation, Prime Ministers Office, Singapore","doi-asserted-by":"crossref","award":["NRF2018NCR-NCR005-0001"],"award-info":[{"award-number":["NRF2018NCR-NCR005-0001"]}],"id":[{"id":"10.13039\/501100001381","id-type":"DOI","asserted-by":"crossref"}]},{"name":"NRF Investigatorship","award":["NRF-NRFI06-2020-0001"],"award-info":[{"award-number":["NRF-NRFI06-2020-0001"]}]},{"DOI":"10.13039\/501100001321","name":"National Research Foundation","doi-asserted-by":"crossref","award":["NRF2018NCR-NSOE003-0001"],"award-info":[{"award-number":["NRF2018NCR-NSOE003-0001"]}],"id":[{"id":"10.13039\/501100001321","id-type":"DOI","asserted-by":"crossref"}]},{"name":"NVIDIA AI Tech Center"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2022,1,31]]},"abstract":"<jats:p>\n            Security patches in open source software, providing security fixes to identified vulnerabilities, are crucial in protecting against cyber attacks. 
Security advisories and announcements are often publicly released to inform users about potential security vulnerabilities. Although the\n            <jats:bold>National Vulnerability Database (NVD)<\/jats:bold>\n            publishes identified vulnerabilities, a vast majority of vulnerabilities and their corresponding security patches remain beyond public exposure, e.g., in the open source libraries that are heavily relied on by developers. As many of these patches exist in open sourced projects, the problem of curating and gathering security patches can be difficult due to their hidden nature. An extensive and complete security patch dataset could help end-users such as security companies, e.g., building a security knowledge base, or researchers, e.g., aiding in vulnerability research.\n          <\/jats:p>\n          <jats:p>\n            To efficiently curate security patches including undisclosed patches at large scale and low cost, we propose a deep neural-network-based approach built upon commits of open source repositories. First, we design and build security patch datasets that include 38,291 security-related commits and 1,045\n            <jats:bold>Common Vulnerabilities and Exposures (CVE)<\/jats:bold>\n            patches from four large-scale C programming language libraries. We manually verify each commit, among the 38,291 security-related commits, to determine if it is security related.\n          <\/jats:p>\n          <jats:p>We devise and implement a deep learning-based security patch identification system that consists of two composite neural networks: one commit-message neural network that utilizes pretrained word representations learned from our commits dataset and one code-revision neural network that takes code before revision and after revision and learns the distinction on the statement level. Our system leverages the power of the two networks for Security Patch Identification. 
Evaluation results show that our system significantly outperforms SVM and K-fold stacking algorithms. The result on the combined dataset achieves as high as 87.93% F1-score and precision of 86.24%.<\/jats:p>\n          <jats:p>We deployed our pipeline and learned model in an industrial production environment to evaluate the generalization ability of our approach. The industrial dataset consists of 298,917 commits from 410 new libraries that range from a wide functionalities. Our experiment results and observation on the industrial dataset proved that our approach can identify security patches effectively among open sourced projects.<\/jats:p>","DOI":"10.1145\/3468854","type":"journal-article","created":{"date-parts":[[2021,9,28]],"date-time":"2021-09-28T20:49:24Z","timestamp":1632862164000},"page":"1-27","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":44,"title":["SPI: Automated Identification of Security Patches via Commits"],"prefix":"10.1145","volume":"31","author":[{"given":"Yaqin","family":"Zhou","sequence":"first","affiliation":[{"name":"Nanyang Technological University, Singapore"}]},{"given":"Jing Kai","family":"Siow","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}]},{"given":"Chenyu","family":"Wang","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}]},{"given":"Shangqing","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}]},{"given":"Yang","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}]}],"member":"320","published-online":{"date-parts":[[2021,9,28]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"[n.d.]. Buffer Overflow. Retrieved from https:\/\/www.owasp.org\/index.php\/Buffer_Overflows.  [n.d.]. Buffer Overflow. 
Retrieved from https:\/\/www.owasp.org\/index.php\/Buffer_Overflows."},{"key":"e_1_2_1_2_1","unstructured":"[n.d.]. Buffer Overreads. Retrieved from https:\/\/cwe.mitre.org\/data\/definitions\/126.html.  [n.d.]. Buffer Overreads. Retrieved from https:\/\/cwe.mitre.org\/data\/definitions\/126.html."},{"key":"e_1_2_1_3_1","unstructured":"[n.d.]. FFMpeg Security Patch Example. Retrieved from https:\/\/github.com\/FFmpeg\/FFmpeg\/commit\/61cd19b8bc32185c8caf64d89d1b0909877a0707.  [n.d.]. FFMpeg Security Patch Example. Retrieved from https:\/\/github.com\/FFmpeg\/FFmpeg\/commit\/61cd19b8bc32185c8caf64d89d1b0909877a0707."},{"key":"e_1_2_1_4_1","unstructured":"[n.d.]. Module Counts. Retrieved from http:\/\/www.modulecounts.com\/.  [n.d.]. Module Counts. Retrieved from http:\/\/www.modulecounts.com\/."},{"key":"e_1_2_1_5_1","unstructured":"[n.d.]. Null Pointer Dereference. Retrieved from https:\/\/www.owasp.org\/index.php\/Null_Dereference.  [n.d.]. Null Pointer Dereference. Retrieved from https:\/\/www.owasp.org\/index.php\/Null_Dereference."},{"key":"e_1_2_1_6_1","volume-title":"Open Sourced Security and License Management -","year":"2020","unstructured":"[n.d.]. Open Sourced Security and License Management - 2020 . Retrieved from https:\/\/www.whitesourcesoftware.com\/. [n.d.]. Open Sourced Security and License Management - 2020. Retrieved from https:\/\/www.whitesourcesoftware.com\/."},{"key":"e_1_2_1_7_1","unstructured":"[n.d.]. Software Composition Analysis | Black Duck Software. Retrieved from https:\/\/www.blackducksoftware.com\/.  [n.d.]. Software Composition Analysis | Black Duck Software. Retrieved from https:\/\/www.blackducksoftware.com\/."},{"key":"e_1_2_1_8_1","unstructured":"[n.d.]. The State of Open Source Security\u20132019. Retrieved from https:\/\/snyk.io\/opensourcesecurity-2019\/.  [n.d.]. The State of Open Source Security\u20132019. Retrieved from https:\/\/snyk.io\/opensourcesecurity-2019\/."},{"key":"e_1_2_1_9_1","unstructured":"[n.d.]. 
Uninitialized Variable. Retrieved from https:\/\/www.owasp.org\/index.php\/Uninitialized_variable.  [n.d.]. Uninitialized Variable. Retrieved from https:\/\/www.owasp.org\/index.php\/Uninitialized_variable."},{"key":"e_1_2_1_10_1","unstructured":"2010. CVE-2010-5329. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2010-5329.  2010. CVE-2010-5329. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2010-5329."},{"key":"e_1_2_1_11_1","unstructured":"2015. CVE-2015-8952. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2015-8952.  2015. CVE-2015-8952. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2015-8952."},{"key":"e_1_2_1_12_1","unstructured":"2017. CVE-2017-5638. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-5638.  2017. CVE-2017-5638. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-5638."},{"key":"e_1_2_1_13_1","unstructured":"2017. CVE-2017-7187. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-7187.  2017. CVE-2017-7187. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-7187."},{"key":"e_1_2_1_14_1","unstructured":"2017. Machine Learning at SourceClear. Retrieved from https:\/\/www.sourceclear.com\/blog\/Machine-Learning-at-SourceClear\/.  2017. Machine Learning at SourceClear. Retrieved from https:\/\/www.sourceclear.com\/blog\/Machine-Learning-at-SourceClear\/."},{"key":"e_1_2_1_15_1","unstructured":"2017. Silently (or Obliviously) Partially-fixed CONFIG_STRICT_DEVMEM Bypass. Retrieved from http:\/\/www.openwall.com\/lists\/oss-security\/2017\/04\/16\/4.  2017. Silently (or Obliviously) Partially-fixed CONFIG_STRICT_DEVMEM Bypass. Retrieved from http:\/\/www.openwall.com\/lists\/oss-security\/2017\/04\/16\/4."},{"key":"e_1_2_1_16_1","unstructured":"2019. Checkmarx. Retrieved from https:\/\/www.checkmarx.com\/.  2019. Checkmarx. Retrieved from https:\/\/www.checkmarx.com\/."},{"key":"e_1_2_1_17_1","unstructured":"2019. CVEDetails\u2013CVE Number by Date. 
Retrieved from https:\/\/www.cvedetails.com\/browse-by-date.php.  2019. CVEDetails\u2013CVE Number by Date. Retrieved from https:\/\/www.cvedetails.com\/browse-by-date.php."},{"key":"e_1_2_1_18_1","unstructured":"2019. Pygments. Retrieved from https:\/\/pygments.org\/.  2019. Pygments. Retrieved from https:\/\/pygments.org\/."},{"key":"e_1_2_1_19_1","unstructured":"2019. Software Assurance Reference Dataset. Retrieved from https:\/\/samate.nist.gov\/SARD\/testsuite.php.  2019. Software Assurance Reference Dataset. Retrieved from https:\/\/samate.nist.gov\/SARD\/testsuite.php."},{"key":"e_1_2_1_20_1","unstructured":"2019. The State of Octoverse. Retrieved from https:\/\/octoverse.github.com\/.  2019. The State of Octoverse. Retrieved from https:\/\/octoverse.github.com\/."},{"key":"e_1_2_1_21_1","volume-title":"National Vulnerability Database -","year":"2020","unstructured":"2020. National Vulnerability Database - 2020 . Retrieved from https:\/\/nvd.nist.gov. 2020. National Vulnerability Database - 2020. Retrieved from https:\/\/nvd.nist.gov."},{"key":"e_1_2_1_22_1","unstructured":"2020. VulnDB-2020. Retrieved from https:\/\/vulndb.cyberriskanalytics.com\/.  2020. VulnDB-2020. Retrieved from https:\/\/vulndb.cyberriskanalytics.com\/."},{"key":"e_1_2_1_23_1","unstructured":"Mart\u00edn Abadi Ashish Agarwal Paul Barham and etal2015. TensorFlow: Large-Scale Machine Learning on Heterogeneous Systems. Retrieved from https:\/\/www.tensorflow.org\/.  Mart\u00edn Abadi Ashish Agarwal Paul Barham and et al.2015. TensorFlow: Large-Scale Machine Learning on Heterogeneous Systems. Retrieved from https:\/\/www.tensorflow.org\/."},{"key":"e_1_2_1_24_1","volume-title":"Proceedings of the 32nd IEEE\/ACM International Conference on Automated Software Engineering (ASE'17)","author":"Ahmed T.","year":"2017","unstructured":"T. Ahmed , A. Bosu , A. Iqbal , and S. Rahimi . 2017. SentiCR: A customized sentiment analysis tool for code review interactions . 
In Proceedings of the 32nd IEEE\/ACM International Conference on Automated Software Engineering (ASE'17) . 106\u2013111. https:\/\/doi.org\/10.1109\/ASE. 2017 .8115623 T. Ahmed, A. Bosu, A. Iqbal, and S. Rahimi. 2017. SentiCR: A customized sentiment analysis tool for code review interactions. In Proceedings of the 32nd IEEE\/ACM International Conference on Automated Software Engineering (ASE'17). 106\u2013111. https:\/\/doi.org\/10.1109\/ASE.2017.8115623"},{"key":"e_1_2_1_25_1","volume-title":"Proc. ACM Program. Lang. 3, POPL, Article 40 (January","author":"Alon Uri","year":"2018","unstructured":"Uri Alon , Meital Zilberstein , Omer Levy , and Eran Yahav . 2018 . code2vec: Learning distributed representations of code . Proc. ACM Program. Lang. 3, POPL, Article 40 (January 2019), 29 pages. DOI:https:\/\/doi.org\/10.1145\/3290353 Uri Alon, Meital Zilberstein, Omer Levy, and Eran Yahav. 2018. code2vec: Learning distributed representations of code. Proc. ACM Program. Lang. 3, POPL, Article 40 (January 2019), 29 pages. DOI:https:\/\/doi.org\/10.1145\/3290353"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134022"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3377813.3381360"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387461"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180445.3180453"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/E17-1104"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2881961"},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the International Conference on Learning Representations.","author":"Dinella Elizabeth","year":"2020","unstructured":"Elizabeth Dinella , Hanjun Dai , Ziyang Li , Mayur Naik , Le Song , and Ke Wang . 2020 . HOPPITY: Learning graph transformations to detect and fix bugs in programs . In Proceedings of the International Conference on Learning Representations. 
Elizabeth Dinella, Hanjun Dai, Ziyang Li, Mayur Naik, Le Song, and Ke Wang. 2020. HOPPITY: Learning graph transformations to detect and fix bugs in programs. In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_2_1_33_1","volume-title":"Deep Learning","author":"Goodfellow Ian","unstructured":"Ian Goodfellow , Yoshua Bengio , and Aaron Courville . 2016. Deep Learning . MIT Press . Ian Goodfellow, Yoshua Bengio, and Aaron Courville. 2016. Deep Learning. MIT Press."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180167"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950334"},{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the 31st AAAI Conference on Artificial Intelligence (AAAI'17)","author":"Gupta Rahul","year":"2017","unstructured":"Rahul Gupta , Soham Pal , Aditya Kanade , and Shirish Shevade . 2017 . DeepFix: Fixing common C language errors by deep learning . In Proceedings of the 31st AAAI Conference on Artificial Intelligence (AAAI'17) . AAAI Press, 1345\u20131351. Rahul Gupta, Soham Pal, Aditya Kanade, and Shirish Shevade. 2017. DeepFix: Fixing common C language errors by deep learning. In Proceedings of the 31st AAAI Conference on Artificial Intelligence (AAAI'17). AAAI Press, 1345\u20131351."},{"key":"e_1_2_1_37_1","volume-title":"et\u00a0al","author":"Harer Jacob A.","year":"2018","unstructured":"Jacob A. Harer , Louis Y. Kim , Rebecca L. Russell , Onur Ozdemir , Leonard R. Kosta , Akshay Rangamani , Lei H. Hamilton , Gabriel I. Centeno , Jonathan R. Key , Paul M. Ellingwood , et\u00a0al . 2018 . Automated software vulnerability detection with machine learning. arXiv:1803.04497. Retrieved from https:\/\/arxiv.org\/abs\/1803.04497. Jacob A. Harer, Louis Y. Kim, Rebecca L. Russell, Onur Ozdemir, Leonard R. Kosta, Akshay Rangamani, Lei H. Hamilton, Gabriel I. Centeno, Jonathan R. Key, Paul M. Ellingwood, et\u00a0al. 2018. 
Automated software vulnerability detection with machine learning. arXiv:1803.04497. Retrieved from https:\/\/arxiv.org\/abs\/1803.04497."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1985441.1985466"},{"key":"e_1_2_1_39_1","volume-title":"2019 IEEE\/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion'19)","author":"Hoang T.","unstructured":"T. Hoang , J. Lawall , R. J. Oentaryo , Y. Tian , and D. Lo . 2019. PatchNet: A tool for deep patch classification . In 2019 IEEE\/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion'19) . 83\u201386. DOI:10.1109\/ICSE-Companion.2019.00044 10.1109\/ICSE-Companion.2019.00044 T. Hoang, J. Lawall, R. J. Oentaryo, Y. Tian, and D. Lo. 2019. PatchNet: A tool for deep patch classification. In 2019 IEEE\/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion'19). 83\u201386. DOI:10.1109\/ICSE-Companion.2019.00044"},{"key":"e_1_2_1_40_1","volume-title":"Proceedings of the 25th International Joint Conference on Artificial Intelligence. AAAI Press, 1606\u20131612","author":"Huo Xuan","year":"2016","unstructured":"Xuan Huo , Ming Li , and Zhi-Hua Zhou . 2016 . Learning unified features from natural and programming languages for locating buggy source code . In Proceedings of the 25th International Joint Conference on Artificial Intelligence. AAAI Press, 1606\u20131612 . http:\/\/dl.acm.org\/citation.cfm?id=3060832.3060845. Xuan Huo, Ming Li, and Zhi-Hua Zhou. 2016. Learning unified features from natural and programming languages for locating buggy source code. In Proceedings of the 25th International Joint Conference on Artificial Intelligence. AAAI Press, 1606\u20131612. 
http:\/\/dl.acm.org\/citation.cfm?id=3060832.3060845."},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.3115\/v1\/D14-1181"},{"key":"e_1_2_1_42_1","volume-title":"Proceedings of the 3rd International Conference on Learning Representations, ICLR 2015","author":"Diederik","year":"2015","unstructured":"Diederik P. Kingma and Jimmy Ba. 2014. Adam: A method for stochastic optimization . In Proceedings of the 3rd International Conference on Learning Representations, ICLR 2015 , San Diego, CA, USA , May 7-9, 2015 . Diederik P. Kingma and Jimmy Ba. 2014. Adam: A method for stochastic optimization. In Proceedings of the 3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, May 7-9, 2015."},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134072"},{"key":"e_1_2_1_44_1","volume-title":"Proceedings 4th International Conference on Learning Representations (ICLR'16)","author":"Li Yujia","year":"2016","unstructured":"Yujia Li , Daniel Tarlow , Marc Brockschmidt , and Richard Zemel . 2016 . Gated graph sequence neural networks . In Proceedings 4th International Conference on Learning Representations (ICLR'16) , San Juan, Puerto Rico , May 2-4, 2016. Yujia Li, Daniel Tarlow, Marc Brockschmidt, and Richard Zemel. 2016. Gated graph sequence neural networks. In Proceedings 4th International Conference on Learning Representations (ICLR'16), San Juan, Puerto Rico, May 2-4, 2016."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380345"},{"key":"e_1_2_1_46_1","unstructured":"Zhen Li Deqing Zou Shouhuai Xu Hai Jin Yawei Zhu Zhaoxuan Chen Sujuan Wang and Jialai Wang. 2018. SySeVR: A Framework for using deep learning to detect software vulnerabilities. arXiv:1807.06756. Retrieved from http:\/\/arxiv.org\/abs\/1807.06756.  Zhen Li Deqing Zou Shouhuai Xu Hai Jin Yawei Zhu Zhaoxuan Chen Sujuan Wang and Jialai Wang. 2018. 
SySeVR: A Framework for using deep learning to detect software vulnerabilities. arXiv:1807.06756. Retrieved from http:\/\/arxiv.org\/abs\/1807.06756."},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23158"},{"key":"e_1_2_1_48_1","unstructured":"Zachary C. Lipton John Berkowitz and Charles Elkan. 2015. A critical review of recurrent neural networks for sequence learning. arXiv:1506.00019 [cs.LG]. Retrieved from https:\/\/arxiv.org\/abs\/1506.00019.  Zachary C. Lipton John Berkowitz and Charles Elkan. 2015. A critical review of recurrent neural networks for sequence learning. arXiv:1506.00019 [cs.LG]. Retrieved from https:\/\/arxiv.org\/abs\/1506.00019."},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3418924"},{"key":"e_1_2_1_50_1","volume-title":"Proceedings of the International Conference on Learning Representations.","author":"Liu Shangqing","year":"2021","unstructured":"Shangqing Liu , Yu Chen , Xiaofei Xie , Jing Kai Siow , and Yang Liu . 2021 . Retrieval-augmented generation for code summarization via hybrid {GNN} . In Proceedings of the International Conference on Learning Representations. Shangqing Liu, Yu Chen, Xiaofei Xie, Jing Kai Siow, and Yang Liu. 2021. Retrieval-augmented generation for code summarization via hybrid {GNN}. In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_2_1_51_1","volume-title":"ATOM: Commit message generation based on abstract syntax tree and hybrid ranking","author":"Liu S.","unstructured":"S. Liu , C. Gao , S. Chen , N. Lun Yiu , and Y. Liu . ATOM: Commit message generation based on abstract syntax tree and hybrid ranking . In IEEE Transactions on Software Engineering vol. 1. 1\u20131. DOI:10.1109\/TSE.2020.3038681 10.1109\/TSE.2020.3038681 S. Liu, C. Gao, S. Chen, N. Lun Yiu, and Y. Liu. ATOM: Commit message generation based on abstract syntax tree and hybrid ranking. In IEEE Transactions on Software Engineering vol. 1. 1\u20131. 
DOI:10.1109\/TSE.2020.3038681"},{"key":"e_1_2_1_52_1","unstructured":"Tomas Mikolov Ilya Sutskever Kai Chen Greg S Corrado and Jeff Dean. 2013. Distributed representations of words and phrases and their compositionality. In Advances in neural information processing systems. 3111\u20133119.  Tomas Mikolov Ilya Sutskever Kai Chen Greg S Corrado and Jeff Dean. 2013. Distributed representations of words and phrases and their compositionality. In Advances in neural information processing systems. 3111\u20133119."},{"key":"e_1_2_1_53_1","volume-title":"Proceedings of the AAAI Annual Conference on Artificial Intelligence (AAAI'16)","volume":"2","author":"Mou Lili","year":"2016","unstructured":"Lili Mou , Ge Li , Lu Zhang , Tao Wang , and Zhi Jin . 2016 . Convolutional neural networks over tree structures for programming language processing . In Proceedings of the AAAI Annual Conference on Artificial Intelligence (AAAI'16) , Vol. 2 . 4. Lili Mou, Ge Li, Lu Zhang, Tao Wang, and Zhi Jin. 2016. Convolutional neural networks over tree structures for programming language processing. In Proceedings of the AAAI Annual Conference on Artificial Intelligence (AAAI'16), Vol. 2. 4."},{"key":"e_1_2_1_54_1","unstructured":"Google OSS-Fuzz. 2020. Retrieved from https:\/\/bugs.chromium.org\/p\/oss-fuzz\/issues\/list.  Google OSS-Fuzz. 2020. 
Retrieved from https:\/\/bugs.chromium.org\/p\/oss-fuzz\/issues\/list."},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3094243.3094245"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813604"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2787653"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597117"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3276517"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635922"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594321"},{"key":"e_1_2_1_62_1","unstructured":"Bugzilla Redhat. 2020. Retrieved from https:\/\/bugzilla.redhat.com\/.  Bugzilla Redhat. 2020. Retrieved from https:\/\/bugzilla.redhat.com\/."},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2018.00120"},{"key":"e_1_2_1_64_1","volume-title":"McConley","author":"Russell Rebecca L.","year":"2018","unstructured":"Rebecca L. Russell , Louis Y. Kim , Lei H. Hamilton , Tomo Lazovich , Jacob A. Harer , Onur Ozdemir , Paul M. Ellingwood , and Marc W . McConley . 2018 . Automated vulnerability detection in source code using deep representation learning. arXiv:1807.04320. Retrieved from http:\/\/arxiv.org\/abs\/1807.04320. Rebecca L. Russell, Louis Y. Kim, Lei H. Hamilton, Tomo Lazovich, Jacob A. Harer, Onur Ozdemir, Paul M. Ellingwood, and Marc W. McConley. 2018. Automated vulnerability detection in source code using deep representation learning. arXiv:1807.04320. 
Retrieved from http:\/\/arxiv.org\/abs\/1807.04320."},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2010.81"},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/1414004.1414065"},{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER48275.2020.9054794"},{"key":"e_1_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3240732"},{"key":"e_1_2_1_69_1","volume-title":"Mining of Massive Datasets","author":"Ullman Jeffrey David","unstructured":"Jeffrey David Ullman . 2011. Mining of Massive Datasets . Cambridge University Press . Jeffrey David Ullman. 2011. Mining of Massive Datasets. Cambridge University Press."},{"key":"e_1_2_1_70_1","volume-title":"Proceedings of the ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE'18)","author":"Earl","unstructured":"Earl T. Barr Vincent Hellendoorn, Christian Bird and Miltiadis Allamanis. 2018. Deep learning type inference . In Proceedings of the ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE'18) . Earl T. Barr Vincent Hellendoorn, Christian Bird and Miltiadis Allamanis. 2018. Deep learning type inference. In Proceedings of the ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE'18)."},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2017\/406"},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884804"},{"key":"e_1_2_1_73_1","volume-title":"OSS. In Proceedings of the 49th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN'19)","author":"Wang X.","year":"2019","unstructured":"X. Wang , K. Sun , A. Batcheller , and S. Jajodia . 2019. Detecting \u201c0-Day\u201d Vulnerability: An empirical study of secret security patch in OSS. 
In Proceedings of the 49th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN'19) . 485\u2013492. https:\/\/doi.org\/10.1109\/DSN. 2019 .00056 X. Wang, K. Sun, A. Batcheller, and S. Jajodia. 2019. Detecting \u201c0-Day\u201d Vulnerability: An empirical study of secret security patch in OSS. In Proceedings of the 49th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN'19). 485\u2013492. https:\/\/doi.org\/10.1109\/DSN.2019.00056"},{"key":"e_1_2_1_74_1","volume-title":"Proceedings of the 31st IEEE\/ACM International Conference on Automated Software Engineering (ASE'16)","author":"White M.","unstructured":"M. White , M. Tufano , C. Vendome , and D. Poshyvanyk . 2016. Deep learning code fragments for code clone detection . In Proceedings of the 31st IEEE\/ACM International Conference on Automated Software Engineering (ASE'16) . 87\u201398. M. White, M. Tufano, C. Vendome, and D. Poshyvanyk. 2016. Deep learning code fragments for code clone detection. In Proceedings of the 31st IEEE\/ACM International Conference on Automated Software Engineering (ASE'16). 87\u201398."},{"key":"e_1_2_1_75_1","volume-title":"Proceedings of the IEEE International Conference on Software Quality, Reliability and Security. 17\u201326","author":"Yang X.","unstructured":"X. Yang , D. Lo , X. Xia , Y. Zhang , and J. Sun . 2015. Deep learning for just-in-time defect prediction . In Proceedings of the IEEE International Conference on Software Quality, Reliability and Security. 17\u201326 . X. Yang, D. Lo, X. Xia, Y. Zhang, and J. Sun. 2015. Deep learning for just-in-time defect prediction. In Proceedings of the IEEE International Conference on Software Quality, Reliability and Security. 17\u201326."},{"key":"e_1_2_1_76_1","volume-title":"Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In Advances in Neural Information Processing Systems. 
10197\u201310207.","author":"Zhou Yaqin","year":"2019","unstructured":"Yaqin Zhou , Shangqing Liu , Jingkai Siow , Xiaoning Du , and Yang Liu . 2019 . Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In Advances in Neural Information Processing Systems. 10197\u201310207. Yaqin Zhou, Shangqing Liu, Jingkai Siow, Xiaoning Du, and Yang Liu. 2019. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In Advances in Neural Information Processing Systems. 10197\u201310207."},{"key":"e_1_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3117771"},{"key":"e_1_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2010.32"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3468854","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3468854","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:17:21Z","timestamp":1750191441000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3468854"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,9,28]]},"references-count":78,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,1,31]]}},"alternative-id":["10.1145\/3468854"],"URL":"https:\/\/doi.org\/10.1145\/3468854","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,9,28]]},"assertion":[{"value":"2020-05-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication 
History"}},{"value":"2021-05-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-09-28","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}