{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T13:20:10Z","timestamp":1773840010137,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":69,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,10,11]],"date-time":"2021-10-11T00:00:00Z","timestamp":1633910400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Cyber Security Cooperative Research Centre"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,10,11]]},"DOI":"10.1145\/3475716.3475781","type":"proceedings-article","created":{"date-parts":[[2021,10,6]],"date-time":"2021-10-06T11:43:50Z","timestamp":1633520630000},"page":"1-12","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":51,"title":["An Empirical Study of Rule-Based and Learning-Based Approaches for Static Application Security Testing"],"prefix":"10.1145","author":[{"given":"Roland","family":"Croft","sequence":"first","affiliation":[{"name":"University of Adelaide, Cyber Security Cooperative, Research Centre"}]},{"given":"Dominic","family":"Newlands","sequence":"additional","affiliation":[{"name":"University of Adelaide"}]},{"given":"Ziyu","family":"Chen","sequence":"additional","affiliation":[{"name":"Monash University"}]},{"given":"M. Ali","family":"Babar","sequence":"additional","affiliation":[{"name":"University of Adelaide, Cyber Security Cooperative, Research Centre"}]}],"member":"320","published-online":{"date-parts":[[2021,10,11]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2019.110427"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2016.105"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2012.345"},{"key":"e_1_3_2_1_4_1","unstructured":"CERN. [n.d.]. Rough Auditing Tool for Security (RATS). https:\/\/security.web.cern.ch\/recommendations\/en\/codetools\/rats.shtml  CERN. [n.d.]. Rough Auditing Tool for Security (RATS). https:\/\/security.web.cern.ch\/recommendations\/en\/codetools\/rats.shtml"},{"key":"e_1_3_2_1_5_1","volume-title":"The advantages of the Matthews correlation coefficient (MCC) over F1 score and accuracy in binary classification evaluation. BMC genomics 21, 1","author":"Chicco Davide","year":"2020","unstructured":"Davide Chicco and Giuseppe Jurman . 2020. The advantages of the Matthews correlation coefficient (MCC) over F1 score and accuracy in binary classification evaluation. BMC genomics 21, 1 ( 2020 ), 1--13. Davide Chicco and Giuseppe Jurman. 2020. The advantages of the Matthews correlation coefficient (MCC) over F1 score and accuracy in binary classification evaluation. BMC genomics 21, 1 (2020), 1--13."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2010.06.003"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970347"},{"key":"e_1_3_2_1_8_1","volume-title":"Sampling techniques","author":"Cochran William G","unstructured":"William G Cochran . 2007. Sampling techniques . John Wiley & Sons . William G Cochran. 2007. Sampling techniques. John Wiley & Sons."},{"key":"e_1_3_2_1_9_1","volume-title":"Code analysis for intelligent cyber systems: A data-driven approach. Information sciences 524","author":"Coulter Rory","year":"2020","unstructured":"Rory Coulter , Qing-Long Han , Lei Pan , Jun Zhang , and Yang Xiang . 2020. Code analysis for intelligent cyber systems: A data-driven approach. Information sciences 524 ( 2020 ), 46--58. Rory Coulter, Qing-Long Han, Lei Pan, Jun Zhang, and Yang Xiang. 2020. Code analysis for intelligent cyber systems: A data-driven approach. Information sciences 524 (2020), 46--58."},{"key":"#cr-split#-e_1_3_2_1_10_1.1","unstructured":"Roland Croft Dominic Newlands Ziyu Chen and Ali Babar. 2021. Reproduction package for \"An Empirical Study of Rule-Based and Learning-Based Approaches for Static Application Security Testing\". https:\/\/doi.org\/10.6084\/m9.figshare.14585076.v1 10.6084\/m9.figshare.14585076.v1"},{"key":"#cr-split#-e_1_3_2_1_10_1.2","doi-asserted-by":"crossref","unstructured":"Roland Croft Dominic Newlands Ziyu Chen and Ali Babar. 2021. Reproduction package for \"An Empirical Study of Rule-Based and Learning-Based Approaches for Static Application Security Testing\". https:\/\/doi.org\/10.6084\/m9.figshare.14585076.v1","DOI":"10.1145\/3475716.3475781"},{"key":"e_1_3_2_1_11_1","unstructured":"CWE. [n.d.]. Common Weakness Enumeration. https:\/\/cwe.mitre.org\/  CWE. [n.d.]. Common Weakness Enumeration. https:\/\/cwe.mitre.org\/"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2013.02.005"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09868-x"},{"key":"e_1_3_2_1_14_1","volume-title":"The impact of mislabeled changes by szz on just-in-time defect prediction","author":"Fan Yuanrui","year":"2020","unstructured":"Yuanrui Fan , D Alencar da Costa , D Lo , AE Hassan , and L Shanping . 2020. The impact of mislabeled changes by szz on just-in-time defect prediction . IEEE Transactions on Software Engineering ( 2020 ). Yuanrui Fan, D Alencar da Costa, D Lo, AE Hassan, and L Shanping. 2020. The impact of mislabeled changes by szz on just-in-time defect prediction. IEEE Transactions on Software Engineering (2020)."},{"key":"e_1_3_2_1_15_1","unstructured":"OWASP Foundation. [n.d.]. Static Code Analysis. https:\/\/owasp.org\/www-community\/controls\/Static_Code_Analysis  OWASP Foundation. [n.d.]. Static Code Analysis. https:\/\/owasp.org\/www-community\/controls\/Static_Code_Analysis"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICIMP.2007.46"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3092566"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.18"},{"key":"e_1_3_2_1_19_1","volume-title":"Mohd Faizal Ab Razak, Ahmad Firdaus, and Nor Badrul Anuar.","author":"Hanif Hazim","year":"2021","unstructured":"Hazim Hanif , Mohd Hairul Nizam Md Nasir , Mohd Faizal Ab Razak, Ahmad Firdaus, and Nor Badrul Anuar. 2021 . The rise of software vulnerability: Taxonomy of software vulnerabilities detection and machine learning approaches. Journal of Network and Computer Applications ( 2021), 103009. Hazim Hanif, Mohd Hairul Nizam Md Nasir, Mohd Faizal Ab Razak, Ahmad Firdaus, and Nor Badrul Anuar. 2021. The rise of software vulnerability: Taxonomy of software vulnerabilities detection and machine learning approaches. Journal of Network and Computer Applications (2021), 103009."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00049"},{"key":"e_1_3_2_1_21_1","volume-title":"The distribution of the flora in the alpine zone. 1. New phytologist 11, 2","author":"Jaccard Paul","year":"1912","unstructured":"Paul Jaccard . 1912. The distribution of the flora in the alpine zone. 1. New phytologist 11, 2 ( 1912 ), 37--50. Paul Jaccard. 1912. The distribution of the flora in the alpine zone. 1. New phytologist 11, 2 (1912), 37--50."},{"key":"e_1_3_2_1_22_1","volume-title":"IEEE International Working Conference on Source Code Analysis and Manipulation.","author":"Jimenez Matthieu","year":"2018","unstructured":"Matthieu Jimenez , Yves Le Traon , and Mike Papadakis . 2018 . Enabling the continous analysis of security vulnerabilities with vuldata7 . In IEEE International Working Conference on Source Code Analysis and Manipulation. Matthieu Jimenez, Yves Le Traon, and Mike Papadakis. 2018. Enabling the continous analysis of security vulnerabilities with vuldata7. In IEEE International Working Conference on Source Code Analysis and Manipulation."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.5555\/2486788.2486877"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2020.04.217"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1093\/biomet\/30.1-2.81"},{"key":"e_1_3_2_1_26_1","volume-title":"Guide to Vulnerability Analysis for Computer Networks and Systems","author":"Khan Saad","unstructured":"Saad Khan and Simon Parkinson . 2018. Review into state of the art of vulnerability assessment using artificial intelligence . In Guide to Vulnerability Analysis for Computer Networks and Systems . Springer , 3--32. Saad Khan and Simon Parkinson. 2018. Review into state of the art of vulnerability assessment using artificial intelligence. In Guide to Vulnerability Analysis for Computer Networks and Systems. Springer, 3--32."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/512927.512945"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387443"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3463274.3463331"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23158"},{"key":"e_1_3_2_1_31_1","unstructured":"Daniel Marjamaki. [n.d.]. Cppcheck. http:\/\/cppcheck.sourceforge.net\/  Daniel Marjamaki. [n.d.]. Cppcheck. http:\/\/cppcheck.sourceforge.net\/"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3032756"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2746194.2746198"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9541-1"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/RCoSE\/DDrEE.2019.00008"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2017.2710421"},{"key":"e_1_3_2_1_37_1","unstructured":"National Institute of Standards and Technology. [n.d.]. Software Assurance and Reference Dataset. https:\/\/samate.nist.gov\/SARD\/testsuite.php  National Institute of Standards and Technology. [n.d.]. Software Assurance and Reference Dataset. https:\/\/samate.nist.gov\/SARD\/testsuite.php"},{"key":"e_1_3_2_1_38_1","unstructured":"National Institute of Standards and Technology. [n.d.]. Source Code Security Analyzers. https:\/\/samate.nist.gov\/index.php\/Source_Code_Security_Analyzers.html  National Institute of Standards and Technology. [n.d.]. Source Code Security Analyzers. https:\/\/samate.nist.gov\/index.php\/Source_Code_Security_Analyzers.html"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-91602-6_6"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00124"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/LADC48089.2019.8995685"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813604"},{"key":"e_1_3_2_1_43_1","volume-title":"Automated Security Review of PHP Web Applications with Static Code Analysis. Master's thesis","author":"Poel Nico","unstructured":"Nico Poel . 2010. Automated Security Review of PHP Web Applications with Static Code Analysis. Master's thesis . University of Groningen. Nico Poel. 2010. Automated Security Review of PHP Web Applications with Static Code Analysis. Master's thesis. University of Groningen."},{"key":"e_1_3_2_1_44_1","volume-title":"Better, Faster, Finer-grained Just-In-Time Defect Prediction. arXiv preprint arXiv:2103.07068","author":"Pornprasit Chanathip","year":"2021","unstructured":"Chanathip Pornprasit and Chakkrit Tantithamthavorn . 2021. JITLine : A Simpler , Better, Faster, Finer-grained Just-In-Time Defect Prediction. arXiv preprint arXiv:2103.07068 ( 2021 ). Chanathip Pornprasit and Chakkrit Tantithamthavorn. 2021. JITLine: A Simpler, Better, Faster, Finer-grained Just-In-Time Defect Prediction. arXiv preprint arXiv:2103.07068 (2021)."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568269"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3306446.3340828"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3239235.3267440"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2014.2340398"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.5555\/1407003"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2187671.2187673"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2010.81"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-011-9190-8"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2810116"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(17)30027-2"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2876537"},{"key":"e_1_3_2_1_56_1","volume-title":"Explainable AI for Software Engineering. arXiv preprint arXiv:2012.01614","author":"Tantithamthavorn Chakkrit","year":"2020","unstructured":"Chakkrit Tantithamthavorn , Jirayus Jiarpakdee , and John Grundy . 2020. Explainable AI for Software Engineering. arXiv preprint arXiv:2012.01614 ( 2020 ). Chakkrit Tantithamthavorn, Jirayus Jiarpakdee, and John Grundy. 2020. Explainable AI for Software Engineering. arXiv preprint arXiv:2012.01614 (2020)."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2016.2584050"},{"key":"e_1_3_2_1_58_1","unstructured":"TIOBE. [n.d.]. TIOBE Index. https:\/\/www.tiobe.com\/tiobe-index\/  TIOBE. [n.d.]. TIOBE Index. https:\/\/www.tiobe.com\/tiobe-index\/"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/545186.545188"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.5220\/0005032902440252"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2014.32"},{"key":"e_1_3_2_1_62_1","unstructured":"David Wheeler. [n.d.]. Flawfinder. https:\/\/dwheeler.com\/flawfinder\/  David Wheeler. [n.d.]. Flawfinder. https:\/\/dwheeler.com\/flawfinder\/"},{"key":"e_1_3_2_1_63_1","volume-title":"Breakthroughs in statistics","author":"Wilcoxon Frank","unstructured":"Frank Wilcoxon . 1992. Individual comparisons by ranking methods . In Breakthroughs in statistics . Springer , 196--202. Frank Wilcoxon. 1992. Individual comparisons by ranking methods. In Breakthroughs in statistics. Springer, 196--202."},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/949952.940115"},{"key":"e_1_3_2_1_65_1","volume-title":"Predictive Models in Software Engineering: Challenges and Opportunities. arXiv preprint arXiv:2008.03656","author":"Yang Yanming","year":"2020","unstructured":"Yanming Yang , Xin Xia , David Lo , Tingting Bi , John Grundy , and Xiaohu Yang . 2020. Predictive Models in Software Engineering: Challenges and Opportunities. arXiv preprint arXiv:2008.03656 ( 2020 ). Yanming Yang, Xin Xia, David Lo, Tingting Bi, John Grundy, and Xiaohu Yang. 2020. Predictive Models in Software Engineering: Challenges and Opportunities. arXiv preprint arXiv:2008.03656 (2020)."},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1109\/APSEC.2014.81"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3034766"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2010.32"}],"event":{"name":"ESEM '21: ACM \/ IEEE International Symposium on Empirical Software Engineering and Measurement","location":"Bari Italy","acronym":"ESEM '21","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS"]},"container-title":["Proceedings of the 15th ACM \/ IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3475716.3475781","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3475716.3475781","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:48:18Z","timestamp":1750193298000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3475716.3475781"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,11]]},"references-count":69,"alternative-id":["10.1145\/3475716.3475781","10.1145\/3475716"],"URL":"https:\/\/doi.org\/10.1145\/3475716.3475781","relation":{},"subject":[],"published":{"date-parts":[[2021,10,11]]},"assertion":[{"value":"2021-10-11","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}