{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T02:54:15Z","timestamp":1769741655984,"version":"3.49.0"},"reference-count":197,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2024,10,7]],"date-time":"2024-10-07T00:00:00Z","timestamp":1728259200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key R&D Program of China","doi-asserted-by":"crossref","award":["2022YFB2902205"],"award-info":[{"award-number":["2022YFB2902205"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100017596","name":"Natural Science Basic Research Program of Shaanxi Province","doi-asserted-by":"crossref","award":["2021JM137"],"award-info":[{"award-number":["2021JM137"]}],"id":[{"id":"10.13039\/501100017596","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100012226","name":"Fundamental Research Funds for the Central Universities","doi-asserted-by":"crossref","award":["YJSJ23007"],"award-info":[{"award-number":["YJSJ23007"]}],"id":[{"id":"10.13039\/501100012226","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Tencent Security Yunding Lab"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2025,1,31]]},"abstract":"<jats:p>Over the past decade, Open Source Software (OSS) has experienced rapid growth and widespread adoption, attributed to its openness and editability. However, this expansion has also brought significant security challenges, particularly introducing and propagating software vulnerabilities. 
Despite the use of machine learning and formal methods to tackle these issues, there remains a notable gap in comprehensive surveys that summarize and analyze both Vulnerability Detection (VD) and Security Patch Detection (SPD) in OSS. This article seeks to bridge this gap through an extensive survey that evaluates 127 technical studies published between 2014 and 2023, structured around the Vulnerability-Patch lifecycle. We begin by delineating the six critical events that constitute the Vulnerability-Patch lifecycle, leading to an in-depth exploration of the Vulnerability-Patch ecosystem. We then systematically review the databases commonly used in VD and SPD, and analyze their characteristics. Subsequently, we examine existing VD methods, focusing on traditional and deep learning based approaches. Additionally, we organize current security patch identification methods by kernel type and discuss techniques for detecting the presence of security patches. Based on our comprehensive review, we identify open research questions and propose future research directions that merit further exploration.<\/jats:p>","DOI":"10.1145\/3694782","type":"journal-article","created":{"date-parts":[[2024,9,9]],"date-time":"2024-09-09T11:01:46Z","timestamp":1725879706000},"page":"1-37","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["Vulnerabilities and Security Patches Detection in OSS: A Survey"],"prefix":"10.1145","volume":"57","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6583-4343","authenticated-orcid":false,"given":"Ruyan","family":"Lin","sequence":"first","affiliation":[{"name":"School of Cyber Engineering, Xidian University, Xian, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2058-3405","authenticated-orcid":false,"given":"Yulong","family":"Fu","sequence":"additional","affiliation":[{"name":"School of Cyber Engineering and the State Key Laboratory of ISN, Xidian University, Xian, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-4602-5352","authenticated-orcid":false,"given":"Wei","family":"Yi","sequence":"additional","affiliation":[{"name":"School of Cyber Engineering, Xidian University, Xian, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-2859-7921","authenticated-orcid":false,"given":"Jincheng","family":"Yang","sequence":"additional","affiliation":[{"name":"School of Cyber Engineering, Xidian University, Xian, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1372-7252","authenticated-orcid":false,"given":"Jin","family":"Cao","sequence":"additional","affiliation":[{"name":"School of Cyber Engineering and the State Key Laboratory of ISN, Xidian University, Xian, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-8389-6867","authenticated-orcid":false,"given":"Zhiqiang","family":"Dong","sequence":"additional","affiliation":[{"name":"Tencent, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-2634-5521","authenticated-orcid":false,"given":"Fei","family":"Xie","sequence":"additional","affiliation":[{"name":"Tencent, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8310-7169","authenticated-orcid":false,"given":"Hui","family":"Li","sequence":"additional","affiliation":[{"name":"School of Cyber Engineering and the State Key Laboratory of ISN, Xidian University, Xian, China"}]}],"member":"320","published-online":{"date-parts":[[2024,10,7]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-022-10278-4"},{"key":"e_1_3_2_3_2","first-page":"337","volume-title":"Proceedings of the 2020 IEEE International Conference on Parallel and Distributed Processing with Applications, Big Data and Cloud Computing, Sustainable Computing and Communications, and Social Computing and Networking (ISPA\/BDCloud\/SocialCom\/SustainCom\u201920)","author":"An Wenyan","year":"2020","unstructured":"Wenyan An, Liwei Chen, Jinxin Wang, Gewangzi Du, Gang Shi, and Dan Meng. 2020. 
AVDHRAM: Automated vulnerability detection based on hierarchical representation and attention mechanism. In Proceedings of the 2020 IEEE International Conference on Parallel and Distributed Processing with Applications, Big Data and Cloud Computing, Sustainable Computing and Communications, and Social Computing and Networking (ISPA\/BDCloud\/SocialCom\/SustainCom\u201920). IEEE, 337\u2013344."},{"key":"e_1_3_2_4_2","unstructured":"Android. 2023. Android Security Bulletins. Retrieved September 10 2024 from https:\/\/source.android.com\/security\/bulletin"},{"key":"e_1_3_2_5_2","unstructured":"Android. 2023. Dalvik Executable Format. Retrieved September 10 2024 from https:\/\/source.android.com\/devices\/tech\/dalvik\/dex-format.html"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3360585"},{"key":"e_1_3_2_7_2","article-title":"A systematic literature review on software vulnerability prediction models","author":"Bassi Deepali","year":"2023","unstructured":"Deepali Bassi and Hardeep Singh. 2023. A systematic literature review on software vulnerability prediction models. IEEE Access 11 (2023), 110289\u2013110311.","journal-title":"IEEE Access"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338952"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2007.70725"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3475960.3475985"},{"key":"e_1_3_2_11_2","volume-title":"Proceedings of the Symposium sur la s\u00e9curit\u00e9 des technologies de linformation et des communications","author":"Biondi Philippe","year":"2017","unstructured":"Philippe Biondi, Rapha\u00ebl Rigo, Sarah Zennou, and Xavier Mehrenberger. 2017. BinCAT: Purrfecting binary static analysis. 
In Proceedings of the Symposium sur la s\u00e9curit\u00e9 des technologies de linformation et des communications."},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"e_1_3_2_13_2","first-page":"464","volume-title":"Proceedings of the 19th International Conference on Mining Software Repositories","author":"Bui Quang-Cuong","year":"2022","unstructured":"Quang-Cuong Bui, Riccardo Scandariato, and Nicol\u00e1s E. D\u00edaz Ferreyra. 2022. Vul4j: A dataset of reproducible Java vulnerabilities geared towards the study of program repair techniques. In Proceedings of the 19th International Conference on Mining Software Repositories. 464\u2013468."},{"key":"e_1_3_2_14_2","first-page":"209","volume-title":"Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (OSDI\u201908)","volume":"8","author":"Cadar Cristian","year":"2008","unstructured":"Cristian Cadar, Daniel Dunbar, and Dawson R. Engler. 2008. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (OSDI\u201908), Vol. 8. 209\u2013224."},{"key":"e_1_3_2_15_2","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1007\/11537328_2","volume-title":"Proceedings of the International SPIN Workshop on Model Checking of Software","author":"Cadar Cristian","year":"2005","unstructured":"Cristian Cadar and Dawson Engler. 2005. Execution generated test cases: How to make systems code crash itself. In Proceedings of the International SPIN Workshop on Model Checking of Software. 2\u201323."},{"issue":"2","key":"e_1_3_2_16_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/1455518.1455522","article-title":"EXE: Automatically generating inputs of death","volume":"12","author":"Cadar Cristian","year":"2008","unstructured":"Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, and Dawson R. Engler. 2008. 
EXE: Automatically generating inputs of death. ACM Transactions on Information and System Security 12, 2 (2008), 1\u201338.","journal-title":"ACM Transactions on Information and System Security"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2021.106576"},{"key":"e_1_3_2_18_2","doi-asserted-by":"crossref","DOI":"10.1109\/TSE.2021.3087402","article-title":"Deep learning based vulnerability detection: Are we there yet","author":"Chakraborty Saikat","year":"2022","unstructured":"Saikat Chakraborty, Rahul Krishna, Yangruibo Ding, and Baishakhi Ray. 2022. Deep learning based vulnerability detection: Are we there yet? IEEE Transactions on Software Engineering 48 (2022), 3280\u20133296.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950350"},{"key":"e_1_3_2_20_2","unstructured":"Checkmarx. 2023. Home Page. Retrieved September 10 2024 from https:\/\/www.checkmarx.com\/"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363225"},{"key":"e_1_3_2_22_2","article-title":"Identifying vulnerability patches by comprehending code commits with comprehensive change contexts","author":"Chen Tianyu","year":"2023","unstructured":"Tianyu Chen, Lin Li, Taotao Qian, Zeyu Wang, Guangtai Liang, Ding Li, Qianxiang Wang, and Tao Xie. 2023. Identifying vulnerability patches by comprehending code commits with comprehensive change contexts. arXiv preprint arXiv:2310.02530 (2023).","journal-title":"arXiv preprint arXiv:2310.02530"},{"key":"e_1_3_2_23_2","first-page":"774","volume-title":"Proceedings of the 2021 IEEE 20th International Conference on Trust, Security, and Privacy in Computing and Communications (TrustCom\u201921)","author":"Chen Xiarun","year":"2021","unstructured":"Xiarun Chen, Qien Li, Zhou Yang, Yongzhi Liu, Shaosen Shi, Chenglin Xie, and Weiping Wen. 2021. 
VulChecker: Achieving more effective taint analysis by identifying sanitizers automatically. In Proceedings of the 2021 IEEE 20th International Conference on Trust, Security, and Privacy in Computing and Communications (TrustCom\u201921). IEEE, 774\u2013782."},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3607199.3607242"},{"key":"e_1_3_2_25_2","doi-asserted-by":"crossref","first-page":"1580","DOI":"10.1109\/SP40000.2020.00002","volume-title":"Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP\u201920)","author":"Chen Yaohui","year":"2020","unstructured":"Yaohui Chen, Peng Li, Jun Xu, Shengjian Guo, Rundong Zhou, Yulong Zhang, Tao Wei, and Long Lu. 2020. SAVIOR: Towards bug-driven hybrid testing. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP\u201920). IEEE, 1580\u20131596."},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3436877"},{"key":"e_1_3_2_27_2","doi-asserted-by":"crossref","first-page":"31","DOI":"10.1145\/3180445.3180453","volume-title":"Proceedings of the 4th ACM International Workshop on Security and Privacy Analytics","author":"Chernis Boris","year":"2018","unstructured":"Boris Chernis and Rakesh Verma. 2018. Machine learning methods for software vulnerability detection. In Proceedings of the 4th ACM International Workshop on Security and Privacy Analytics. 31\u201339."},{"key":"e_1_3_2_28_2","article-title":"Learning phrase representations using RNN encoder-decoder for statistical machine translation","author":"Cho Kyunghyun","year":"2014","unstructured":"Kyunghyun Cho, Bart Van Merri\u00ebnboer, Caglar Gulcehre, Dzmitry Bahdanau, Fethi Bougares, Holger Schwenk, and Yoshua Bengio. 2014. Learning phrase representations using RNN encoder-decoder for statistical machine translation. 
arXiv preprint arXiv:1406.1078 (2014).","journal-title":"arXiv preprint arXiv:1406.1078"},{"key":"e_1_3_2_29_2","article-title":"Graph neural networks for vulnerability detection: A counterfactual explanation","author":"Chu Zhaoyang","year":"2024","unstructured":"Zhaoyang Chu, Yao Wan, Qian Li, Yang Wu, Hongyu Zhang, Yulei Sui, Guandong Xu, and Hai Jin. 2024. Graph neural networks for vulnerability detection: A counterfactual explanation. arXiv preprint arXiv:2404.15687 (2024).","journal-title":"arXiv preprint arXiv:2404.15687"},{"key":"e_1_3_2_30_2","article-title":"Empirical evaluation of gated recurrent neural networks on sequence modeling","author":"Chung Junyoung","year":"2014","unstructured":"Junyoung Chung, Caglar Gulcehre, KyungHyun Cho, and Yoshua Bengio. 2014. Empirical evaluation of gated recurrent neural networks on sequence modeling. arXiv preprint arXiv:1412.3555 (2014).","journal-title":"arXiv preprint arXiv:1412.3555"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3047756"},{"key":"e_1_3_2_32_2","unstructured":"Cyber Safety Review Board. 2021. Review of the December 2021 Log4j Event. Retrieved September 9 2024 from https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/CSRB-Report-on-Log4-July-11-2022_508.pdf"},{"key":"e_1_3_2_33_2","first-page":"17, 9 (2017), 5","volume-title":"Netinfo Security","author":"Da Xiaowen","year":"2017","unstructured":"Xiaowen Da, Limin Mao, and Mingjie Wu. 2017. Research on a vulnerability location technology based on patch matching and static taint analysis. Netinfo Security 17, 9 (2017), 5\u20139."},{"key":"e_1_3_2_34_2","first-page":"2702","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Dai Hanjun","year":"2016","unstructured":"Hanjun Dai, Bo Dai, and Le Song. 2016. Discriminative embeddings of latent variable models for structured data. In Proceedings of the International Conference on Machine Learning. 
2702\u20132711."},{"key":"e_1_3_2_35_2","article-title":"Automatic feature learning for vulnerability prediction","author":"Dam Hoa Khanh","year":"2017","unstructured":"Hoa Khanh Dam, Truyen Tran, Trang Pham, Shien Wee Ng, John Grundy, and Aditya Ghose. 2017. Automatic feature learning for vulnerability prediction. arXiv preprint arXiv:1708.02368 (2017).","journal-title":"arXiv preprint arXiv:1708.02368"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/2980983.2908126"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1145\/3296957.3177157"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/2666356.2594343"},{"key":"e_1_3_2_39_2","article-title":"BERT: Pre-training of deep bidirectional Transformers for language understanding","author":"Devlin Jacob","year":"2018","unstructured":"Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2018. BERT: Pre-training of deep bidirectional Transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018).","journal-title":"arXiv preprint arXiv:1810.04805"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939719"},{"key":"e_1_3_2_41_2","doi-asserted-by":"crossref","first-page":"472","DOI":"10.1109\/SP.2019.00003","volume-title":"Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP\u201919)","author":"Ding Steven H. H.","year":"2019","unstructured":"Steven H. H. Ding, Benjamin C. M. Fung, and Philippe Charland. 2019. Asm2Vec: Boosting static representation robustness for binary clone search against code obfuscation and compiler optimization. In Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP\u201919). IEEE, 472\u2013489."},{"key":"e_1_3_2_42_2","article-title":"VFCFinder: Seamlessly pairing security advisories and patches","author":"Dunlap Trevor","year":"2023","unstructured":"Trevor Dunlap, Elizabeth Lin, William Enck, and Bradley Reaves. 2023. 
VFCFinder: Seamlessly pairing security advisories and patches. arXiv preprint arXiv:2311.01532 (2023).","journal-title":"arXiv preprint arXiv:2311.01532"},{"key":"e_1_3_2_43_2","first-page":"303","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)","author":"Egele Manuel","year":"2014","unstructured":"Manuel Egele, Maverick Woo, Peter Chapman, and David Brumley. 2014. Blanket execution: Dynamic similarity testing for program binaries and components. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914). 303\u2013317."},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/1540438.1540462"},{"key":"e_1_3_2_46_2","first-page":"58","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201916)","volume":"52","author":"Eschweiler Sebastian","year":"2016","unstructured":"Sebastian Eschweiler, Khaled Yakdan, and Elmar Gerhards-Padilla. 2016. discovRE: Efficient cross-architecture identification of bugs in binary code. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201916), Vol. 52. 58\u201379."},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387501"},{"key":"e_1_3_2_48_2","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1109\/SERE.2014.21","volume-title":"Proceedings of the 2014 8th International Conference on Software Security and Reliability (SERE\u201914)","author":"Farhadi Mohammad Reza","year":"2014","unstructured":"Mohammad Reza Farhadi, Benjamin C. M. Fung, Philippe Charland, and Mourad Debbabi. 2014. BinClone: Detecting code clones in malware. In Proceedings of the 2014 8th International Conference on Software Security and Reliability (SERE\u201914). 
IEEE, 78\u201387."},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978370"},{"key":"e_1_3_2_50_2","article-title":"CodeBERT: A pre-trained model for programming and natural languages","author":"Feng Zhangyin","year":"2020","unstructured":"Zhangyin Feng, Daya Guo, Duyu Tang, Nan Duan, Xiaocheng Feng, Ming Gong, Linjun Shou, Bing Qin, Ting Liu, Daxin Jiang, and Ming Zhou. 2020. CodeBERT: A pre-trained model for programming and natural languages. arXiv preprint arXiv:2002.08155 (2020).","journal-title":"arXiv preprint arXiv:2002.08155"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/24039.24041"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3528452"},{"key":"e_1_3_2_53_2","first-page":"632","volume-title":"Proceedings of the 2023 30th Asia-Pacific Software Engineering Conference (APSEC\u201923)","author":"Fu Michael","year":"2023","unstructured":"Michael Fu, Chakkrit Kla Tantithamthavorn, Van Nguyen, and Trung Le. 2023. ChatGPT for vulnerability detection, classification, and repair: How far are we? In Proceedings of the 2023 30th Asia-Pacific Software Engineering Conference (APSEC\u201923). IEEE, 632\u2013636."},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1145\/3092566"},{"key":"e_1_3_2_55_2","unstructured":"Git. 2023. Home Page. Retrieved September 10 2024 from https:\/\/git-scm.com\/"},{"key":"e_1_3_2_56_2","unstructured":"GitHub. 2023. Google\/Honggfuzz. Retrieved September 10 2024 from https:\/\/github.com\/google\/honggfuzz"},{"key":"e_1_3_2_57_2","unstructured":"Google. 2024. Open Source Vulnerability. Retrieved September 10 2024 from https:\/\/osv.dev\/"},{"key":"e_1_3_2_58_2","unstructured":"Google Project Zero. 2019. 
Five Years of \u201cMake 0Day Hard.\u201d Retrieved September 9 2024 from https:\/\/i.blackhat.com\/USA-19\/Thursday\/us-19-Hawkes-Project-Zero-Five-Years-Of-Make-0day-Hard.pdf"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2005.1555942"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2005.06.042"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCS49078.2020.9118556"},{"key":"e_1_3_2_62_2","article-title":"GraphCodeBERT: Pre-training code representations with data flow","author":"Guo Daya","year":"2020","unstructured":"Daya Guo, Shuo Ren, Shuai Lu, Zhangyin Feng, Duyu Tang, Shujie Liu, Long Zhou, Nan Duan, Alexey Svyatkovskiy, Shengyu Fu, Michele Tufano, Shao Kun Deng, Colin Clement, Dawn Drain, Neel Sundaresan, Jian Yin, Daxin Jiang, and Ming Zhou. 2020. GraphCodeBERT: Pre-training code representations with data flow. arXiv preprint arXiv:2009.08366 (2020).","journal-title":"arXiv preprint arXiv:2009.08366"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2021.103009"},{"key":"e_1_3_2_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3527949"},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598145"},{"key":"e_1_3_2_66_2","first-page":"88","volume-title":"Proceedings of the 2017 IEEE\/ACM 25th International Conference on Program Comprehension (ICPC\u201917)","author":"Hu Yikun","year":"2017","unstructured":"Yikun Hu, Yuanyuan Zhang, Juanru Li, and Dawu Gu. 2017. Binary code clone detection across architectures and compiling configurations. In Proceedings of the 2017 IEEE\/ACM 25th International Conference on Program Comprehension (ICPC\u201917). 
IEEE, 88\u201398."},{"issue":"1","key":"e_1_3_2_67_2","doi-asserted-by":"crossref","first-page":"44","DOI":"10.1109\/TSE.2022.3140868","article-title":"The secret life of software vulnerabilities: A large-scale empirical study","volume":"49","author":"Iannone Emanuele","year":"2022","unstructured":"Emanuele Iannone, Roberta Guadagni, Filomena Ferrucci, Andrea De Lucia, and Fabio Palomba. 2022. The secret life of software vulnerabilities: A large-scale empirical study. IEEE Transactions on Software Engineering 49, 1 (2022), 44\u201363.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_2_68_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102308"},{"key":"e_1_3_2_69_2","first-page":"255","volume-title":"Proceedings of the 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201919)","author":"Jiang Jiajun","year":"2019","unstructured":"Jiajun Jiang, Luyao Ren, Yingfei Xiong, and Lingming Zhang. 2019. Inferring program transformations from singular examples via big code. In Proceedings of the 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201919). IEEE, 255\u2013266."},{"key":"e_1_3_2_70_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417240"},{"key":"e_1_3_2_71_2","unstructured":"Joern. 2023. Home Page. Retrieved September 10 2024 from http:\/\/mlsec.org\/joern\/"},{"key":"e_1_3_2_72_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-35413-2_16"},{"key":"e_1_3_2_73_2","doi-asserted-by":"crossref","first-page":"1695","DOI":"10.1145\/3548606.3560664","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","author":"Kang Wooseok","year":"2022","unstructured":"Wooseok Kang, Byoungho Son, and Kihong Heo. 2022. TRACER: Signature-based static analysis for detecting recurring vulnerabilities. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 
1695\u20131708."},{"key":"e_1_3_2_74_2","doi-asserted-by":"publisher","DOI":"10.1145\/3575879.3575964"},{"key":"e_1_3_2_75_2","unstructured":"Staffs Keele and others. 2007. Guidelines for performing systematic literature reviews in software engineering. Technical report ver. 2.3 ebse technical report. ebse."},{"key":"e_1_3_2_76_2","first-page":"69","volume-title":"Proceedings of the 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW\u201922)","author":"Kim Soolin","year":"2022","unstructured":"Soolin Kim, Jusop Choi, Muhammad Ejaz Ahmed, Surya Nepal, and Hyoungshick Kim. 2022. VulDeBERT: A vulnerability detection system using BERT. In Proceedings of the 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW\u201922). IEEE, 69\u201374."},{"key":"e_1_3_2_77_2","first-page":"595","volume-title":"Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP\u201917)","author":"Kim Seulbae","year":"2017","unstructured":"Seulbae Kim, Seunghoon Woo, Heejo Lee, and Hakjoo Oh. 2017. VUDDY: A scalable approach for vulnerable code clone discovery. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP\u201917). IEEE, 595\u2013614."},{"key":"e_1_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2006.06.015"},{"key":"e_1_3_2_79_2","first-page":"1","volume-title":"Proceedings of the 2021 IEEE International Performance, Computing, and Communications Conference (IPCCC\u201921)","author":"Lang Zhe","year":"2021","unstructured":"Zhe Lang, Shouguo Yang, Yiran Cheng, Xiaoling Zhang, Zhiqiang Shi, and Limin Sun. 2021. PMatch: Semantic-based patch detection for binary programs. In Proceedings of the 2021 IEEE International Performance, Computing, and Communications Conference (IPCCC\u201921). 
IEEE, 1\u201310."},{"key":"e_1_3_2_80_2","first-page":"1188","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Le Quoc","year":"2014","unstructured":"Quoc Le and Tomas Mikolov. 2014. Distributed representations of sentences and documents. In Proceedings of the International Conference on Machine Learning. 1188\u20131196."},{"key":"e_1_3_2_81_2","first-page":"717","volume-title":"Proceedings of the 2021 36th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201921)","author":"Le Triet Huynh Minh","year":"2021","unstructured":"Triet Huynh Minh Le, David Hin, Roland Croft, and M. Ali Babar. 2021. DeepCVA: Automated commit-level vulnerability assessment with deep multi-task learning. In Proceedings of the 2021 36th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201921). IEEE, 717\u2013729."},{"key":"e_1_3_2_82_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-46805-6_19"},{"key":"e_1_3_2_83_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201917)","author":"Lee Seungsoo","year":"2017","unstructured":"Seungsoo Lee, Changhoon Yoon, Chanhee Lee, Seungwon Shin, Vinod Yegneswaran, and Phillip A. Porras. 2017. DELTA: A security assessment framework for software-defined networks. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201917)."},{"key":"e_1_3_2_84_2","first-page":"109","volume-title":"Proceedings of the International Conference on Applications and Techniques in Information Security","author":"Li Hongzhe","year":"2014","unstructured":"Hongzhe Li, Hyuckmin Kwon, Jonghoon Kwon, and Heejo Lee. 2014. A scalable approach for vulnerability discovery based on security patches. In Proceedings of the International Conference on Applications and Techniques in Information Security. 
109\u2013122."},{"key":"e_1_3_2_85_2","first-page":"24","volume-title":"Proceedings of the 2021 International Symposium on Computer Technology and Information Science (ISCTIS\u201921)","author":"Li Hongrui","year":"2021","unstructured":"Hongrui Li, Lili Zhou, Mingming Xing, and Hafsah Binti Taha. 2021. Vulnerability detection algorithm of lightweight Linux Internet of Things application with symbolic execution method. In Proceedings of the 2021 International Symposium on Computer Technology and Information Science (ISCTIS\u201921). 24\u201327."},{"key":"e_1_3_2_86_2","first-page":"249","volume-title":"Proceedings of the 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME\u201917)","author":"Li Liuqing","year":"2017","unstructured":"Liuqing Li, He Feng, Wenjie Zhuang, Na Meng, and Barbara Ryder. 2017. CCLearner: A deep learning-based clone detection approach. In Proceedings of the 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME\u201917). IEEE, 249\u2013260."},{"key":"e_1_3_2_87_2","article-title":"Gated graph sequence neural networks","author":"Li Yujia","year":"2015","unstructured":"Yujia Li, Daniel Tarlow, Marc Brockschmidt, and Richard Zemel. 2015. Gated graph sequence neural networks. arXiv preprint arXiv:1511.05493 (2015).","journal-title":"arXiv preprint arXiv:1511.05493"},{"key":"e_1_3_2_88_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468597"},{"key":"e_1_3_2_89_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3076142"},{"key":"e_1_3_2_90_2","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991102"},{"key":"e_1_3_2_91_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3051525"},{"key":"e_1_3_2_92_2","article-title":"VulDeePecker: A deep learning-based system for vulnerability detection","author":"Li Zhen","year":"2018","unstructured":"Zhen Li, Deqing Zou, Shouhuai Xu, Xinyu Ou, Hai Jin, Sujuan Wang, Zhijun Deng, and Yuyi Zhong. 2018. 
VulDeePecker: A deep learning-based system for vulnerability detection. arXiv preprint arXiv:1801.01681 (2018).","journal-title":"arXiv preprint arXiv:1801.01681"},{"key":"e_1_3_2_93_2","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2020.2993293"},{"key":"e_1_3_2_94_2","first-page":"2539","volume-title":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","author":"Lin Guanjun","year":"2017","unstructured":"Guanjun Lin, Jun Zhang, Wei Luo, Lei Pan, and Yang Xiang. 2017. POSTER: Vulnerability discovery with function representation learning from unlabeled projects. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2539\u20132541."},{"key":"e_1_3_2_95_2","article-title":"RoBERTa: A robustly optimized BERT pretraining approach","author":"Liu Yinhan","year":"2019","unstructured":"Yinhan Liu, Myle Ott, Naman Goyal, Jingfei Du, Mandar Joshi, Danqi Chen, Omer Levy, Mike Lewis, Luke Zettlemoyer, and Veselin Stoyanov. 2019. RoBERTa: A robustly optimized BERT pretraining approach. arXiv preprint arXiv:1907.11692 (2019).","journal-title":"arXiv preprint arXiv:1907.11692"},{"key":"e_1_3_2_96_2","unstructured":"LLVM Compiler Infrastructure. 2023. LibFuzzer. Retrieved September 10 2024 from https:\/\/llvm.org\/docs\/LibFuzzer.html"},{"key":"e_1_3_2_97_2","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106253"},{"key":"e_1_3_2_98_2","doi-asserted-by":"crossref","first-page":"1562","DOI":"10.1109\/SP40000.2020.00038","volume-title":"Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP\u201920)","author":"Machiry Aravind","year":"2020","unstructured":"Aravind Machiry, Nilo Redini, Eric Camellini, Christopher Kruegel, and Giovanni Vigna. 2020. SPIDER: Enabling fast patch propagation in related software repositories. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP\u201920). 
IEEE, 1562\u20131579."},{"key":"e_1_3_2_99_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2946563"},{"key":"e_1_3_2_100_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380407"},{"key":"e_1_3_2_101_2","unstructured":"Michal Zalewski. 2023. American Fuzzy Lop. Retrieved September 10 2024 from https:\/\/lcamtuf.coredump.cx\/afl\/"},{"key":"e_1_3_2_102_2","unstructured":"Microsoft. 2023. Microsoft Security Blog. Retrieved September 10 2024 from https:\/\/www.microsoft.com\/security\/blog\/"},{"key":"e_1_3_2_103_2","article-title":"Efficient estimation of word representations in vector space","author":"Mikolov Tomas","year":"2013","unstructured":"Tomas Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013).","journal-title":"arXiv preprint arXiv:1301.3781"},{"key":"e_1_3_2_104_2","article-title":"Distributed representations of words and phrases and their compositionality","volume":"26","author":"Mikolov Tomas","year":"2013","unstructured":"Tomas Mikolov, Ilya Sutskever, Kai Chen, Greg S. Corrado, and Jeff Dean. 2013. Distributed representations of words and phrases and their compositionality. Advances in Neural Information Processing Systems 26 (2013), 1\u20139.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_105_2","volume-title":"Proceedings of the 31st USENIX Security Symposium","author":"Mirsky Yisroel","year":"2023","unstructured":"Yisroel Mirsky, George Macon, Michael Brown, Carter Yagemann, Matthew Pruett, Evan Downing, Sukarno Mertoguno, and Wenke Lee. 2023. VulChecker: Graph-based vulnerability localization in source code. In Proceedings of the 31st USENIX Security Symposium."},{"key":"e_1_3_2_106_2","unstructured":"Mozilla Security. 2023. Peach fuzzing platform. 
Retrieved September 12 2024 from https:\/\/community.peachfuzzer.com\/WhatIsPeach.html"},{"key":"e_1_3_2_107_2","unstructured":"National Institute of Standards and Technology. 2023. National Vulnerability Database. Retrieved September 10 2024 from https:\/\/nvd.nist.gov\/vuln"},{"key":"e_1_3_2_108_2","unstructured":"National Institute of Standards and Technology. 2023. NIST Software Assurance Reference Dataset. Retrieved September 10 2024 from https:\/\/samate.nist.gov\/SARD"},{"key":"e_1_3_2_109_2","unstructured":"National Institute of Standards and Technology. 2023. Common Platform Enumeration. Retrieved September 10 2024 from https:\/\/nvd.nist.gov\/products\/cpe"},{"key":"e_1_3_2_110_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.measurement.2019.107139"},{"key":"e_1_3_2_111_2","article-title":"Chain-of-thought prompting of large language models for discovering and fixing software vulnerabilities","author":"Nong Yu","year":"2024","unstructured":"Yu Nong, Mohammed Aldeen, Long Cheng, Hongxin Hu, Feng Chen, and Haipeng Cai. 2024. Chain-of-thought prompting of large language models for discovering and fixing software vulnerabilities. arXiv preprint arXiv:2402.17230 (2024).","journal-title":"arXiv preprint arXiv:2402.17230"},{"key":"e_1_3_2_112_2","doi-asserted-by":"publisher","DOI":"10.1145\/3540250.3549156"},{"key":"e_1_3_2_113_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.49"},{"key":"e_1_3_2_114_2","doi-asserted-by":"crossref","first-page":"383","DOI":"10.1109\/MSR.2019.00064","volume-title":"Proceedings of the 2019 IEEE\/ACM 16th International Conference on Mining Software Repositories (MSR\u201919)","author":"Ponta Serena Elisa","year":"2019","unstructured":"Serena Elisa Ponta, Henrik Plate, Antonino Sabetta, Michele Bezzi, and C\u00e9dric Dangremont. 2019. A manually-curated dataset of fixes to vulnerabilities of open-source software. 
In Proceedings of the 2019 IEEE\/ACM 16th International Conference on Mining Software Repositories (MSR\u201919). IEEE, 383\u2013387."},{"key":"e_1_3_2_115_2","first-page":"112","volume-title":"Proceedings of the 2023 IEEE 34th International Symposium on Software Reliability Engineering Workshops (ISSREW\u201923)","author":"Purba Moumita Das","year":"2023","unstructured":"Moumita Das Purba, Arpita Ghosh, Benjamin J. Radford, and Bill Chu. 2023. Software vulnerability detection using large language models. In Proceedings of the 2023 IEEE 34th International Symposium on Software Reliability Engineering Workshops (ISSREW\u201923). IEEE, 112\u2013119."},{"key":"e_1_3_2_116_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2017.2676161"},{"key":"e_1_3_2_117_2","unstructured":"Alec Radford, Karthik Narasimhan, Tim Salimans, and Ilya Sutskever. 2018. Improving language understanding by generative pre-training. Preprint."},{"key":"e_1_3_2_118_2","first-page":"49","volume-title":"Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915)","author":"Ramos David A.","unstructured":"David A. Ramos and Dawson Engler. 2015. Under-constrained symbolic execution: Correctness checking for real code. In Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915). 49\u201364."},{"key":"e_1_3_2_119_2","article-title":"A ground-truth dataset of real security patches","author":"Reis Sofia","year":"2021","unstructured":"Sofia Reis and Rui Abreu. 2021. A ground-truth dataset of real security patches. 
arXiv preprint arXiv:2110.09635 (2021).","journal-title":"arXiv preprint arXiv:2110.09635"},{"key":"e_1_3_2_120_2","doi-asserted-by":"publisher","DOI":"10.1145\/199448.199462"},{"key":"e_1_3_2_121_2","first-page":"404","volume-title":"Proceedings of the 2017 IEEE\/ACM 39th International Conference on Software Engineering (ICSE\u201917)","author":"Rolim Reudismam","year":"2017","unstructured":"Reudismam Rolim, Gustavo Soares, Loris D\u2019Antoni, Oleksandr Polozov, Sumit Gulwani, Rohit Gheyi, Ryo Suzuki, and Bj\u00f6rn Hartmann. 2017. Learning syntactic program transformations from examples. In Proceedings of the 2017 IEEE\/ACM 39th International Conference on Software Engineering (ICSE\u201917). IEEE, 404\u2013415."},{"issue":"115","key":"e_1_3_2_122_2","first-page":"64","article-title":"A survey on software clone detection research","volume":"541","author":"Roy Chanchal Kumar","year":"2007","unstructured":"Chanchal Kumar Roy and James R. Cordy. 2007. A survey on software clone detection research. Queen\u2019s School of Computing TR 541, 115 (2007), 64\u201368.","journal-title":"Queen\u2019s School of Computing TR"},{"key":"e_1_3_2_123_2","first-page":"757","volume-title":"Proceedings of the 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA\u201918)","author":"Russell Rebecca","year":"2018","unstructured":"Rebecca Russell, Louis Kim, Lei Hamilton, Tomo Lazovich, Jacob Harer, Onur Ozdemir, Paul Ellingwood, and Marc McConley. 2018. Automated vulnerability detection in source code using deep representation learning. In Proceedings of the 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA\u201918). IEEE, 757\u2013762."},{"key":"e_1_3_2_124_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2021.3114202"},{"key":"e_1_3_2_125_2","volume-title":"Detecting Fine-Grained Similarity in Binaries","author":"Saebjornsen Andreas","year":"2014","unstructured":"Andreas Saebjornsen. 2014. 
Detecting Fine-Grained Similarity in Binaries. University of California, Davis."},{"key":"e_1_3_2_126_2","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236026"},{"key":"e_1_3_2_127_2","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884877"},{"issue":"6","key":"e_1_3_2_128_2","doi-asserted-by":"crossref","first-page":"151","DOI":"10.1007\/s10664-022-10168-9","article-title":"SSPCatcher: Learning to catch security patches","volume":"27","author":"Sawadogo Arthur D.","year":"2022","unstructured":"Arthur D. Sawadogo, Tegawend\u00e9 F. Bissyand\u00e9, Naouel Moha, Kevin Allix, Jacques Klein, Li Li, and Yves Le Traon. 2022. SSPCatcher: Learning to catch security patches. Empirical Software Engineering 27, 6 (2022), 151.","journal-title":"Empirical Software Engineering"},{"key":"e_1_3_2_129_2","doi-asserted-by":"publisher","DOI":"10.1162\/neco.1997.9.8.1735"},{"key":"e_1_3_2_130_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"key":"e_1_3_2_131_2","doi-asserted-by":"publisher","DOI":"10.1049\/iet-sen.2020.0084"},{"key":"e_1_3_2_132_2","first-page":"235","volume-title":"Proceedings of the 2020 USENIX Annual Technical Conference (USENIX ATC\u201920)","author":"Serrano Lucas","unstructured":"Lucas Serrano, Van-Anh Nguyen, Ferdian Thung, Lingxiao Jiang, David Lo, Julia Lawall, and Gilles Muller. 2020. SPINFER. In Proceedings of the 2020 USENIX Annual Technical Conference (USENIX ATC\u201920). 
235\u2013248."},{"key":"e_1_3_2_133_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2012.6227141"},{"key":"e_1_3_2_134_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460319.3464821"},{"key":"e_1_3_2_135_2","doi-asserted-by":"publisher","DOI":"10.1155\/2020\/8858010"},{"key":"e_1_3_2_136_2","doi-asserted-by":"publisher","DOI":"10.5120\/ijca2016908896"},{"key":"e_1_3_2_137_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"e_1_3_2_138_2","doi-asserted-by":"crossref","first-page":"174","DOI":"10.1109\/AIIoT54504.2022.9817336","volume-title":"Proceedings of the 2022 IEEE World AI IoT Congress (AIIoT\u201922)","author":"Singh Kanchan","year":"2022","unstructured":"Kanchan Singh, Sakshi S. Grover, and Ranjini Kishen Kumar. 2022. Cyber security vulnerability detection using natural language processing. In Proceedings of the 2022 IEEE World AI IoT Congress (AIIoT\u201922). IEEE, 174\u2013178."},{"key":"e_1_3_2_139_2","article-title":"A comprehensive study of the capabilities of large language models for vulnerability detection","author":"Steenhoek Benjamin","year":"2024","unstructured":"Benjamin Steenhoek, Md. Mahbubur Rahman, Monoshi Kumar Roy, Mirza Sanjida Alam, Earl T. Barr, and Wei Le. 2024. A comprehensive study of the capabilities of large language models for vulnerability detection. arXiv preprint arXiv:2403.17218 (2024).","journal-title":"arXiv preprint arXiv:2403.17218"},{"key":"e_1_3_2_140_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23368"},{"key":"e_1_3_2_141_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2014.77"},{"key":"e_1_3_2_142_2","article-title":"A survey on the evaluation of clone detection performance and benchmarking","author":"Svajlenko Jeffrey","year":"2020","unstructured":"Jeffrey Svajlenko and Chanchal K. Roy. 2020. A survey on the evaluation of clone detection performance and benchmarking. 
arXiv preprint arXiv:2006.15682 (2020).","journal-title":"arXiv preprint arXiv:2006.15682"},{"key":"e_1_3_2_143_2","doi-asserted-by":"publisher","DOI":"10.1145\/3485447.3512236"},{"key":"e_1_3_2_144_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484593"},{"key":"e_1_3_2_145_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2023.111623"},{"key":"e_1_3_2_146_2","article-title":"Just-in-time security patch detection\u2014LLM at the rescue for data augmentation","author":"Tang Xunzhu","year":"2023","unstructured":"Xunzhu Tang, Zhenghan Chen, Kisub Kim, Haoye Tian, Saad Ezzini, and Jacques Klein. 2023. Just-in-time security patch detection\u2014LLM at the rescue for data augmentation. arXiv preprint arXiv:2312.01241 (2023).","journal-title":"arXiv preprint arXiv:2312.01241"},{"key":"e_1_3_2_147_2","article-title":"Multilevel semantic embedding of software patches: A fine-to-coarse grained approach towards security patch detection","author":"Tang Xunzhu","year":"2023","unstructured":"Xunzhu Tang, Zhenghan Chen, Saad Ezzini, Haoye Tian, Yewei Song, Jacques Klein, and Tegawende F. Bissyande. 2023. Multilevel semantic embedding of software patches: A fine-to-coarse grained approach towards security patch detection. arXiv preprint arXiv:2308.15233 (2023).","journal-title":"arXiv preprint arXiv:2308.15233"},{"key":"e_1_3_2_148_2","unstructured":"The MITRE Corporation. 2021. Common Vulnerability and Exposures. Retrieved September 10 2024 from https:\/\/www.cve.org"},{"key":"e_1_3_2_149_2","unstructured":"The MITRE Corporation. 2021. CVE Details. Retrieved September 10 2024 from https:\/\/www.cvedetails.com\/"},{"key":"e_1_3_2_150_2","unstructured":"The MITRE Corporation. 2024. Common Weakness Enumeration. Retrieved September 10 2024 from https:\/\/cwe.mitre.org\/"},{"key":"e_1_3_2_151_2","doi-asserted-by":"publisher","DOI":"10.5555\/869354"},{"key":"e_1_3_2_152_2","unstructured":"Ubuntu. 2023. Ubuntu CVE Reports. 
Retrieved September 10 2024 from https:\/\/ubuntu.com\/security\/cves"},{"key":"e_1_3_2_153_2","article-title":"Attention is all you need","volume":"30","author":"Vaswani Ashish","year":"2017","unstructured":"Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N. Gomez, \u0141ukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. Advances in Neural Information Processing Systems 30 (2017), 1\u201311.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_154_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45744-4_29"},{"key":"e_1_3_2_155_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3044773"},{"key":"e_1_3_2_156_2","first-page":"76","volume-title":"Proceedings of the 2021 4th International Conference on Artificial Intelligence and Big Data (ICAIBD\u201921)","author":"Wang Jingjing","year":"2021","unstructured":"Jingjing Wang, Minhuan Huang, Yuanping Nie, and Jin Li. 2021. Static analysis of source code vulnerability using machine learning techniques: A survey. In Proceedings of the 2021 4th International Conference on Artificial Intelligence and Big Data (ICAIBD\u201921). IEEE, 76\u201386."},{"key":"e_1_3_2_157_2","doi-asserted-by":"crossref","first-page":"1066","DOI":"10.1145\/3180155.3180179","volume-title":"Proceedings of the 40th International Conference on Software Engineering","author":"Wang Pengcheng","year":"2018","unstructured":"Pengcheng Wang, Jeffrey Svajlenko, Yanzhao Wu, Yun Xu, and Chanchal K. Roy. 2018. CCAligner: A token based large-gap clone detector. In Proceedings of the 40th International Conference on Software Engineering. 1066\u20131077."},{"key":"e_1_3_2_158_2","first-page":"604","volume-title":"Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP\u201922)","author":"Wang Shu","year":"2022","unstructured":"Shu Wang, Xinda Wang, Kun Sun, Sushil Jajodia, Haining Wang, and Qi Li. 2022. 
GraphSPD: Graph-based security patch detection with enriched code semantics. In Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP\u201922). IEEE, 604\u2013621."},{"key":"e_1_3_2_159_2","first-page":"485","volume-title":"Proceedings of the 2019 49th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN\u201919)","author":"Wang Xinda","year":"2019","unstructured":"Xinda Wang, Kun Sun, Archer Batcheller, and Sushil Jajodia. 2019. Detecting \u201c0-day\u201d vulnerability: An empirical study of secret security patch in OSS. In Proceedings of the 2019 49th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN\u201919). IEEE, 485\u2013492."},{"key":"e_1_3_2_160_2","doi-asserted-by":"crossref","first-page":"149","DOI":"10.1109\/DSN48987.2021.00030","volume-title":"Proceedings of the 2021 51st Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN\u201921)","author":"Wang Xinda","year":"2021","unstructured":"Xinda Wang, Shu Wang, Pengbin Feng, Kun Sun, and Sushil Jajodia. 2021. PatchDB: A large-scale security patch dataset. In Proceedings of the 2021 51st Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN\u201921). IEEE, 149\u2013160."},{"key":"e_1_3_2_161_2","doi-asserted-by":"publisher","DOI":"10.1109\/MILCOM52596.2021.9652940"},{"key":"e_1_3_2_162_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2021.106809"},{"key":"e_1_3_2_163_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2017\/423"},{"key":"e_1_3_2_164_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1984.5010248"},{"key":"e_1_3_2_165_2","first-page":"2275","volume-title":"Proceedings of the 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE\u201923)","author":"Wen Xin-Cheng","year":"2023","unstructured":"Xin-Cheng Wen, Yupan Chen, Cuiyun Gao, Hongyu Zhang, Jie M. Zhang, and Qing Liao. 2023. 
Vulnerability detection with graph simplification and enhanced graph representation learning. In Proceedings of the 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE\u201923). IEEE, 2275\u20132286."},{"key":"e_1_3_2_166_2","first-page":"3037","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922)","author":"Woo Seunghoon","unstructured":"Seunghoon Woo, Hyunji Hong, Eunjin Choi, and Heejo Lee. 2022. MOVERY: A precise approach for modified vulnerable code clone discovery from modified open-source software components. In Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922). 3037\u20133053."},{"key":"e_1_3_2_167_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3192631"},{"key":"e_1_3_2_168_2","first-page":"2365","volume-title":"Proceedings of the 2022 IEEE\/ACM 44th International Conference on Software Engineering (ICSE\u201922)","author":"Wu Yueming","year":"2022","unstructured":"Yueming Wu, Deqing Zou, Shihan Dou, Wei Yang, Duo Xu, and Hai Jin. 2022. VulCNN: An image-inspired scalable vulnerability detection system. In Proceedings of the 2022 IEEE\/ACM 44th International Conference on Software Engineering (ICSE\u201922). IEEE, 2365\u20132376."},{"key":"e_1_3_2_169_2","first-page":"1165","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920)","author":"Xiao Yang","unstructured":"Yang Xiao, Bihuan Chen, Chendong Yu, Zhengzi Xu, Zimu Yuan, Feng Li, Binghong Liu, Yang Liu, Wei Huo, Wei Zou, and Wenchang Shi. 2020. MVP: Detecting vulnerabilities using patch-enhanced vulnerability signatures. In Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920). 1165\u20131182."},{"key":"e_1_3_2_170_2","article-title":"TRACER: Finding patches for open source software vulnerabilities","author":"Xu Congying","year":"2021","unstructured":"Congying Xu, Bihuan Chen, Chenhao Lu, Kaifeng Huang, Xin Peng, and Yang Liu. 2021. 
TRACER: Finding patches for open source software vulnerabilities. arXiv preprint arXiv:2112.02240 (2021).","journal-title":"arXiv preprint arXiv:2112.02240"},{"key":"e_1_3_2_171_2","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397361"},{"key":"e_1_3_2_172_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.49"},{"key":"e_1_3_2_173_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"e_1_3_2_174_2","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516665"},{"key":"e_1_3_2_175_2","doi-asserted-by":"publisher","DOI":"10.1145\/3604608"},{"key":"e_1_3_2_176_2","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1109\/DSA.2019.00012","volume-title":"Proceedings of the 2019 6th International Conference on Dependable Systems and Their Applications (DSA\u201920)","author":"Yuan Yuan","year":"2020","unstructured":"Yuan Yuan, Weiqiang Kong, Gang Hou, Yan Hu, Masahiko Watanabe, and Akira Fukuda. 2020. From local to global semantic clone detection. In Proceedings of the 2019 6th International Conference on Dependable Systems and Their Applications (DSA\u201920). IEEE, 13\u201324."},{"key":"e_1_3_2_177_2","first-page":"745","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918)","author":"Yun Insu","unstructured":"Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A practical concolic execution engine tailored for hybrid fuzzing. In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918). 745\u2013761."},{"key":"e_1_3_2_178_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3034766"},{"key":"e_1_3_2_179_2","article-title":"Prompt-enhanced software vulnerability detection using ChatGPT","author":"Zhang Chenyuan","year":"2023","unstructured":"Chenyuan Zhang, Hao Liu, Jiutian Zeng, Kejing Yang, Yuhong Li, and Hui Li. 2023. Prompt-enhanced software vulnerability detection using ChatGPT. 
arXiv preprint arXiv:2308.12697 (2023).","journal-title":"arXiv preprint arXiv:2308.12697"},{"key":"e_1_3_2_180_2","first-page":"887","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918)","author":"Zhang Hang","year":"2018","unstructured":"Hang Zhang and Zhiyun Qian. 2018. Precise and accurate patch presence test for binaries. In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918). 887\u2013902."},{"key":"e_1_3_2_181_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2021.3065872"},{"key":"e_1_3_2_182_2","doi-asserted-by":"crossref","first-page":"783","DOI":"10.1109\/ICSE.2019.00086","volume-title":"Proceedings of the 2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE\u201919)","author":"Zhang Jian","year":"2019","unstructured":"Jian Zhang, Xu Wang, Hongyu Zhang, Hailong Sun, Kaixuan Wang, and Xudong Liu. 2019. A novel neural source code representation based on abstract syntax tree. In Proceedings of the 2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE\u201919). IEEE, 783\u2013794."},{"key":"e_1_3_2_183_2","unstructured":"Yingzhou Zhang. 2023. LLVM-Slicing. Retrieved September 10 2024 from https:\/\/github.com\/zhangyz\/llvm-slicing"},{"key":"e_1_3_2_184_2","article-title":"ASTRO: An AST-assisted approach for generalizable neural clone detection","author":"Zhang Yifan","year":"2022","unstructured":"Yifan Zhang, Junwen Yang, Haoyu Dong, Qingchen Wang, Huajie Shao, Kevin Leach, and Yu Huang. 2022. ASTRO: An AST-assisted approach for generalizable neural clone detection. arXiv preprint arXiv:2208.08067 (2022).","journal-title":"arXiv preprint arXiv:2208.08067"},{"key":"e_1_3_2_185_2","first-page":"3649","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security\u201921)","author":"Zhang Zheng","year":"2021","unstructured":"Zheng Zhang, Hang Zhang, Zhiyun Qian, and Billy Lau. 2021. 
An investigation of the Android kernel patch ecosystem. In Proceedings of the 30th USENIX Security Symposium (USENIX Security\u201921). 3649\u20133666."},{"key":"e_1_3_2_186_2","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236068"},{"key":"e_1_3_2_187_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201919)","author":"Zhao Lei","year":"2019","unstructured":"Lei Zhao, Yue Duan, Heng Yin, and Jifeng Xuan. 2019. Send hardest problems my way: Probabilistic path prioritization for hybrid fuzzing. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201919)."},{"key":"e_1_3_2_188_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2022.110139"},{"key":"e_1_3_2_189_2","first-page":"457","volume-title":"Proceedings of the 2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE\u201921)","author":"Zheng Weining","year":"2021","unstructured":"Weining Zheng, Yuan Jiang, and Xiaohong Su. 2021. VulSPG: Vulnerability detection based on slice property graph representation learning. In Proceedings of the 2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE\u201921). IEEE, 457\u2013467."},{"key":"e_1_3_2_190_2","first-page":"705","volume-title":"Proceedings of the 2021 36th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201921)","author":"Zhou Jiayuan","year":"2021","unstructured":"Jiayuan Zhou, Michael Pacheco, Zhiyuan Wan, Xin Xia, David Lo, Yuan Wang, and Ahmed E. Hassan. 2021. Finding a needle in a haystack: Automated mining of silent vulnerability fixes. In Proceedings of the 2021 36th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201921). 
IEEE, 705\u2013716."},{"key":"e_1_3_2_191_2","article-title":"Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks","volume":"32","author":"Zhou Yaqin","year":"2019","unstructured":"Yaqin Zhou, Shangqing Liu, Jingkai Siow, Xiaoning Du, and Yang Liu. 2019. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. Advances in Neural Information Processing Systems 32 (2019), 1\u201311.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_192_2","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3117771"},{"issue":"1","key":"e_1_3_2_193_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3468854","article-title":"SPI: Automated identification of security patches via commits","volume":"31","author":"Zhou Yaqin","year":"2021","unstructured":"Yaqin Zhou, Jing Kai Siow, Chenyu Wang, Shangqing Liu, and Yang Liu. 2021. SPI: Automated identification of security patches via commits. ACM Transactions on Software Engineering and Methodology 31, 1 (2021), 1\u201327.","journal-title":"ACM Transactions on Software Engineering and Methodology"},{"key":"e_1_3_2_194_2","first-page":"1","volume-title":"Proceedings of the 2021 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS\u201921)","author":"Ziems Noah","year":"2021","unstructured":"Noah Ziems and Shaoen Wu. 2021. Security vulnerability detection using deep learning natural language processing. In Proceedings of the 2021 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS\u201921). IEEE, 1\u20136."},{"key":"e_1_3_2_195_2","first-page":"325","volume-title":"Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","author":"Zou Deqing","year":"2017","unstructured":"Deqing Zou, Hanchao Qi, Zhen Li, Song Wu, Hai Jin, Guozhong Sun, Sujuan Wang, and Yuyi Zhong. 2017. 
SCVD: A new semantics-based approach for cloned vulnerable code detection. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 325\u2013344."},{"issue":"5","key":"e_1_3_2_196_2","first-page":"2224","article-title":"\\(\\mu\\) VulDeePecker: A deep learning-based system for multiclass vulnerability detection","volume":"18","author":"Zou Deqing","year":"2019","unstructured":"Deqing Zou, Sujuan Wang, Shouhuai Xu, Zhen Li, and Hai Jin. 2019. \\(\\mu\\) VulDeePecker: A deep learning-based system for multiclass vulnerability detection. IEEE Transactions on Dependable and Secure Computing 18, 5 (2019), 2224\u20132236.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_197_2","doi-asserted-by":"crossref","first-page":"931","DOI":"10.1145\/3324884.3416541","volume-title":"Proceedings of the 2020 35th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201920)","author":"Zou Yue","year":"2020","unstructured":"Yue Zou, Bihuan Ban, Yinxing Xue, and Yun Xu. 2020. CCGraph: A PDG-based code clone detector with approximate graph matching. In Proceedings of the 2020 35th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201920). IEEE, 931\u2013942."},{"key":"e_1_3_2_198_2","first-page":"1513","article-title":"Vulnerability discovery based on source code patch commit mining: A systematic literature review","author":"Zuo Fei","year":"2024","unstructured":"Fei Zuo and Junghwan Rhee. 2024. Vulnerability discovery based on source code patch commit mining: A systematic literature review. 
International Journal of Information Security 12 (2024), 1513\u20131526.","journal-title":"International Journal of Information Security"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3694782","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3694782","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:05:48Z","timestamp":1750291548000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3694782"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,7]]},"references-count":197,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,31]]}},"alternative-id":["10.1145\/3694782"],"URL":"https:\/\/doi.org\/10.1145\/3694782","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,10,7]]},"assertion":[{"value":"2023-06-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-08-22","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-10-07","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}