{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,17]],"date-time":"2026-07-17T15:45:06Z","timestamp":1784303106330,"version":"3.55.0"},"reference-count":288,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2025,4,28]],"date-time":"2025-04-28T00:00:00Z","timestamp":1745798400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Australian Research Council\u2019s Discovery Early Career Researcher Award (DECRA) funding scheme","award":["DE200100941"],"award-info":[{"award-number":["DE200100941"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2025,5,31]]},"abstract":"<jats:p>DevOps has emerged as one of the most rapidly evolving software development paradigms. With the growing concerns surrounding security in software systems, the DevSecOps paradigm has gained prominence, urging practitioners to incorporate security practices seamlessly into the DevOps workflow. However, integrating security into the DevOps workflow can impact agility and impede delivery speed. Recently, the advancement of artificial intelligence (AI) has revolutionized automation in various software domains, including software security. AI-driven security approaches, particularly those leveraging machine learning or deep learning, hold promise in automating security workflows. They have the potential to reduce manual efforts and can be incorporated into DevOps practices to support consistent delivery speed while aligning with the principles of the DevSecOps paradigm. This article seeks to contribute to the critical intersection of AI and DevSecOps by presenting a comprehensive landscape of AI-driven security techniques applicable to DevOps and identifying avenues for enhancing security, trust, and efficiency in software development processes. We analyzed 99 research papers spanning from 2017 to 2023. Specifically, we address two key research questions (RQs). In RQ1, we identified 12 security tasks associated with the DevSecOps process and reviewed existing AI-driven security approaches, the problems they addressed, and the 65 benchmarks used to evaluate those approaches. Drawing insights from our findings, in RQ2, we discussed state-of-the-art AI-driven security approaches, highlighted 15 challenges in existing research, and proposed 15 corresponding avenues for future opportunities.<\/jats:p>","DOI":"10.1145\/3712190","type":"journal-article","created":{"date-parts":[[2025,1,16]],"date-time":"2025-01-16T14:48:33Z","timestamp":1737038913000},"page":"1-61","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":44,"title":["AI for DevSecOps: A Landscape and Future Opportunities"],"prefix":"10.1145","volume":"34","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7211-3491","authenticated-orcid":false,"given":"Michael","family":"Fu","sequence":"first","affiliation":[{"name":"The University of Melbourne, Melbourne, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4059-757X","authenticated-orcid":false,"given":"Jirat","family":"Pasuksmit","sequence":"additional","affiliation":[{"name":"Atlassian Pty Ltd, Sydney, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5516-9984","authenticated-orcid":false,"given":"Chakkrit","family":"Tantithamthavorn","sequence":"additional","affiliation":[{"name":"Department of Information Technology, Monash University, Clayton, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,4,28]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.5555\/196108.196115"},{"key":"e_1_3_1_3_2","unstructured":"Josh Achiam Steven Adler Sandhini Agarwal Lama Ahmad Ilge Akkaya Florencia Leoni Aleman Diogo Almeida Janko Altenschmidt Sam Altman Shyamal Anadkat et al. 2023. Gpt-4 technical report. arXiv:2303.08774. Retrieved from https:\/\/arxiv.org\/abs\/2303.08774"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3148331"},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3055366.3055375"},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2022.106894"},{"key":"e_1_3_1_7_2","volume-title":"6th International Conference on Learning Representations (ICLR)","author":"Ancona Marco","year":"2018","unstructured":"Marco Ancona, Enea Ceolini, Cengiz \u00d6ztireli, and Markus Gross. 2018. Towards better understanding of gradient-based attribution methods for deep neural networks. In 6th International Conference on Learning Representations (ICLR). Arxiv-Computer Science."},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCC50000.2020.9219568"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3424276"},{"key":"e_1_3_1_10_2","unstructured":"Aristiun. 2024. Automated threat modeling using AI. Retrieved from https:\/\/www.aristiun.com\/automated-threat-modeling-using-ai."},{"key":"e_1_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.1993.366933"},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.3390\/info12040154"},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00051"},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1177\/1475921718757405"},{"key":"e_1_3_1_15_2","unstructured":"Iz Beltagy Matthew E. Peters and Arman Cohan. 2020. Longformer: The long-document transformer. arXiv:2004.05150. Retrieved from https:\/\/arxiv.org\/abs\/2004.05150"},{"key":"e_1_3_1_16_2","first-page":"780","volume-title":"International Conference on Machine Learning","author":"Berabi Berkay","year":"2021","unstructured":"Berkay Berabi, Jingxuan He, Veselin Raychev, and Martin Vechev. 2021. Tfix: Learning to fix coding errors with a text-to-text transformer. In International Conference on Machine Learning. PMLR, 780\u2013791."},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/3475960.3475985"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3444690"},{"key":"e_1_3_1_19_2","unstructured":"G. Boetticher. 2007. The PROMISE repository of empirical software engineering data. Retrieved from http:\/\/promisedata.org\/repository"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-022-10215-5"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1191\/1478088706qp063oa"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00076"},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2023.107328"},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.7717\/peerj-cs.489"},{"key":"e_1_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2021.106576"},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.21236\/ADA452086"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3087402"},{"key":"e_1_3_1_28_2","doi-asserted-by":"crossref","unstructured":"Wachiraphan Charoenwet Patanamon Thongtanunam Van-Thuan Pham and Christoph Treude. 2024. An empirical study of static analysis tools for secure code review. arXiv:2407.12241. Retrieved from https:\/\/arxiv.org\/abs\/2407.12241","DOI":"10.1145\/3650212.3680313"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1613\/jair.953"},{"key":"e_1_3_1_30_2","unstructured":"Checkmarx. 2006. Perspective API: Model cards. Retrieved from https:\/\/checkmarx.com\/"},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2017.08.004"},{"key":"e_1_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3147265"},{"issue":"9","key":"e_1_3_1_33_2","first-page":"1943","article-title":"Sequencer: Sequence-to-sequence learning for end-to-end program repair","volume":"47","author":"Chen Zimin","year":"2019","unstructured":"Zimin Chen, Steve Kommrusch, Michele Tufano, Louis-No\u00ebl Pouchet, Denys Poshyvanyk, and Martin Monperrus. 2019. Sequencer: Sequence-to-sequence learning for end-to-end program repair. IEEE Transactions on Software Engineering 47, 9 (2019), 1943\u20131959.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_1_34_2","unstructured":"Zimin Chen and Martin Monperrus. 2018. The codrep machine learning on source code competition. arXiv:1807.03200. Retrieved from https:\/\/arxiv.org\/abs\/1807.03200"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2021.111028"},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3436877"},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3156637"},{"key":"e_1_3_1_38_2","first-page":"2019","article-title":"Seven winning DevSecOps metrics security should track","volume":"25","author":"Chickowski E.","year":"2018","unstructured":"E. Chickowski. 2018. Seven winning DevSecOps metrics security should track. Bitdefender 25 (2018), 2019.","journal-title":"Bitdefender"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/SRDS.2015.16"},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2821693"},{"key":"e_1_3_1_41_2","unstructured":"CORE. 2023. International CORE conference rankings: ICORE. Retrieved from https:\/\/www.core.edu.au\/icore-portal"},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/WCNC.2013.6555301"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00022"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/3475716.3475781"},{"key":"e_1_3_1_45_2","unstructured":"CWE. 2023. 2023 CWE top 25 most dangerous software weaknesses. Retrieved from https:\/\/cwe.mitre.org\/top25\/archive\/2023\/2023_top25_list.html"},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3051492"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00017"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2881961"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSAA53316.2021.9564227"},{"key":"e_1_3_1_50_2","volume-title":"International Conference on Learning Representations (ICLR)","author":"Dinella Elizabeth","year":"2020","unstructured":"Elizabeth Dinella, Hanjun Dai, Ziyang Li, Mayur Naik, Le Song, and Ke Wang. 2020. Hoppity: Learning graph transformations to detect and fix bugs in programs. In International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER53432.2022.00114"},{"key":"e_1_3_1_52_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2023.107290"},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2023.107168"},{"key":"e_1_3_1_54_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363226"},{"key":"e_1_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134015"},{"key":"e_1_3_1_56_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00024"},{"key":"e_1_3_1_57_2","author":"Edelman Benjamin G.","year":"2023","unstructured":"Benjamin G. Edelman, James Bono, Sida Peng, Roberto Rodriguez, and Sandra Ho. 2023. Randomized Controlled Trial for Microsoft Security Copilot. Available at: SSRN 4648700.","journal-title":"Randomized Controlled Trial for Microsoft Security Copilot"},{"key":"e_1_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1109\/MMUL.2018.023121167"},{"key":"e_1_3_1_59_2","doi-asserted-by":"publisher","DOI":"10.1002\/smr.1885"},{"key":"e_1_3_1_60_2","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387501"},{"key":"e_1_3_1_61_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.findings-emnlp.139"},{"key":"e_1_3_1_62_2","doi-asserted-by":"crossref","unstructured":"Jerome H. Friedman and Bogdan E. Popescu. 2008. Predictive learning via rule ensembles.","DOI":"10.1214\/07-AOAS148"},{"key":"e_1_3_1_63_2","doi-asserted-by":"publisher","DOI":"10.1145\/3632746"},{"key":"e_1_3_1_64_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2023.3305244"},{"key":"e_1_3_1_65_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3158252"},{"key":"e_1_3_1_66_2","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3528452"},{"key":"e_1_3_1_67_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-023-10346-3"},{"key":"e_1_3_1_68_2","doi-asserted-by":"publisher","DOI":"10.1145\/3540250.3549098"},{"key":"e_1_3_1_69_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2012.6227172"},{"key":"e_1_3_1_70_2","unstructured":"GitHub. 2024. About autofix for CodeQL code scanning. Retrieved from https:\/\/docs.github.com\/en\/code-security\/code-scanning\/managing-code-scanning-alerts\/about-autofix-for-codeql-code-scanning#supported-languages"},{"key":"e_1_3_1_71_2","unstructured":"GitHub. 2024. Dependabot. Retrieved from https:\/\/github.com\/dependabot"},{"key":"e_1_3_1_72_2","unstructured":"GitLab. 2024. European tech company cube drives secure software with AI in GitLab Duo. Retrieved from https:\/\/about.gitlab.com\/customers\/cube\/"},{"key":"e_1_3_1_73_2","unstructured":"Google. 2023. 2023 State of DevOps report. Retrieved from https:\/\/cloud.google.com\/devops\/state-of-devops"},{"key":"e_1_3_1_74_2","unstructured":"Alicja Gosiewska and Przemyslaw Biecek. 2019. IBreakDown: Uncertainty of model explanations for Non-additive predictive models. arXiv:1903.11420. Retrieved from https:\/\/arxiv.org\/abs\/1903.11420 (2019)"},{"key":"e_1_3_1_75_2","unstructured":"GuardRails. 2023. From security last to DevSecOps: The driving forces behind the transformation. Retrieved from https:\/\/www.guardrails.io\/blog\/from-security-last-to-devsecops-the-driving-forces-behind-the-transformation\/"},{"key":"e_1_3_1_76_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2019.00092"},{"key":"e_1_3_1_77_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00113"},{"key":"e_1_3_1_78_2","doi-asserted-by":"publisher","DOI":"10.1145\/3442536.3442550"},{"key":"e_1_3_1_79_2","unstructured":"Susan Hall. 2024. AI-assisted dependency updates without breaking things. Retrieved from https:\/\/thenewstack.io\/ai-assisted-dependency-updates-without-breaking-things\/"},{"key":"e_1_3_1_80_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24830"},{"key":"e_1_3_1_81_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484589"},{"key":"e_1_3_1_82_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3053371"},{"key":"e_1_3_1_83_2","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950308"},{"key":"e_1_3_1_84_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME58846.2023.00024"},{"key":"e_1_3_1_85_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER53432.2022.00057"},{"key":"e_1_3_1_86_2","unstructured":"A. W. Harzing. 2007. Publish or perish. Retrieved from https:\/\/harzing.com\/resources\/publish-or-perish"},{"key":"e_1_3_1_87_2","unstructured":"Shilin He Jieming Zhu Pinjia He and Michael R. Lyu. 2020. Loghub: A large collection of system log datasets towards automated log analytics. arXiv:2008.06448. Retrieved from https:\/\/arxiv.org\/abs\/2008.06448"},{"key":"e_1_3_1_88_2","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3527949"},{"key":"e_1_3_1_89_2","first-page":"6840","article-title":"Denoising diffusion probabilistic models","volume":"33","author":"Ho Jonathan","year":"2020","unstructured":"Jonathan Ho, Ajay Jain, and Pieter Abbeel. 2020. Denoising diffusion probabilistic models. Advances in Neural Information Processing Systems 33 (2020), 6840\u20136851.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_90_2","doi-asserted-by":"publisher","DOI":"10.5555\/1202957"},{"key":"e_1_3_1_91_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2006.84"},{"key":"e_1_3_1_92_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00138"},{"key":"e_1_3_1_93_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00181"},{"key":"e_1_3_1_94_2","doi-asserted-by":"publisher","DOI":"10.1145\/2741948.2741963"},{"key":"e_1_3_1_95_2","volume-title":"Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation","author":"Humble Jez","year":"2010","unstructured":"Jez Humble and David Farley. 2010. Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation. Pearson Education."},{"key":"e_1_3_1_96_2","doi-asserted-by":"publisher","DOI":"10.3390\/s23031634"},{"key":"e_1_3_1_97_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00107"},{"key":"e_1_3_1_98_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.2982385"},{"key":"e_1_3_1_99_2","unstructured":"Matthew Jin Syed Shahriar Michele Tufano Xin Shi Shuai Lu Neel Sundaresan and Alexey Svyatkovskiy. 2023. Inferfix: End-to-end program repair with LLMs. arXiv:2303.07263. Retrieved from https:\/\/arxiv.org\/abs\/2303.07263"},{"key":"e_1_3_1_100_2","doi-asserted-by":"publisher","DOI":"10.1145\/2610384.2628055"},{"key":"e_1_3_1_101_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2012.70"},{"key":"e_1_3_1_102_2","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387491"},{"key":"e_1_3_1_103_2","unstructured":"Staffs Keele et al. 2007. Guidelines for performing systematic literature reviews in software engineering. EBSE Technical Report EBSE -2007-01."},{"key":"e_1_3_1_104_2","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3415295"},{"key":"e_1_3_1_105_2","doi-asserted-by":"publisher","DOI":"10.1109\/CNS59707.2023.10288690"},{"key":"e_1_3_1_106_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2017.07.009"},{"key":"e_1_3_1_107_2","unstructured":"Anna Khrupa. 2022. What is software impact analysis. Retrieved from https:\/\/qarea.com\/blog\/what-is-software-impact-analysis"},{"key":"e_1_3_1_108_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3174092"},{"key":"e_1_3_1_109_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eng.2019.08.016"},{"key":"e_1_3_1_110_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-023-10342-7"},{"key":"e_1_3_1_111_2","unstructured":"Stuart Larsen. 2024. MongoDB security team enables secure development with snyk. Retrieved from https:\/\/snyk.io\/case-studies\/mongodb\/"},{"key":"e_1_3_1_112_2","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3528433"},{"key":"e_1_3_1_113_2","doi-asserted-by":"crossref","first-page":"717","DOI":"10.1109\/ASE51524.2021.9678622","volume-title":"2021 36th IEEE\/ACM International Conference on Automated Software Engineering (ASE)","author":"Le Triet Huynh Minh","year":"2021","unstructured":"Triet Huynh Minh Le, David Hin, Roland Croft, and M. Ali Babar. 2021. Deepcva: Automated commit-level vulnerability assessment with deep multi-task learning. In 2021 36th IEEE\/ACM International Conference on Automated Software Engineering (ASE). IEEE, 717\u2013729."},{"key":"e_1_3_1_114_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE51524.2021.9678773"},{"key":"e_1_3_1_115_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2015.2454513"},{"key":"e_1_3_1_116_2","volume-title":"Writing Secure Code","author":"LeBlanc David","year":"2002","unstructured":"David LeBlanc and Michael Howard. 2002. Writing Secure Code. Pearson Education."},{"key":"e_1_3_1_117_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00082"},{"key":"e_1_3_1_118_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-11510-3_12"},{"key":"e_1_3_1_119_2","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2009.33"},{"key":"e_1_3_1_120_2","first-page":"1","article-title":"LogGraph: Log event graph learning aided robust fine-grained anomaly diagnosis","volume":"01","author":"Li Jiangming","year":"2023","unstructured":"Jiangming Li, Huasen He, Shuangwu Chen, and Dong Jin. 2023. LogGraph: Log event graph learning aided robust fine-grained anomaly diagnosis. IEEE Transactions on Dependable and Secure Computing 01 (2023), 1\u201315.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_1_121_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2020.106364"},{"key":"e_1_3_1_122_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3162857"},{"key":"e_1_3_1_123_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER56733.2023.00062"},{"key":"e_1_3_1_124_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380345"},{"key":"e_1_3_1_125_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468597"},{"key":"e_1_3_1_126_2","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3616346"},{"key":"e_1_3_1_127_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3076142"},{"key":"e_1_3_1_128_2","unstructured":"Zhen Li Deqing Zou Shouhuai Xu Xinyu Ou Hai Jin Sujuan Wang Zhijun Deng and Yuyi Zhong. 2018. Vuldeepecker: A deep learning-based system for vulnerability detection. arXiv:1801.01681. Retrieved from https:\/\/arxiv.org\/abs\/1801.01681"},{"key":"e_1_3_1_129_2","doi-asserted-by":"publisher","DOI":"10.1145\/3135932.3135941"},{"key":"e_1_3_1_130_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196546"},{"key":"e_1_3_1_131_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.324"},{"key":"e_1_3_1_132_2","doi-asserted-by":"publisher","DOI":"10.1145\/2133360.2133363"},{"key":"e_1_3_1_133_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.2984505"},{"key":"e_1_3_1_134_2","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639142"},{"key":"e_1_3_1_135_2","unstructured":"Shuai Lu Daya Guo Shuo Ren Junjie Huang Alexey Svyatkovskiy Ambrosio Blanco Colin Clement Dawn Drain Daxin Jiang Duyu Tang et al. 2021. Codexglue: A machine learning benchmark dataset for code understanding and generation. arXiv:2102.04664. Retrieved from https:\/\/arxiv.org\/abs\/2102.04664"},{"key":"e_1_3_1_136_2","doi-asserted-by":"publisher","DOI":"10.5555\/3295222.3295230"},{"key":"e_1_3_1_137_2","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397369"},{"key":"e_1_3_1_138_2","doi-asserted-by":"publisher","DOI":"10.1080\/0951192X.2023.2294442"},{"key":"e_1_3_1_139_2","unstructured":"Andi Mann Michael Stahnke Alanna Brown and Nigel Kersten. 2019. State of DevOps report. Retrieved from https:\/\/cloud.google.com\/devops\/state-of-devops"},{"key":"e_1_3_1_140_2","article-title":"Metric learning for adversarial robustness","volume":"32","author":"Mao Chengzhi","year":"2019","unstructured":"Chengzhi Mao, Ziyuan Zhong, Junfeng Yang, Carl Vondrick, and Baishakhi Ray. 2019. Metric learning for adversarial robustness. Advances in Neural Information Processing Systems 32 (2019).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_141_2","doi-asserted-by":"publisher","DOI":"10.1109\/QRS51102.2020.00064"},{"key":"e_1_3_1_142_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2020.110671"},{"key":"e_1_3_1_143_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR52588.2021.00063"},{"key":"e_1_3_1_144_2","doi-asserted-by":"publisher","DOI":"10.1109\/CySWater.2016.7469060"},{"key":"e_1_3_1_145_2","unstructured":"Taylor McCaslin. 2024. How to put generative AI to work in your DevSecOps environment. Retrieved from https:\/\/about.gitlab.com\/blog\/2024\/03\/07\/how-to-put-generative-ai-to-work-in-your-devsecops-environment\/"},{"key":"e_1_3_1_146_2","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3182514"},{"key":"e_1_3_1_147_2","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884807"},{"key":"e_1_3_1_148_2","first-page":"435","article-title":"Rex: Preventing bugs and misconfiguration in large services using correlated change analysis","author":"Mehta Sonu","year":"2020","unstructured":"Sonu Mehta, Ranjita Bhagwan, Rahul Kumar, Chetan Bansal, Chandra Maddila, Balasubramanyan Ashok, Sumit Asthana, Christian Bird, and Aditya Kumar. 2020. Rex: Preventing bugs and misconfiguration in large services using correlated change analysis. In 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI \u201920), 435\u2013448.","journal-title":"17th USENIX Symposium on Networked Systems Design and Implementation (NSDI \u201920)"},{"key":"e_1_3_1_149_2","first-page":"4739","article-title":"Loganomaly: Unsupervised detection of sequential and quantitative anomalies in unstructured logs","volume":"19","author":"Meng Weibin","year":"2019","unstructured":"Weibin Meng, Ying Liu, Yichen Zhu, Shenglin Zhang, Dan Pei, Yuqing Liu, Yihao Chen, Ruizhi Zhang, Shimin Tao, Pei Sun, et al. 2019. Loganomaly: Unsupervised detection of sequential and quantitative anomalies in unstructured logs. In International Joint Conference on Artificial Intelligence (IJCAI), Vol. 19, 4739\u20134745.","journal-title":"International Joint Conference on Artificial Intelligence (IJCAI)"},{"key":"e_1_3_1_150_2","unstructured":"Aditya Krishna Menon Sadeep Jayasumana Ankit Singh Rawat Himanshu Jain Andreas Veit and Sanjiv Kumar. 2020. Long-tail learning via logit adjustment. arXiv:2007.07314. Retrieved from https:\/\/arxiv.org\/abs\/2007.07314"},{"key":"e_1_3_1_151_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE51524.2021.9678758"},{"key":"e_1_3_1_152_2","unstructured":"Microsoft. 2022. DevSecOps controls. Retrieved from https:\/\/learn.microsoft.com\/en-us\/azure\/cloud-adoption-framework\/secure\/devsecops-controls"},{"key":"e_1_3_1_153_2","unstructured":"Microsoft. 2022. What is infrastructure as code (IaC)? Retrieved from https:\/\/learn.microsoft.com\/en-us\/devops\/deliver\/what-is-infrastructure-as-code"},{"key":"e_1_3_1_154_2","unstructured":"Microsoft. 2023. What is DevOps? Retrieved from https:\/\/learn.microsoft.com\/en-us\/devops\/what-is-devops"},{"key":"e_1_3_1_155_2","unstructured":"Microsoft. 2024. Microsoft copilot for security is generally available on April 1 2024 with new capabilities. Retrieved from https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/03\/13\/microsoft-copilot-for-security-is-generally-available-on-april-1-2024-with-new-capabilities\/"},{"key":"e_1_3_1_156_2","unstructured":"Microsoft. 2024. Threat modeling. Retrieved from https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/threatmodeling"},{"key":"e_1_3_1_157_2","first-page":"6557","article-title":"VulChecker: Graph-based vulnerability localization in source code","author":"Mirsky Yisroel","year":"2023","unstructured":"Yisroel Mirsky, George Macon, Michael Brown, Carter Yagemann, Matthew Pruett, Evan Downing, Sukarno Mertoguno, and Wenke Lee. 2023. VulChecker: Graph-based vulnerability localization in source code. In 31st USENIX Security Symposium (Security \u201922), 6557\u20136574.","journal-title":"31st USENIX Security Symposium (Security \u201922)"},{"key":"e_1_3_1_158_2","first-page":"3","article-title":"Industrial control system simulation and data logging for intrusion detection system research","author":"Morris Thomas H.","year":"2015","unstructured":"Thomas H. Morris, Zach Thornton, and Ian Turnipseed. 2015. Industrial control system simulation and data logging for intrusion detection system research. In 7th Annual Southeastern Cyber Security Summit, 3\u20134.","journal-title":"7th Annual Southeastern Cyber Security Summit"},{"key":"e_1_3_1_159_2","doi-asserted-by":"publisher","DOI":"10.1109\/MilCIS.2015.7348942"},{"key":"e_1_3_1_160_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-67383-7_2"},{"key":"e_1_3_1_161_2","doi-asserted-by":"publisher","DOI":"10.34190\/eccws.21.1.295"},{"key":"e_1_3_1_162_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-022-10223-5"},{"key":"e_1_3_1_163_2","doi-asserted-by":"crossref","unstructured":"Anh The Nguyen Triet Huynh Minh Le and M. Ali Babar. 2024. Automated code-centric software vulnerability assessment: How far are we? An empirical study in C\/C \\(++\\) . arXiv:2407.17053. Retrieved from https:\/\/arxiv.org\/abs\/2407.17053","DOI":"10.1145\/3674805.3686670"},{"key":"e_1_3_1_164_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICPC58990.2023.00048"},{"key":"e_1_3_1_165_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00083"},{"key":"e_1_3_1_166_2","unstructured":"NSF. 2024. Cyber-physical systems. Retrieved from https:\/\/www.nsf.gov\/news\/special_reports\/cyber-physical\/"},{"key":"e_1_3_1_167_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2007.103"},{"key":"e_1_3_1_168_2","unstructured":"Yassine Ouali C\u00e9line Hudelot and Myriam Tami. 2020. An overview of deep semi-supervised learning. arXiv:2006.05278. Retrieved from https:\/\/arxiv.org\/abs\/2006.05278"},{"key":"e_1_3_1_169_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00088"},{"key":"e_1_3_1_170_2","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639110"},{"key":"e_1_3_1_171_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2018.12.001"},{"key":"e_1_3_1_172_2","doi-asserted-by":"publisher","DOI":"10.1145\/3239235.3268920"},{"key":"e_1_3_1_173_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179420"},{"key":"e_1_3_1_174_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00064"},{"key":"e_1_3_1_175_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE51524.2021.9678763"},{"key":"e_1_3_1_176_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR52588.2021.00049"},{"key":"e_1_3_1_177_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3144348"},{"key":"e_1_3_1_178_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-021-09959-3"},{"key":"e_1_3_1_179_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-29608-7_7"},{"key":"e_1_3_1_180_2","first-page":"12","article-title":"Deep just-in-time defect localization","volume":"48","author":"Qiu Fangcheng","year":"2021","unstructured":"Fangcheng Qiu, Zhipeng Gao, Xin Xia, David Lo, John Grundy, and Xinyu Wang. 2021. Deep just-in-time defect localization. IEEE Transactions on Software Engineering 48, 12 (2021), 5068\u20135086.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_1_181_2","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3417927"},{"key":"e_1_3_1_182_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.2998819"},{"key":"e_1_3_1_183_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00033"},{"key":"e_1_3_1_184_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2018.00014"},{"key":"e_1_3_1_185_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2019.04.013"},{"key":"e_1_3_1_186_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2021.106700"},{"key":"e_1_3_1_187_2","unstructured":"RedHat. 2022. What is infrastructure as code (IaC)? Retrieved from https:\/\/www.redhat.com\/en\/topics\/automation\/what-is-infrastructure-as-code-iac"},{"key":"e_1_3_1_188_2","unstructured":"RedHat. 2023. What is CI\/CD security? Retrieved from https:\/\/www.redhat.com\/en\/topics\/security\/what-is-cicd-security"},{"key":"e_1_3_1_189_2","unstructured":"Yahoo Research. 2015. A benchmark dataset for time series anomaly detection. Retrieved from https:\/\/yahooresearch.tumblr.com\/post\/114590420346\/a-benchmark-dataset-for-time-series-anomaly"},{"key":"e_1_3_1_190_2","first-page":"1135","volume-title":"22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining","author":"Ribeiro Marco Tulio","year":"2016","unstructured":"Marco Tulio Ribeiro, Sameer Singh, and Carlos Guestrin. 2016. \u201dWhy should I trust you?\u201d Explaining the predictions of any classifier. In 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 1135\u20131144."},{"key":"e_1_3_1_191_2","unstructured":"Maria Rosala. 2019. How to analyze qualitative data from UX research: Thematic analysis. NN-Nielsen Norman Group. Retrieved from https:\/\/www.nngroup.com\/articles\/thematic-analysis\/"},{"key":"e_1_3_1_192_2","unstructured":"Baptiste Roziere Jonas Gehring Fabian Gloeckle Sten Sootla Itai Gat Xiaoqing Ellen Tan Yossi Adi Jingyu Liu Tal Remez J\u00e9r\u00e9my Rapin et al. 2023. Code llama: Open foundation models for code. arXiv:2308.12950. Retrieved from https:\/\/arxiv.org\/abs\/2308.12950"},{"key":"e_1_3_1_193_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2019.110406"},{"key":"e_1_3_1_194_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2018.00120"},{"key":"e_1_3_1_195_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196473"},{"key":"e_1_3_1_196_2","doi-asserted-by":"publisher","DOI":"10.1145\/3387940.3392233"},{"key":"e_1_3_1_197_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2018.01.039"},{"key":"e_1_3_1_198_2","doi-asserted-by":"publisher","DOI":"10.1186\/1471-2288-11-128"},{"key":"e_1_3_1_199_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2014.2340398"},{"key":"e_1_3_1_200_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-59050-9_12"},{"key":"e_1_3_1_201_2","unstructured":"Abigail See Peter J. Liu and Christopher D. Manning. 2017. Get to the point: Summarization with pointer-generator networks. arXiv:1704.04368. Retrieved from https:\/\/arxiv.org\/abs\/1704.04368"},{"key":"e_1_3_1_202_2","first-page":"730","volume-title":"2024 IEEE\/ACM 46th International Conference on Software Engineering (ICSE)","author":"Sejfia Adriana","year":"2023","unstructured":"Adriana Sejfia, Satyaki Das, Saad Shafiq, and Nenad Medvidovi\u0107. 2023. Toward improved deep learning-based vulnerability detection. In 2024 IEEE\/ACM 46th International Conference on Software Engineering (ICSE). IEEE Computer Society, 730\u2013741."},{"key":"e_1_3_1_203_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-018-9651-4"},{"key":"e_1_3_1_204_2","unstructured":"Chenze Shao and Yang Feng. 2022. Overcoming catastrophic forgetting beyond continual learning: Balanced training for neural machine translation. arXiv:2203.03910. Retrieved from https:\/\/arxiv.org\/abs\/2203.03910"},{"key":"e_1_3_1_205_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-011-9190-8"},{"key":"e_1_3_1_206_2","volume-title":"Threat Modeling: Designing for Security","author":"Shostack Adam","year":"2014","unstructured":"Adam Shostack. 2014. Threat Modeling: Designing for Security. John Wiley & Sons."},{"key":"e_1_3_1_207_2","first-page":"3145","volume-title":"International Conference on Machine Learning","author":"Shrikumar Avanti","year":"2017","unstructured":"Avanti Shrikumar, Peyton Greenside, and Anshul Kundaje. 2017. Learning important features through propagating activation differences. In International Conference on Machine Learning. PMLR, 3145\u20133153."},{"key":"e_1_3_1_208_2","doi-asserted-by":"publisher","DOI":"10.1145\/3382494.3410677"},{"key":"e_1_3_1_209_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER50967.2021.00040"},{"key":"e_1_3_1_210_2","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786845"},{"key":"e_1_3_1_211_2","unstructured":"Snyk. 2015. Snyk. Retrieved from https:\/\/snyk.io"},{"key":"e_1_3_1_212_2","unstructured":"Snyk. 2022. Software dependencies: How to manage dependencies at scale. Retrieved from https:\/\/snyk.io\/series\/open-source-security\/software-dependencies\/"},{"key":"e_1_3_1_213_2","unstructured":"Sonatype. 2024. Sonatype. Retrieved from https:\/\/www.sonatype.com\/"},{"key":"e_1_3_1_214_2","doi-asserted-by":"publisher","DOI":"10.1109\/SEAA.2017.8114695"},{"key":"e_1_3_1_215_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCGRID.2008.107"},{"key":"e_1_3_1_216_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00188"},{"key":"e_1_3_1_217_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00188"},{"key":"e_1_3_1_218_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.3037903"},{"key":"e_1_3_1_219_2","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3417062"},{"key":"e_1_3_1_220_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115627"},{"key":"e_1_3_1_221_2","unstructured":"Yutao Sun Li Dong Shaohan Huang Shuming Ma Yuqing Xia Jilong Xue Jianyong Wang and Furu Wei. 2023. Retentive network: A successor to transformer for large language models. arXiv:2307.08621. Retrieced from https:\/\/arxiv.org\/abs\/2307.08621"},{"key":"e_1_3_1_222_2","first-page":"3319","volume-title":"International Conference on Machine Learning","author":"Sundararajan Mukund","year":"2017","unstructured":"Mukund Sundararajan, Ankur Taly, and Qiqi Yan. 2017. Axiomatic attribution for deep networks. In International Conference on Machine Learning. PMLR, 3319\u20133328."},{"key":"e_1_3_1_223_2","unstructured":"Synopsys. 2024. Black Duck software composition analysis. Retrieved from https:\/\/www.synopsys.com\/"},{"key":"e_1_3_1_224_2","doi-asserted-by":"crossref","first-page":"180","DOI":"10.1109\/ICSE-C.2017.76","volume-title":"2017 IEEE\/ACM 39th International Conference on Software Engineering Companion (ICSE-C)","author":"Tan Shin Hwei","year":"2017","unstructured":"Shin Hwei Tan, Jooyong Yi, Sergey Mechtaev, Abhik Roychoudhury, et al. 2017. Codeflaws: A programming competition benchmark for evaluating automated program repair tools. In 2017 IEEE\/ACM 39th International Conference on Software Engineering Companion (ICSE-C). IEEE, 180\u2013182."},{"key":"e_1_3_1_225_2","doi-asserted-by":"publisher","DOI":"10.1061\/(ASCE)WR.1943-5452.0000969"},{"key":"e_1_3_1_226_2","unstructured":"Pierre Tempel and Eric Tooley. 2024. Found means fixed: Introducing code scanning autofix powered by GitHub Copilot and CodeQL. Retrieved from https:\/\/github.blog\/2024-03-20-found-means-fixed-introducing-code-scanning-autofix-powered-by-github-copilot-and-codeql\/"},{"key":"e_1_3_1_227_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER50967.2021.00056"},{"key":"e_1_3_1_228_2","unstructured":"Testsigma. 2023. Impact analysis in software testing \u2013 a complete overview. Retrieved from https:\/\/testsigma.com\/blog\/impact-analysis-in-testing\/"},{"key":"e_1_3_1_229_2","doi-asserted-by":"publisher","DOI":"10.1145\/3340544"},{"key":"e_1_3_1_230_2","doi-asserted-by":"publisher","DOI":"10.1002\/smr.4360060104"},{"key":"e_1_3_1_231_2","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3616267"},{"issue":"7","key":"e_1_3_1_232_2","first-page":"4578","article-title":"Towards the integration of security practices in agile software development:","volume":"13","author":"Vald\u00e9s-Rodr\u00edguez Yolanda","year":"2023","unstructured":"Yolanda Vald\u00e9s-Rodr\u00edguez, Jorge Hochstetter-Diez, Jaime D\u00edaz-Arancibia, and Rodrigo Cadena-Mart\u00ednez. 2023. Towards the integration of security practices in agile software development: A systematic mapping review. Applied Sciences 13, 7 (2023), 4578.","journal-title":"A systematic mapping review. Applied Sciences"},{"key":"e_1_3_1_233_2","unstructured":"Validata. 2024. AI-powered live impact analysis. Retrieved from https:\/\/www.validata-software.com\/products\/validata-sense-ai\/ai-powered-live-impact-analysis"},{"key":"e_1_3_1_234_2","article-title":"Attention is all you need","volume":"30","author":"Vaswani Ashish","year":"2017","unstructured":"Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N. Gomez, \u0141ukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. Advances in Neural Information Processing Systems 30 (2017).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_235_2","unstructured":"Vy Vo Van Nguyen Trung Le Quan Hung Tran Gholamreza Haffari Seyit Camtepe and Dinh Phung. 2022. An additive instance-wise approach to multi-class model interpretation. arXiv:2207.03113. Retrieved from https:\/\/arxiv.org\/abs\/2207.03113"},{"key":"e_1_3_1_236_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3044773"},{"key":"e_1_3_1_237_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSE53436.2021.00030"},{"key":"e_1_3_1_238_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00189"},{"key":"e_1_3_1_239_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00043"},{"key":"e_1_3_1_240_2","doi-asserted-by":"publisher","DOI":"10.1109\/CNS48642.2020.9162237"},{"key":"e_1_3_1_241_2","doi-asserted-by":"crossref","unstructured":"Yue Wang Hung Le Akhilesh Deepak Gotmare Nghi D. Q. Bui Junnan Li and Steven CH Hoi. 2023. Codet5+: Open code large language models for code understanding and generation. arXiv:2305.07922. Retrieved from https:\/\/arxiv.org\/abs\/2305.07922","DOI":"10.18653\/v1\/2023.emnlp-main.68"},{"key":"e_1_3_1_242_2","doi-asserted-by":"crossref","unstructured":"Yue Wang Weishi Wang Shafiq Joty and Steven C. H. Hoi. 2021. Codet5: Identifier-aware unified pre-trained encoder-decoder models for code understanding and generation. arXiv:2109.00859. Retrieved from https:\/\/arxiv.org\/abs\/2109.00859","DOI":"10.18653\/v1\/2021.emnlp-main.685"},{"key":"e_1_3_1_243_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2021.106809"},{"key":"e_1_3_1_244_2","doi-asserted-by":"publisher","DOI":"10.1145\/3485275"},{"key":"e_1_3_1_245_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3023177"},{"key":"e_1_3_1_246_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D19-1670"},{"key":"e_1_3_1_247_2","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180233"},{"key":"e_1_3_1_248_2","unstructured":"David A. Wheeler. 2024. Flawfinder. Retrieved from https:\/\/dwheeler.com\/flawfinder\/"},{"key":"e_1_3_1_249_2","doi-asserted-by":"publisher","DOI":"10.1145\/3540250.3558953"},{"key":"e_1_3_1_250_2","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3616351"},{"key":"e_1_3_1_251_2","doi-asserted-by":"publisher","DOI":"10.1145\/2025113.2025120"},{"key":"e_1_3_1_252_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-023-10364-1"},{"key":"e_1_3_1_253_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510229"},{"key":"e_1_3_1_254_2","first-page":"1","article-title":"Adaptive-correlation-aware unsupervised deep learning for anomaly detection in cyber-physical systems","volume":"01","author":"Xi Liang","year":"2023","unstructured":"Liang Xi, Dehua Miao, Menghan Li, Ruidong Wang, Han Liu, and Xunhua Huang. 2023. Adaptive-correlation-aware unsupervised deep learning for anomaly detection in cyber-physical systems. IEEE Transactions on Dependable and Secure Computing 01 (2023), 1\u201312.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_1_255_2","doi-asserted-by":"publisher","DOI":"10.1145\/3540250.3549101"},{"key":"e_1_3_1_256_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00091"},{"key":"e_1_3_1_257_2","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3613861"},{"key":"e_1_3_1_258_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST49551.2021.00031"},{"key":"e_1_3_1_259_2","doi-asserted-by":"publisher","DOI":"10.1145\/3582571"},{"key":"e_1_3_1_260_2","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3613879"},{"key":"e_1_3_1_261_2","doi-asserted-by":"publisher","DOI":"10.1145\/2791577"},{"key":"e_1_3_1_262_2","doi-asserted-by":"publisher","DOI":"10.1145\/1629575.1629587"},{"key":"e_1_3_1_263_2","unstructured":"Yahoo. 2024. Yahoo! Webscope dataset. Retrieved from https:\/\/webscope.sandbox.yahoo.com\/"},{"key":"e_1_3_1_264_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"e_1_3_1_265_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.2978819"},{"key":"e_1_3_1_266_2","doi-asserted-by":"publisher","DOI":"10.1145\/3644386"},{"key":"e_1_3_1_267_2","first-page":"2327","article-title":"\\(\\{\\) CADE \\(\\}\\) : Detecting and explaining concept drift samples for security applications","author":"Yang Limin","year":"2021","unstructured":"Limin Yang, Wenbo Guo, Qingying Hao, Arridhana Ciptadi, Ali Ahmadzadeh, Xinyu Xing, and Gang Wang. 2021. \\(\\{\\) CADE \\(\\}\\) : Detecting and explaining concept drift samples for security applications. In 30th USENIX Security Symposium (USENIX Security \u201921), 2327\u20132344.","journal-title":"30th USENIX Security Symposium (USENIX Security \u201921)"},{"key":"e_1_3_1_268_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2020.106397"},{"key":"e_1_3_1_269_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00192"},{"key":"e_1_3_1_270_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00075"},{"key":"e_1_3_1_271_2","article-title":"Gnnexplainer: Generating explanations for graph neural networks","volume":"32","author":"Ying Zhitao","year":"2019","unstructured":"Zhitao Ying, Dylan Bourgeois, Jiaxuan You, Marinka Zitnik, and Jure Leskovec. 2019. Gnnexplainer: Generating explanations for graph neural networks. Advances in Neural Information Processing Systems 32 (2019).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_272_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00190"},{"key":"e_1_3_1_273_2","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453098"},{"key":"e_1_3_1_274_2","unstructured":"Kev Zettler. 2022. The DevSecOp tools that secure DevOps workflows. Retrieved from https:\/\/www.redhat.com\/en\/topics\/devops\/what-is-devsecops"},{"key":"e_1_3_1_275_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2023.3285910"},{"key":"e_1_3_1_276_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00059"},{"key":"e_1_3_1_277_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2023.3286586"},{"key":"e_1_3_1_278_2","first-page":"1","article-title":"Pre-trained model-based automated software vulnerability repair: How far are we?","volume":"01","author":"Zhang Quanjun","year":"2023","unstructured":"Quanjun Zhang, Chunrong Fang, Bowen Yu, Weisong Sun, Tongke Zhang, and Zhenyu Chen. 2023. Pre-trained model-based automated software vulnerability repair: How far are we? IEEE Transactions on Dependable and Secure Computing 01 (2023), 1\u201318.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_1_279_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2022.3222417"},{"key":"e_1_3_1_280_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338931"},{"key":"e_1_3_1_281_2","doi-asserted-by":"publisher","DOI":"10.1145\/3567550"},{"key":"e_1_3_1_282_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP52600.2021.00020"},{"key":"e_1_3_1_283_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3201379"},{"key":"e_1_3_1_284_2","article-title":"Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks","volume":"32","author":"Zhou Yaqin","year":"2019","unstructured":"Yaqin Zhou, Shangqing Liu, Jingkai Siow, Xiaoning Du, and Yang Liu. 2019. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. Advances in Neural Information Processing Systems 32 (2019).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_285_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468544"},{"key":"e_1_3_1_286_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00126"},{"key":"e_1_3_1_287_2","doi-asserted-by":"publisher","DOI":"10.1145\/3631972"},{"key":"e_1_3_1_288_2","first-page":"1","article-title":"MVulPreter: A multi-granularity vulnerability detection system with interpretations","volume":"01","author":"Zou Deqing","year":"2022","unstructured":"Deqing Zou, Yutao Hu, Wenke Li, Yueming Wu, Haojun Zhao, and Hai Jin. 2022. MVulPreter: A multi-granularity vulnerability detection system with interpretations. IEEE Transactions on Dependable and Secure Computing 01 (2022), 1\u201312.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"issue":"5","key":"e_1_3_1_289_2","first-page":"2224","article-title":"\\(\\mu\\) VulDeePecker: A deep learning-based system for multiclass vulnerability detection","volume":"18","author":"Zou Deqing","year":"2019","unstructured":"Deqing Zou, Sujuan Wang, Shouhuai Xu, Zhen Li, and Hai Jin. 2019. \\(\\mu\\) VulDeePecker: A deep learning-based system for multiclass vulnerability detection. IEEE Transactions on Dependable and Secure Computing 18, 5 (2019), 2224\u20132236.","journal-title":"IEEE Transactions on Dependable and Secure Computing"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3712190","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3712190","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:10:28Z","timestamp":1750295428000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3712190"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,28]]},"references-count":288,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,5,31]]}},"alternative-id":["10.1145\/3712190"],"URL":"https:\/\/doi.org\/10.1145\/3712190","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,4,28]]},"assertion":[{"value":"2024-04-07","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-11","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-04-28","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}