{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,18]],"date-time":"2026-06-18T23:24:45Z","timestamp":1781825085824,"version":"3.54.5"},"reference-count":103,"publisher":"Association for Computing Machinery (ACM)","issue":"6","license":[{"start":{"date-parts":[[2026,5,13]],"date-time":"2026-05-13T00:00:00Z","timestamp":1778630400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"Network Twinning Enhancement Methods project","award":["E3Z0111104"],"award-info":[{"award-number":["E3Z0111104"]}]},{"DOI":"10.13039\/501100025512","name":"Institute of Information Engineering, Chinese Academy of Sciences","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100025512","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2026,6,30]]},"abstract":"<jats:p>\n                    Automated vulnerability detection is a critical issue in software security. The advent of Deep Learning (DL) has led to numerous studies employing DL to detect vulnerabilities in software source code. However, existing approaches still perform poorly, particularly with real-world vulnerabilities, due to the difficulty in accurately capturing their properties. To this end, we introduce PVDetector, a DL-based approach that utilizes rich code semantics, incorporates vulnerability knowledge, and leverages pretrained code representations for precise vulnerability detection. At its core, PVDetector employs a new model called Vulnerability-enriched Code Semantic Graph (VCSG), which accurately characterizes functions by distinguishing the semantics of identical variables and more finely capturing control dependencies, data dependencies, and vulnerability relationships. Additionally, we introduce four pretraining tasks specifically designed to learn the semantics of control, data, vulnerability, and variables from the VCSG model. These pretraining tasks significantly enhance PVDetector\u2019s capability to detect vulnerabilities in downstream tasks. Experimental results indicate that PVDetector outperforms SOTAs by 5.0\u201312.5% in precision, 0.2\u20139.7% in recall, and 3.0\u201315.1% in F1-score. Additionally, it supports six programming languages and demonstrates high efficiency (e.g., 10.6\n                    <jats:inline-formula content-type=\"math\/tex\">\n                      <jats:tex-math notation=\"LaTeX\" version=\"MathJax\">\\(\\times\\)<\/jats:tex-math>\n                    <\/jats:inline-formula>\n                    faster than DeepDFA). When applied to seven software products, PVDetector discovered 55 vulnerabilities, including 10 silently patched flaws that had not been previously reported.\n                  <\/jats:p>","DOI":"10.1145\/3768582","type":"journal-article","created":{"date-parts":[[2025,9,19]],"date-time":"2025-09-19T22:30:06Z","timestamp":1758321006000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["PVDetector: Pretrained Vulnerability Detection on Vulnerability-enriched Code Semantic Graph"],"prefix":"10.1145","volume":"35","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0784-3882","authenticated-orcid":false,"given":"Jiayuan","family":"Li","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8478-3297","authenticated-orcid":false,"given":"Lei","family":"Cui","sequence":"additional","affiliation":[{"name":"Guangxi Normal University, Guilin, China and Harbin Institute of Technology, Harbin, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1135-2031","authenticated-orcid":false,"given":"Jie","family":"Zhang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6700-7835","authenticated-orcid":false,"given":"Lun","family":"Li","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-1708-1487","authenticated-orcid":false,"given":"Rongrong","family":"Xi","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3720-7403","authenticated-orcid":false,"given":"Hongsong","family":"Zhu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,5,13]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/170035.170072"},{"key":"e_1_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.naacl-main.211"},{"issue":"3","key":"e_1_3_1_4_2","doi-asserted-by":"crossref","first-page":"16","DOI":"10.37934\/araset.30.3.1631","article-title":"LSTM inefficiency in long-term dependencies regression problems","volume":"30","author":"Al-Selwi Safwan Mahmood","year":"2023","unstructured":"Safwan Mahmood Al-Selwi, Mohd Fadzil Hassan, Said Jadid Abdulkadir, and Amgad Muneer. 2023. LSTM inefficiency in long-term dependencies regression problems. J. Adv. Res. Appl. Sci. Eng. Technol. 30, 3 (2023), 16\u201331.","journal-title":"J. Adv. Res. Appl. Sci. Eng. Technol"},{"key":"e_1_3_1_5_2","doi-asserted-by":"crossref","first-page":"334","DOI":"10.1109\/EuroSP.2017.14","volume-title":"2017 IEEE European Symposium on Security and Privacy (EuroS&P \u201917)","author":"Backes Michael","year":"2017","unstructured":"Michael Backes, Konrad Rieck, Malte Skoruppa, Ben Stock, and Fabian Yamaguchi. 2017. Efficient and flexible discovery of PHP application vulnerabilities. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P \u201917). IEEE, 334\u2013349."},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2785841"},{"key":"e_1_3_1_7_2","volume-title":"Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020 (NeurIPS \u201920)","author":"Brown Tom B.","year":"2020","unstructured":"Tom B. Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. 2020. Language models are few-shot learners. In Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020 (NeurIPS \u201920)."},{"key":"e_1_3_1_8_2","first-page":"3043","volume-title":"Proceedings of the 31st International Conference on Computational Linguistics","author":"Cao Liuwen","year":"2025","unstructured":"Liuwen Cao, Hongkui He, Hailin Huang, Jiexin Wang, and Yi Cai. 2025. Rethinking-based code summarization with chain of comments. In Proceedings of the 31st International Conference on Computational Linguistics, 3043\u20133056."},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.103903"},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3087402"},{"key":"e_1_3_1_11_2","unstructured":"Checkmarx. 2024. Checkmarx\u2014Application Security. Retrieved February 3 2024 from https:\/\/www.checkmarx.com\/"},{"key":"e_1_3_1_12_2","first-page":"41","volume-title":"In 2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS \u201919)","author":"Cheng Xiao","year":"2019","unstructured":"Xiao Cheng, Haoyu Wang, Jiayi Hua, Miao Zhang, Guoai Xu, Li Yi, and Yulei Sui. 2019. Static detection of control-flow-related vulnerabilities using graph embedding. In 2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS \u201919). IEEE, 41\u201350."},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534371"},{"key":"e_1_3_1_14_2","first-page":"121","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE \u201923)","author":"Croft Roland","year":"2023","unstructured":"Roland Croft, M. Ali Babar, and M. Mehdi Kholoosi. 2023. Data quality for software vulnerability datasets. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE \u201923). IEEE, 121\u2013133."},{"key":"e_1_3_1_15_2","doi-asserted-by":"crossref","first-page":"2004","DOI":"10.1109\/TIFS.2020.3047756","article-title":"VulDetector: Detecting vulnerabilities using weighted feature graph comparison","volume":"16","author":"Cui Lei","year":"2021","unstructured":"Lei Cui, Zhiyu Hao, Yang Jiao, Haiqiang Fei, and Xiaochun Yun. 2021. VulDetector: Detecting vulnerabilities using weighted feature graph comparison. IEEE Trans. Inf. Forensics Secur. 16 (2021), 2004\u20132017.","journal-title":"IEEE Trans. Inf. Forensics Secur"},{"key":"e_1_3_1_16_2","unstructured":"CVE. 2024. CVE\u2014Common Vulnerabilities and Exposures. Retrieved February 3 2024 from https:\/\/cve.mitre.org\/"},{"key":"e_1_3_1_17_2","unstructured":"CWE. 2024. CWE\u2014Common Weakness Enumeration. Retrieved February 3 2024 from https:\/\/cwe.mitre.org\/top25\/"},{"key":"e_1_3_1_18_2","unstructured":"Hoa Khanh Dam Trang Pham Shien Wee Ng Truyen Tran John Grundy Aditya Ghose Taeksu Kim and Chul-Joo Kim. 2018. A deep tree-based model for software defect prediction. arXiv:1802.00921. Retrieved from https:\/\/arxiv.org\/abs\/1802.00921"},{"key":"e_1_3_1_19_2","unstructured":"DeepSeek-AI Daya Guo Dejian Yang Haowei Zhang Junxiao Song Ruoyu Zhang Runxin Xu Qihao Zhu Shirong Ma Peiyi Wang et al. 2025. DeepSeek-R1: Incentivizing reasoning capability in LLMs via reinforcement learning. arXiv:2501.12948. Retrieved from https:\/\/arxiv.org\/abs\/2501.12948"},{"key":"e_1_3_1_20_2","first-page":"4171","volume-title":"Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT \u201919) (Long and Short Papers)","author":"Devlin Jacob","year":"2019","unstructured":"Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2019. BERT: Pre-training of deep bidirectional transformers for language understanding. In Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT \u201919) (Long and Short Papers). Association for Computational Linguistics, 4171\u20134186."},{"key":"e_1_3_1_21_2","first-page":"60","volume-title":"Proceedings of the 41st International Conference on Software Engineering (ICSE \u201919)","author":"Du Xiaoning","year":"2019","unstructured":"Xiaoning Du, Bihuan Chen, Yuekang Li, Jianmin Guo, Yaqin Zhou, Yang Liu, and Yu Jiang. 2019. Leopard: Identifying vulnerable code for vulnerability assessment through program metrics. In Proceedings of the 41st International Conference on Software Engineering (ICSE \u201919). IEEE\/ACM, 60\u201371."},{"key":"e_1_3_1_22_2","first-page":"4665","volume-title":"Proceedings of the 28th International Joint Conference on Artificial Intelligence","author":"Duan Xu","year":"2019","unstructured":"Xu Duan, Jingzheng Wu, Shouling Ji, Zhiqing Rui, Tianyue Luo, Mutian Yang, and Yanjun Wu. 2019. VulSniper: Focus your attention to shoot fine-grained vulnerabilities. In Proceedings of the 28th International Joint Conference on Artificial Intelligence, 4665\u20134671."},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387501"},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.findings-emnlp.139"},{"key":"e_1_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3528452"},{"key":"e_1_3_1_26_2","doi-asserted-by":"crossref","first-page":"704","DOI":"10.1145\/3627106.3627188","volume-title":"Annual Computer Security Applications Conference (ACSAC \u201923)","author":"Ganz Tom","year":"2023","unstructured":"Tom Ganz, Erik Imgrund, Martin H\u00e4rterich, and Konrad Rieck. 2023. PAVUDI: Patch-based vulnerability discovery using machine learning. In Annual Computer Security Applications Conference (ACSAC \u201923). ACM, 704\u2013717."},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.acl-long.499"},{"key":"e_1_3_1_28_2","volume-title":"9th International Conference on Learning Representations (ICLR \u201921)","author":"Guo Daya","year":"2021","unstructured":"Daya Guo, Shuo Ren, Shuai Lu, Zhangyin Feng, Duyu Tang, Shujie Liu, Long Zhou, Nan Duan, Alexey Svyatkovskiy, Shengyu Fu, et al. 2021. GraphCodeBERT: Pre-training code representations with data flow. In 9th International Conference on Learning Representations (ICLR \u201921)."},{"key":"e_1_3_1_29_2","first-page":"292","volume-title":"Proceedings of the 14th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS \u201920)","author":"Guo Yijia","year":"2021","unstructured":"Yijia Guo, Yuanwei Hou, Yongle Hao, and Wenjue Xu. 2021. Modeling and analysis of cyberspace threat sources based on vulnerabilities. In Proceedings of the 14th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS \u201920). Springer, 292\u2013303."},{"key":"e_1_3_1_30_2","doi-asserted-by":"crossref","first-page":"3171","DOI":"10.1007\/s13369-019-04319-2","article-title":"Cyber security threats and vulnerabilities: A systematic mapping study","volume":"45","author":"Humayun Mamoona","year":"2020","unstructured":"Mamoona Humayun, Mahmood Niazi, N. Z. Jhanjhi, Mohammad Alshayeb, and Sajjad Mahmood. 2020. Cyber security threats and vulnerabilities: A systematic mapping study. Arab. J. Sci. Eng. 45 (2020), 3171\u20133189.","journal-title":"Arab. J. Sci. Eng"},{"key":"e_1_3_1_31_2","unstructured":"Hamel Husain Ho-Hsiang Wu Tiferet Gazit Miltiadis Allamanis and Marc Brockschmidt. 2019. CodeSearchNet challenge: Evaluating the state of semantic code search. arXiv:1909.09436. Retrieved from http:\/\/arxiv.org\/abs\/1909.09436"},{"issue":"6","key":"e_1_3_1_32_2","article-title":"ReDeBug: Finding unpatched code clones in entire OS distributions","volume":"37","author":"Jang Jiyong","year":"2012","unstructured":"Jiyong Jang, Maverick Woo, and David Brumley. 2012. ReDeBug: Finding unpatched code clones in entire OS distributions. Usenix 37, 6 (2012).","journal-title":"Usenix"},{"key":"e_1_3_1_33_2","first-page":"111","volume-title":"Proceedings of the 56th International Conference on Artificial Intelligence","author":"Japkowicz Nathalie","year":"2000","unstructured":"Nathalie Japkowicz. 2000. The class imbalance problem: Significance and strategies. In Proceedings of the 56th International Conference on Artificial Intelligence, 111\u2013117."},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238177"},{"key":"e_1_3_1_35_2","doi-asserted-by":"crossref","first-page":"96","DOI":"10.1109\/ICSE.2007.30","volume-title":"29th International Conference on Software Engineering (ICSE \u201907)","author":"Jiang Lingxiao","year":"2007","unstructured":"Lingxiao Jiang, Ghassan Misherghi, Zhendong Su, and St\u00e9phane Glondu. 2007. DECKARD: Scalable and accurate tree-based detection of code clones. In 29th International Conference on Software Engineering (ICSE \u201907). IEEE Computer Society, 96\u2013105."},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/2737924.2737957"},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.5555\/962289.962305"},{"key":"e_1_3_1_38_2","first-page":"258","volume-title":"2006 IEEE Symposium on Security and Privacy (S&P \u201906)","author":"Jovanovic Nenad","year":"2006","unstructured":"Nenad Jovanovic, Christopher Kr\u00fcgel, and Engin Kirda. 2006. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In 2006 IEEE Symposium on Security and Privacy (S&P \u201906). IEEE Computer Society, 258\u2013263."},{"key":"e_1_3_1_39_2","first-page":"595","volume-title":"2017 IEEE Symposium on Security and Privacy (SP \u201917)","author":"Kim Seulbae","year":"2017","unstructured":"Seulbae Kim, Seunghoon Woo, Heejo Lee, and Hakjoo Oh. 2017. VUDDY: A scalable approach for vulnerable code clone discovery. In 2017 IEEE Symposium on Security and Privacy (SP \u201917). IEEE Computer Society, 595\u2013614."},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2006.18"},{"key":"e_1_3_1_41_2","first-page":"1","volume-title":"2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP \u201925)","author":"Li Jiayuan","year":"2025","unstructured":"Jiayuan Li, Lei Cui, Jie Zhang, Haiqiang Fei, Yu Chen, and Hongsong Zhu. 2025. Steering large language models for vulnerability detection. In 2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP \u201925). IEEE, 1\u20135."},{"key":"e_1_3_1_42_2","first-page":"7940","volume-title":"Findings of the Association for Computational Linguistics (ACL \u201925)","author":"Li Jiayuan","year":"2025","unstructured":"Jiayuan Li, Lei Cui, Sen Zhao, Yun Yang, Lun Li, and Hongsong Zhu. 2025. CLeVeR: Multi-modal contrastive learning for vulnerability code representation. In Findings of the Association for Computational Linguistics (ACL \u201925). Association for Computational Linguistics, 7940\u20137951."},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.5555\/2337223.2337260"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/3503222.3507770"},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/3695250"},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468597"},{"key":"e_1_3_1_47_2","first-page":"533","volume-title":"Proceedings of the ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/SIGSOFT FSE \u201919)","author":"Li Yuekang","year":"2019","unstructured":"Yuekang Li, Yinxing Xue, Hongxu Chen, Xiuheng Wu, Cen Zhang, Xiaofei Xie, Haijun Wang, and Yang Liu. 2019. Cerebro: Context-aware adaptive fuzzing for effective vulnerability detection. In Proceedings of the ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/SIGSOFT FSE \u201919). ACM, 533\u2013544."},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3076142"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3051525"},{"key":"e_1_3_1_50_2","volume-title":"25th Annual Network and Distributed System Security Symposium","author":"Li Zhen","year":"2018","unstructured":"Zhen Li, Deqing Zou, Shouhuai Xu, Xinyu Ou, Hai Jin, Sujuan Wang, Zhijun Deng, and Yuyi Zhong. 2018. VulDeePecker: A deep learning-based system for vulnerability detection. In 25th Annual Network and Distributed System Security Symposium."},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3691620.3695054"},{"key":"e_1_3_1_52_2","doi-asserted-by":"crossref","first-page":"112031","DOI":"10.1016\/j.jss.2024.112031","article-title":"GRACE: Empowering LLM-based software vulnerability detection with graph structure and in-context learning","volume":"212","author":"Lu Guilong","year":"2024","unstructured":"Guilong Lu, Xiaolin Ju, Xiang Chen, Wenlong Pei, and Zhilong Cai. 2024. GRACE: Empowering LLM-based software vulnerability detection with graph structure and in-context learning. J. Syst. Softw. 212 (2024), 112031.","journal-title":"J. Syst. Softw"},{"key":"e_1_3_1_53_2","unstructured":"Qiheng Mao Zhenhao Li Xing Hu Kui Liu Xin Xia and Jianling Sun. 2024. Towards effectively detecting and explaining vulnerabilities using large language models. arXiv:2406.09701. Retrieved from https:\/\/arxiv.org\/abs\/2406.09701"},{"key":"e_1_3_1_54_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3176058"},{"issue":"2","key":"e_1_3_1_55_2","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1007\/s10664-022-10276-6","article-title":"An empirical study of text-based machine learning models for vulnerability detection","volume":"28","author":"Napier Kollin","year":"2023","unstructured":"Kollin Napier, Tanmay Bhowmik, and Shaowei Wang. 2023. An empirical study of text-based machine learning models for vulnerability detection. Empir. Softw. Eng. 28, 2 (2023), 38.","journal-title":"Empir. Softw. Eng"},{"key":"e_1_3_1_56_2","first-page":"529","volume-title":"Proceedings of the 2007 ACM Conference on Computer and Communications Security (CCS \u201907)","author":"Neuhaus Stephan","year":"2007","unstructured":"Stephan Neuhaus, Thomas Zimmermann, Christian Holler, and Andreas Zeller. 2007. Predicting vulnerable software components. In Proceedings of the 2007 ACM Conference on Computer and Communications Security (CCS \u201907). ACM, 529\u2013540."},{"key":"e_1_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3616358"},{"key":"e_1_3_1_58_2","unstructured":"Yu Nong Mohammed Aldeen Long Cheng Hongxin Hu Feng Chen and Haipeng Cai. 2024. Chain-of-thought prompting of large language models for discovering and fixing software vulnerabilities. arXiv:2402.17230. Retrieved from https:\/\/arxiv.org\/abs\/2402.17230"},{"key":"e_1_3_1_59_2","unstructured":"NVD. 2024. National Vulnerability Database (NVD). Retrieved February 3 2024 from https:\/\/nvd.nist.gov\/"},{"key":"e_1_3_1_60_2","unstructured":"OpenAI. 2023. GPT-4 Technical Report. arXiv:2303.08774. Retrieved from https:\/\/arxiv.org\/abs\/2303.08774"},{"key":"e_1_3_1_61_2","first-page":"1","article-title":"Cyber security: Study on attack, threat, vulnerability","volume":"5","author":"Parikh Tushar P.","year":"2017","unstructured":"Tushar P. Parikh and Ashok R. Patel. 2017. Cyber security: Study on attack, threat, vulnerability. Int. J. Res. Mod. Eng. Emerg. Technol. 5 (2017), 1\u20137.","journal-title":"Int. J. Res. Mod. Eng. Emerg. Technol."},{"key":"e_1_3_1_62_2","volume-title":"Conference on Automated Knowledge Base Construction (AKBC \u201920)","author":"Petroni Fabio","year":"2020","unstructured":"Fabio Petroni, Patrick Lewis, Aleksandra Piktus, Tim Rockt\u00e4schel, Yuxiang Wu, Alexander H. Miller, and Sebastian Riedel. 2020. How context affects language models\u2019 factual predictions. In Conference on Automated Knowledge Base Construction (AKBC \u201920)."},{"key":"e_1_3_1_63_2","first-page":"1","volume-title":"Proceedings of the 46th IEEE\/ACM International Conference on Software Engineering (ICSE \u201924)","volume":"153","author":"Rahman Md Mahbubur","year":"2024","unstructured":"Md Mahbubur Rahman, Ira Ceka, Chengzhi Mao, Saikat Chakraborty, Baishakhi Ray, and Wei Le. 2024. Towards causal deep learning for vulnerability detection. In Proceedings of the 46th IEEE\/ACM International Conference on Software Engineering (ICSE \u201924). ACM, Article 153, 1\u201311."},{"key":"e_1_3_1_64_2","first-page":"172","volume-title":"The 16th IEEE International Conference on Program Comprehension (ICPC \u201908)","author":"Roy Chanchal Kumar","year":"2008","unstructured":"Chanchal Kumar Roy and James R. Cordy. 2008. NICAD: Accurate detection of near-miss intentional clones using flexible pretty-printing and code normalization. In The 16th IEEE International Conference on Program Comprehension (ICPC \u201908). IEEE Computer Society, 172\u2013181."},{"key":"e_1_3_1_65_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2018.00120"},{"key":"e_1_3_1_66_2","first-page":"1157","volume-title":"Proceedings of the 38th International Conference on Software Engineering (ICSE \u201919)","author":"Sajnani Hitesh","year":"2016","unstructured":"Hitesh Sajnani, Vaibhav Saini, Jeffrey Svajlenko, Chanchal K. Roy, and Cristina V. Lopes. 2016. SourcererCC: Scaling code clone detection to big-code. In Proceedings of the 38th International Conference on Software Engineering (ICSE \u201919). ACM, 1157\u20131168."},{"key":"e_1_3_1_67_2","unstructured":"SARD. 2024. SARD. Retrieved February 3 2024 from https:\/\/samate.nist.gov\/SARD\/"},{"key":"e_1_3_1_68_2","unstructured":"Inc. Secure Software. 2024. Rough Auditing Tool for Security (RATS). Retrieved February 3 2024 from https:\/\/github.com\/wireghoul\/rats"},{"key":"e_1_3_1_69_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/P16-1162"},{"key":"e_1_3_1_70_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2014.2373377"},{"key":"e_1_3_1_71_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2010.81"},{"key":"e_1_3_1_72_2","doi-asserted-by":"crossref","first-page":"88852","DOI":"10.1109\/ACCESS.2021.3075385","article-title":"Context-aware software vulnerability classification using machine learning","volume":"9","author":"Siewruk Grzegorz","year":"2021","unstructured":"Grzegorz Siewruk and Wojciech Mazurczyk. 2021. Context-aware software vulnerability classification using machine learning. IEEE Access 9 (2021), 88852\u201388867.","journal-title":"IEEE Access"},{"key":"e_1_3_1_73_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3133923","article-title":"IDE \\({}^{\\mbox{\\emph{al}}}\\) : Efficient and precise alias-aware dataflow analysis","volume":"1","author":"Sp\u00e4th Johannes","year":"2017","unstructured":"Johannes Sp\u00e4th, Karim Ali, and Eric Bodden. 2017. IDE \\({}^{\\mbox{\\emph{al}}}\\) : Efficient and precise alias-aware dataflow analysis. Proc. ACM Program. Lang. 1, OOPSLA (2017), Article 99, 1\u201327.","journal-title":"Proc. ACM Program. Lang"},{"key":"e_1_3_1_74_2","first-page":"1","volume-title":"Proceedings of the 46th IEEE\/ACM International Conference on Software Engineering (ICSE \u201924)","volume":"16","author":"Steenhoek Benjamin","year":"2024","unstructured":"Benjamin Steenhoek, Hongyang Gao, and Wei Le. 2024. Dataflow analysis-inspired deep learning for efficient vulnerability detection. In Proceedings of the 46th IEEE\/ACM International Conference on Software Engineering (ICSE \u201924). ACM, Article 16, 1\u201313."},{"key":"e_1_3_1_75_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102417"},{"key":"e_1_3_1_76_2","first-page":"740","volume-title":"16th International Conference on Mobility, Sensing and Networking (MSN \u201920)","author":"Sun Yizhen","year":"2020","unstructured":"Yizhen Sun, Dandan Lin, Hong Song, Minjia Yan, and Linjing Cao. 2020. A method to construct vulnerability knowledge graph based on heterogeneous data. In 16th International Conference on Mobility, Sensing and Networking (MSN \u201920). IEEE, 740\u2013745."},{"key":"e_1_3_1_77_2","unstructured":"Yuqiang Sun Daoyuan Wu Yue Xue Han Liu Wei Ma Lyuye Zhang Miaolei Shi and Yang Liu. 2024. LLM4Vuln: A unified evaluation framework for decoupling and enhancing LLMs\u2019 vulnerability reasoning. arXiv:2401.16185. Retrieved from https:\/\/arxiv.org\/abs\/2401.16185"},{"key":"e_1_3_1_78_2","unstructured":"Hugo Touvron Thibaut Lavril Gautier Izacard Xavier Martinet Marie-Anne Lachaux Timoth\u00e9e Lacroix Baptiste Rozi\u00e8re Naman Goyal Eric Hambro Faisal Azhar et al. 2023. LLaMA: Open and efficient foundation language models. arXiv:2302.13971. Retrieved from https:\/\/arxiv.org\/abs\/2302.13971"},{"key":"e_1_3_1_79_2","unstructured":"tree-sitter. [n.\u2009d.]. tree-sitter. Retrieved February 3 2024 from https:\/\/tree-sitter.github.io\/tree-sitter\/"},{"key":"e_1_3_1_80_2","doi-asserted-by":"crossref","first-page":"862","DOI":"10.1109\/SP54263.2024.00210","volume-title":"IEEE Symposium on Security and Privacy (SP \u201924)","author":"Ullah Saad","year":"2024","unstructured":"Saad Ullah, Mingji Han, Saurabh Pujar, Hammond Pearce, Ayse K. Coskun, and Gianluca Stringhini. 2024. LLMs cannot reliably identify and reason about security vulnerabilities (yet?): A comprehensive evaluation, framework, and benchmarks. In IEEE Symposium on Security and Privacy (SP \u201924). IEEE, 862\u2013880."},{"key":"e_1_3_1_81_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2828848"},{"key":"e_1_3_1_82_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.12"},{"key":"e_1_3_1_83_2","first-page":"5998","volume-title":"Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems","author":"Vaswani Ashish","year":"2017","unstructured":"Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N. Gomez, Lukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. In Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems, 5998\u20136008."},{"key":"e_1_3_1_84_2","first-page":"23","volume-title":"25th IEEE International Symposium on Software Reliability Engineering (ISSRE \u201914)","author":"Walden James","year":"2014","unstructured":"James Walden, Jeff Stuckman, and Riccardo Scandariato. 2014. Predicting vulnerable components: Software metrics vs text mining. In 25th IEEE International Symposium on Software Reliability Engineering (ISSRE \u201914). IEEE Computer Society, 23\u201333."},{"key":"e_1_3_1_85_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00199"},{"key":"e_1_3_1_86_2","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884804"},{"key":"e_1_3_1_87_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.emnlp-main.685"},{"key":"e_1_3_1_88_2","doi-asserted-by":"publisher","DOI":"10.1145\/3442520.3442535"},{"key":"e_1_3_1_89_2","article-title":"Emergent abilities of large language models","volume":"2022","author":"Wei Jason","year":"2022","unstructured":"Jason Wei, Yi Tay, Rishi Bommasani, Colin Raffel, Barret Zoph, Sebastian Borgeaud, Dani Yogatama, Maarten Bosma, Denny Zhou, Donald Metzler, et al. 2022. Emergent abilities of large language models. Trans. Mach. Learn. Res 2022 (2022).","journal-title":"Trans. Mach. Learn. Res"},{"key":"e_1_3_1_90_2","volume-title":"Advances in Neural Information Processing Systems 35: Annual Conference on Neural Information Processing Systems 2022 (NeurIPS \u201922)","author":"Wei Jason","year":"2022","unstructured":"Jason Wei, Xuezhi Wang, Dale Schuurmans, Maarten Bosma, Brian Ichter, Fei Xia, Ed. H. Chi, Quoc V. Le, and Denny Zhou. 2022. Chain-of-thought prompting elicits reasoning in large language models. In Advances in Neural Information Processing Systems 35: Annual Conference on Neural Information Processing Systems 2022 (NeurIPS \u201922)."},{"key":"e_1_3_1_91_2","first-page":"2275","volume-title":"45th IEEE\/ACM International Conference on Software Engineering (ICSE \u201923)","author":"Wen Xin-Cheng","year":"2023","unstructured":"Xin-Cheng Wen, Yupan Chen, Cuiyun Gao, Hongyu Zhang, Jie M. Zhang, and Qing Liao. 2023. Vulnerability detection with graph simplification and enhanced graph representation learning. In 45th IEEE\/ACM International Conference on Software Engineering (ICSE \u201923). IEEE, 2275\u20132286."},{"key":"e_1_3_1_92_2","unstructured":"David A. Wheeler. 2024. Flawfinder\u2014A Static Analysis Tool for Finding Security Vulnerabilities in C\/C++ Source Code. Retrieved February 3 2024 from https:\/\/dwheeler.com\/flawfinder\/"},{"key":"e_1_3_1_93_2","first-page":"378","volume-title":"2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE \u201921)","author":"Wu Hongjun","year":"2021","unstructured":"Hongjun Wu, Zhuo Zhang, Shangwen Wang, Yan Lei, Bo Lin, Yihao Qin, Haoyu Zhang, and Xiaoguang Mao. 2021. Peculiar: Smart contract vulnerability detection based on crucial data flow graph and pre-training techniques. In 2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE \u201921). IEEE, 378\u2013389."},{"key":"e_1_3_1_94_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510229"},{"key":"e_1_3_1_95_2","first-page":"1165","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920)","author":"Xiao Yang","year":"2020","unstructured":"Yang Xiao, Bihuan Chen, Chendong Yu, Zhengzi Xu, Zimu Yuan, Feng Li, Binghong Liu, Yang Liu, Wei Huo, Wei Zou, and Wenchang Shi. 2020. MVP: Detecting vulnerabilities using patch-enhanced vulnerability signatures. In 29th USENIX Security Symposium (USENIX Security \u201920). USENIX Association, 1165\u20131182."},{"key":"e_1_3_1_96_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"e_1_3_1_97_2","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2421003"},{"key":"e_1_3_1_98_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.54"},{"key":"e_1_3_1_99_2","first-page":"499","volume-title":"2013 ACM SIGSAC Conference on Computer and Communications Security (CCS \u201913)","author":"Yamaguchi Fabian","year":"2013","unstructured":"Fabian Yamaguchi, Christian Wressnegger, Hugo Gascon, and Konrad Rieck. 2013. Chucky: exposing missing checks in source code for vulnerability discovery. In 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS \u201913). ACM, 499\u2013510."},{"key":"e_1_3_1_100_2","first-page":"5511","volume-title":"62nd Annual Meeting of the Association for Computational Linguistics (ACL \u201924)","author":"Yan Weixiang","year":"2024","unstructured":"Weixiang Yan, Haitian Liu, Yunkun Wang, Yunzhe Li, Qian Chen, Wen Wang, Tingyu Lin, Weishan Zhao, Li Zhu, Hari Sundaram, et al. 2024. CodeScope: An execution-based multilingual multitask multidimensional benchmark for evaluating LLMs on code understanding and generation. In 62nd Annual Meeting of the Association for Computational Linguistics (ACL \u201924). Association for Computational Linguistics (ACL), 5511\u20135558."},{"key":"e_1_3_1_101_2","doi-asserted-by":"crossref","first-page":"1274","DOI":"10.1145\/3650212.3680359","volume-title":"Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis","author":"Yin Xin","year":"2024","unstructured":"Xin Yin, Chao Ni, Shaohua Wang, Zhenhao Li, Limin Zeng, and Xiaohu Yang. 2024. Thinkrepair: Self-directed automated program repair. In Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 1274\u20131286."},{"key":"e_1_3_1_102_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11859-019-1380-z"},{"key":"e_1_3_1_103_2","first-page":"10197","volume-title":"Annual Conference on Neural Information Processing Systems","author":"Zhou Yaqin","year":"2019","unstructured":"Yaqin Zhou, Shangqing Liu, Jing Kai Siow, Xiaoning Du, and Yang Liu. 2019. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In Annual Conference on Neural Information Processing Systems, 10197\u201310207."},{"issue":"5","key":"e_1_3_1_104_2","first-page":"2224","article-title":"\\(\\mu\\)  VulDeePecker: A deep learning-based system for multiclass vulnerability detection","volume":"18","author":"Zou Deqing","year":"2019","unstructured":"Deqing Zou, Sujuan Wang, Shouhuai Xu, Zhen Li, and Hai Jin. 2019. \\(\\mu\\) VulDeePecker: A deep learning-based system for multiclass vulnerability detection. IEEE Trans. Dependable Secur. Comput. 18, 5 (2019), 2224\u20132236.","journal-title":"IEEE Trans. Dependable Secur. Comput"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3768582","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T02:33:23Z","timestamp":1778726003000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3768582"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,13]]},"references-count":103,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2026,6,30]]}},"alternative-id":["10.1145\/3768582"],"URL":"https:\/\/doi.org\/10.1145\/3768582","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,13]]},"assertion":[{"value":"2025-03-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-09-09","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-05-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}