University of Oulu

Lomio, F., Iannone, E., De Lucia, A., Palomba, F., & Lenarduzzi, V. (2022). Just-in-time software vulnerability detection: Are we there yet? Journal of Systems and Software, 188, 111283.

Just-in-time software vulnerability detection : are we there yet?

Saved in:
Author: Lomio, Francesco1; Iannone, Emanuele2; De Lucia, Andrea2;
Organizations: 1Tampere University, Finland
2SeSa Lab — Department of Computer Science, University of Salerno, Italy
3University of Oulu, Finland
Format: article
Version: published version
Access: open
Online Access: PDF Full Text (PDF, 0.8 MB)
Persistent link:
Language: English
Published: Elsevier, 2022
Publish Date: 2022-06-22


Background: Software vulnerabilities are weaknesses in source code that might be exploited to cause harm or loss. Previous work has proposed a number of automated machine learning approaches to detect them. Most of these techniques work at release-level, meaning that they aim at predicting the files that will potentially be vulnerable in a future release. Yet, researchers have shown that a commit-level identification of source code issues might better fit the developer’s needs, speeding up their resolution.

Objective: To investigate how currently available machine learning-based vulnerability detection mechanisms can support developers in the detection of vulnerabilities at commit-level.

Method: We perform an empirical study where we consider nine projects accounting for 8991 commits and experiment with eight machine learners built using process, product, and textual metrics.

Results: We point out three main findings: (1) basic machine learners rarely perform well; (2) the use of ensemble machine learning algorithms based on boosting can substantially improve the performance; and (3) the combination of more metrics does not necessarily improve the classification capabilities.

Conclusions: Further research should focus on just-in-time vulnerability detection, especially with respect to the introduction of smart approaches for feature selection and training strategies.

see all

Series: Journal of systems and software
ISSN: 0164-1212
ISSN-E: 1873-1228
ISSN-L: 0164-1212
Volume: 188
Article number: 111283
DOI: 10.1016/j.jss.2022.111283
Type of Publication: A1 Journal article – refereed
Field of Science: 113 Computer and information sciences
Copyright information: © 2022 The Author(s). This is an open access article under the CC BY license (