Just-in-time software vulnerability detection: Are we there yet?

Francesco Lomio, Emanuele Iannone, Andrea De Lucia, Fabio Palomba, Valentina Lenarduzzi

Research output: Contribution to journalArticleScientificpeer-review

4 Downloads (Pure)


Software vulnerabilities are weaknesses in source code that might be exploited to cause harm or loss. Previous work has proposed a number of automated machine learning approaches to detect them. Most of these techniques work at release-level, meaning that they aim at predicting the files that will potentially be vulnerable in a future release. Yet, researchers have shown that a commit-level identification of source code issues might better fit the developer’s needs, speeding up their resolution.

To investigate how currently available machine learning-based vulnerability detection mechanisms can support developers in the detection of vulnerabilities at commit-level.

We perform an empirical study where we consider nine projects accounting for 8991 commits and experiment with eight machine learners built using process, product, and textual metrics.

We point out three main findings: (1) basic machine learners rarely perform well; (2) the use of ensemble machine learning algorithms based on boosting can substantially improve the performance; and (3) the combination of more metrics does not necessarily improve the classification capabilities.

Further research should focus on just-in-time vulnerability detection, especially with respect to the introduction of smart approaches for feature selection and training strategies.
Original languageEnglish
Article number111283
JournalJournal of Systems and Software
Publication statusPublished - 21 Feb 2022
Publication typeA1 Journal article-refereed


  • Software Vulnerabilities
  • Empirical SE
  • Machine Learning

Publication forum classification

  • Publication forum level 3


Dive into the research topics of 'Just-in-time software vulnerability detection: Are we there yet?'. Together they form a unique fingerprint.

Cite this