Allix K, Bissyandé T F, Klein J, Le Traon Y (2015) Are your training datasets yet relevant?. In: International Symposium on Engineering Secure Software and Systems. Springer, pp 51–67
Arnold R S (1996) Software change impact analysis. IEEE Computer Society Press, California
Berr J (2017) “wannacry” ransomware attack losses could reach $4 billion. https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/, Available: August 2018
Bissyande T F, Thung F, Wang S, Lo D, Jiang L, Reveillere L (2013) Empirical evaluation of bug linking. In: Software Maintenance and Reengineering (CSMR), 2013 17th European Conference on. IEEE, pp 89–98
Blum A, Mitchell T (1998) Combining labeled and unlabeled data with co-training. In: Proceedings of the eleventh annual conference on Computational learning theory. ACM, pp 92–100
Brooks T N (2017) Survey of automated vulnerability detection and exploit generation techniques in cyber reasoning systems. arXiv preprint arXiv: 1702.06162
Cadar C, Dunbar D, Engler D R, et al. (2008) Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, vol 8, pp 209–224
Cha S K, Avgerinos T, Rebert A, Brumley D (2012) Unleashing mayhem on binary code. In: Security and Privacy (SP), 2012 IEEE Symposium on. IEEE, pp 380–394
Chang R-Y, Podgurski A, Yang J (2008) Discovering neglected conditions in software by mining dependence graphs. IEEE Trans Softw Eng 34 (5):579–596 DOI: 10.1109/TSE.2008.24
Chawla N V, Bowyer K W, Hall L O, Kegelmeyer W P (2002) Smote: synthetic minority over-sampling technique. Journal of artificial intelligence research 16:321–357 DOI: 10.1613/jair.953
Chowdhury I, Chan B, Zulkernine M (2008) Security metrics for source code structures. In: Proceedings of the fourth international workshop on Software engineering for secure systems. ACM, pp 57–64
Du X, Chen B, Li Y, Guo J, Zhou Y, Liu Y, Jiang Y (2019) Leopard: Identifying vulnerable code for vulnerability assessment through program metrics. 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), 60–71
Godefroid P, Levin M Y, Molnar D A, et al. (2008) Automated whitebox fuzz testing. In: NDSS, vol 8, pp 151–166
Hempstalk K, Frank E (2008) Discriminating against new classes: One-class versus multi-class classification. In: Australasian Joint Conference on Artificial Intelligence. Springer, pp 325–336
Hoang T, Lawall J, Oentaryo R J, Tian Y, Lo D (2018) Patchnet: A tool for deep patch classification. In: Tool Demonstrations of International Conference on Software Engineering
Jay G, Hale J E, Smith R K, Hale D P, Kraft N A, Ward C (2009) Cyclomatic complexity and lines of code: Empirical evidence of a stable linear relationship. JSEA 2(3):137–143 DOI: 10.4236/jsea.2009.23020
Ji T, Wu Y, Wang C, Zhang X, Wang Z (2018) The coming era of alphahacking?: A survey of automatic software vulnerability detection, exploitation and patching techniques. In: 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC). IEEE
Jimenez M, Le Traon Y, Papadakis M (2018) Enabling the continous analysis of security vulnerabilities with vuldata7. In: IEEE International Working Conference on Source Code Analysis and Manipulation
Knight W (2017) The dark secret at the heart of ai. MIT Technology Review https://www.technologyreview.com/s/604087/the-dark-secret-at-the-heart-of-ai/
Koyuncu A, Bissyandé T F, Kim D, Klein J, Monperrus M, Le Traon Y (2017) Impact of tool support in patch construction. In: Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM, pp 237–248
Krogel M-A, Scheffer T (2004) Multi-relational learning, text mining, and semi-supervised learning for functional genomics. Mach Learn 57(1-2):61–81 DOI: 10.1023/B:MACH.0000035472.73496.0c
Li B, Sun X, Leung H, Zhang S (2013) A survey of code-based change impact analysis techniques. Softw Test Verification Reliab 23(8):613–646 DOI: 10.1002/stvr.1475
Li L, Bartel A, Bissyandé T F, Klein J, Le Traon Y, Arzt S, Rasthofer S, Bodden E, Octeau D, McDaniel P (2015) Iccta: Detecting inter-component privacy leaks in android apps. In: Proceedings of the 37th International Conference on Software Engineering-Volume 1. IEEE Press, pp 280–291
Li X, Liu B (2003) Learning to classify text using positive and unlabeled data. In: IJCAI. ACM, pp 587– 592
Li Z, Zou D, Xu S, Ou X, Jin H, Wang S, Deng Z, Zhong Y (2018) Vuldeepecker: A deep learning-based system for vulnerability detection. arXiv: 1801.01681
Mann H B, Whitney D R (1947) On a test of whether one of two random variables is stochastically larger than the other. The annals of mathematical statistics, pp. 50–60
Newsome J, Song D X (2005) Dynamic taint analysis for automatic detection, analysis, and signaturegeneration of exploits on commodity software. In: NDSS, vol 5. Citeseer, pp 3–4
Nguyen A T, Nguyen T T, Nguyen H A, Nguyen T N (2012) Multi-layered approach for recovering links between bug reports and fixes. In: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering. ACM, p 63
Nigam K, Ghani R (2000) Analyzing the effectiveness and applicability of co-training. In: Proceedings of the ninth international conference on Information and knowledge management. ACM, pp 86–93
NIST (2018) National vulnerability database. https://nvd.nist.gov
Perl H, Dechand S, Smith M, Arp D, Yamaguchi F, Rieck K, Fahl S, Acar Y (2015) Vccfinder: Finding potential vulnerabilities in open-source projects to assist code audits. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, pp 426–437
Ponta S E, Plate H, Sabetta A, Bezzi M, Dangremont C (2019) A manually-curated dataset of fixes to vulnerabilities of open-source software. arXiv preprint arXiv: 1902.02595
Pontin J (2018) Greedy, brittle, opaque, and shallow: The downsides to deep learning. https://www.wired.com/story/greedy-brittle-opaque-and-shallow-the-downsides-to-deep-learning/
Porter M F (1980) An algorithm for suffix stripping. Program 14 (3):130–137 DOI: 10.1108/eb046814
Reis S, Abreu R (2017) SECBENCH: A database of real security vulnerabilities. In: Jaatun M G, Cruzes D S (eds) Proceedings of the International Workshop on Secure Software Engineering in DevOps and Agile Development co-located with the 22nd European Symposium on Research in Computer Security (ESORICS 2017), Oslo, Norway, September 14, 2017. CEUR Workshop Proceedings, vol 1977, CEUR-WS.org, pp 69–85
Ribeiro M T, Singh S, Guestrin C (2016) Why should i trust you?: Explaining the predictions of any classifier. In: Proceedings of the 22nd ACM SIGKDD international conference on knowledge discovery and data mining. ACM, pp 1135–1144
Sabetta A, Bezzi M (2018) A practical approach to the automatic classification of security-relevant commits. In: 34th IEEE International Conference on Software Maintenance and Evolution (ICSME)
Scandariato R, Walden J, Hovsepyan A, Joosen W (2014) Predicting vulnerable software components via text mining. IEEE Trans Softw Eng 40(10):993–1006 DOI: 10.1109/TSE.2014.2340398
Snyk.io (2017) The state of open-source security. https://snyk.io/stateofossecurity/pdf/The%20State%20of%20Open%20Source.pdf, Available: August 2018
Sutton M, Greene A, Amini P (2007) Fuzzing: brute force vulnerability discovery. Pearson Education, California
Szekeres L, Payer M, Wei T, Song D (2013) Sok: Eternal war in memory. In: Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, pp 48–62
Tian Y, Lawall J, Lo D (2012) Identifying linux bug fixing patches. In: Proceedings of the 34th International Conference on Software Engineering. IEEE Press, pp 386–396
Trend Micro (2017) Patching problems and how to solve them. https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/patching-problems-and-how-to-solve-them, Available: August 2018
van Rossum G (2008) Origin of bdfl. All Things Pythonic Weblogs. http://www.artima.com/weblogs/viewpost.jsp
Vapnik V (2013) The nature of statistical learning theory. Springer, New York
Wu R, Zhang H, Kim S, Cheung S-C (2011) Relink: recovering links between bugs and changes. In: Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering. ACM, pp 15–25
Xiao Y, Chen B, Yu C, Xu Z, Yuan Z, Li F, Liu B, Liu Y, Huo W, Zou W, Shi W (2020) Mvp: Detecting vulnerabilities using patch-enhanced vulnerability signatures. In: USENIX Security Symposium
Yamaguchi F, Golde N, Arp D, Rieck K (2014) Modeling and discovering vulnerabilities with code property graphs. In: 2014 IEEE Symposium on Security and Privacy, pp 590–604
Yamaguchi F, Golde N, Arp D, Rieck K (2014) Modeling and discovering vulnerabilities with code property graphs. In: Security and Privacy (SP), 2014 IEEE Symposium on. IEEE, pp 590–604
Yamaguchi F, Wressnegger C, Gascon H, Rieck K (2013) Chucky: Exposing missing checks in source code for vulnerability discovery. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, pp 499–510
Ying Annie TT, Murphy G C, Ng R, Chu-Carroll M C (2004) Predicting source code changes by mining change history. IEEE Trans Softw Eng 30 (9):574–586 DOI: 10.1109/TSE.2004.52
Zhou Y, Liu S, Siow J, Du X, Liu Y (2019) Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In: NeurIPS
Zhou Y, Sharma A (2017) Automated identification of security issues from commit messages and bug reports. In: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. ACM, pp 914–919
Zimmermann T, Nagappan N, Williams L (2010) Searching for a needle in a haystack: Predicting security vulnerabilities for windows vista. In: Software Testing, Verification and Validation (ICST), 2010 Third International Conference on. IEEE, pp 421–428
