pith. sign in

arxiv: 2403.18624 · v2 · pith:SLFAEP5Wnew · submitted 2024-03-27 · 💻 cs.SE · cs.CL

Vulnerability Detection with Code Language Models: How Far Are We?

classification 💻 cs.SE cs.CL
keywords codevulnerabilitydatadetectionmodelsperformanceprimevulaccuracy
0
0 comments X
read the original abstract

In the context of the rising interest in code language models (code LMs) and vulnerability detection, we study the effectiveness of code LMs for detecting vulnerabilities. Our analysis reveals significant shortcomings in existing vulnerability datasets, including poor data quality, low label accuracy, and high duplication rates, leading to unreliable model performance in realistic vulnerability detection scenarios. Additionally, the evaluation methods used with these datasets are not representative of real-world vulnerability detection. To address these challenges, we introduce PrimeVul, a new dataset for training and evaluating code LMs for vulnerability detection. PrimeVul incorporates a novel set of data labeling techniques that achieve comparable label accuracy to human-verified benchmarks while significantly expanding the dataset. It also implements a rigorous data de-duplication and chronological data splitting strategy to mitigate data leakage issues, alongside introducing more realistic evaluation metrics and settings. This comprehensive approach aims to provide a more accurate assessment of code LMs' performance in real-world conditions. Evaluating code LMs on PrimeVul reveals that existing benchmarks significantly overestimate the performance of these models. For instance, a state-of-the-art 7B model scored 68.26% F1 on BigVul but only 3.09% F1 on PrimeVul. Attempts to improve performance through advanced training techniques and larger models like GPT-3.5 and GPT-4 were unsuccessful, with results akin to random guessing in the most stringent settings. These findings underscore the considerable gap between current capabilities and the practical requirements for deploying code LMs in security roles, highlighting the need for more innovative research in this domain.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 26 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Satisfiability Solving with LLMs: A Matched-Pair Evaluation of Reasoning Capability

    cs.AI 2026-05 unverdicted novelty 7.0

    A matched-pair protocol and Accurate Differentiation Rate metric reveal that conventional LLM accuracy on SAT problems is often inflated by over-predicting satisfiability, while cross-representation agreement exceeds ...

  2. ASSEMBLAGE-DEEPHISTORY: A Cross-Build Binary Dataset with Temporal Coverage

    cs.CR 2026-05 unverdicted novelty 7.0

    A new queryable binary dataset combining cross-build diversity, temporal history, and CVE labels with linked metadata for vulnerability research.

  3. BioDefect: The First Dataset for Defect Detection in Bioinformatics Software

    cs.SE 2026-05 unverdicted novelty 7.0

    BioDefect is a new dataset for defect detection in bioinformatics software that improves average F1-scores by 29.61% to 38.04% over existing datasets when evaluated on nine language models.

  4. VulTriage: Triple-Path Context Augmentation for LLM-Based Vulnerability Detection

    cs.AI 2026-05 conditional novelty 7.0

    VulTriage improves LLM-based vulnerability detection by combining control-flow verbalization, CWE knowledge retrieval, and semantic summarization, achieving state-of-the-art results on the PrimeVul dataset.

  5. RealVuln: Benchmarking Rule-Based, General-Purpose LLM, and Security-Specialized Scanners on Real-World Code

    cs.CR 2026-04 unverdicted novelty 7.0

    RealVuln benchmark finds security-specialized scanners outperform general-purpose LLMs and rule-based SAST tools on hand-labeled vulnerable Python code under F3 scoring, with all artifacts released.

  6. Focus on What Matters: Fisher-Guided Adaptive Multimodal Fusion for Vulnerability Detection

    cs.SE 2026-01 unverdicted novelty 7.0

    Fisher information selects task-relevant parts of graph features to fuse with pretrained code models, improving vulnerability detection F1 by up to 6.3 points on BigVul, Devign, and ReVeal.

  7. ReDef: Do Code Language Models Truly Understand Code Changes for Just-in-Time Software Defect Prediction?

    cs.SE 2025-09 unverdicted novelty 7.0

    ReDef creates a revert-anchored dataset of 3,164 defective and 10,268 clean code modifications and shows that code language models perform better with diff encodings but maintain stable performance under counterfactua...

  8. Direction for Detection: A Survey of Automated Vulnerability Detection and all of its Pain Points

    cs.SE 2024-12 conditional novelty 7.0

    ML4AVD research remains locked into binary function-level classification of C/C++ vulnerabilities because twelve pain points in the pipeline reinforce each other through feedback loops.

  9. Representation Matters: An Empirical Study of Program Representations for LLM Vulnerability Reasoning

    cs.CR 2026-06 unverdicted novelty 6.0

    Empirical benchmark RepBench shows AST+PDG yields 83.2% accuracy for LLM vulnerability reasoning vs 53.5% for raw source, with graph-only prompts superior due to reduced context dilution.

  10. Calibration Without Comprehension: Diagnosing the Limits of Fine-Tuning LLMs for Vulnerability Detection in Systems Software

    cs.CR 2026-06 conditional novelty 6.0

    A curated temporal-split benchmark shows LLMs achieve at most 52.1% vulnerability detection accuracy after fine-tuning because backbone directional biases resist correction and contamination provides no benefit.

  11. On the Shoulders of Giants: Empowering Automated Smart Contract Auditing via the GiAnt Corpus

    cs.CR 2026-06 unverdicted novelty 6.0

    GiANT uses divide-and-conquer and Chain-of-Thought prompting on 388 Code4rena reports to produce a 7,711-finding vulnerability corpus validated at 4.76/5 quality by manual review.

  12. CyberGym-E2E: Scalable Real-World Benchmark for AI Agents' End-to-End Cybersecurity Capabilities

    cs.CR 2026-06 unverdicted novelty 6.0

    CyberGym-E2E is a new end-to-end benchmark that evaluates AI agents on vulnerability discovery, PoC generation, and patch generation using 920 real-world cases from open-source projects.

  13. Dissecting the Black Box: Circuit-Level Analysis of LLM Vulnerability Detection

    cs.CR 2026-05 unverdicted novelty 6.0

    LLM vulnerability detection in Gemma-2-2b relies on sparse safety-detector circuits in early layers rather than direct vulnerability signatures, identified via circuit tracing and ablation on 472 C/C++ samples.

  14. Veritas: A Semantically Grounded Agentic Framework for Memory Corruption Vulnerability Detection in Binaries

    cs.SE 2026-05 unverdicted novelty 6.0

    Veritas detects memory corruption vulnerabilities in stripped binaries by combining static value-flow slicing, dual-view LLM reasoning, and multi-agent runtime validation, reporting 90% recall, zero false positives on...

  15. Code-Centric Detection of Vulnerability-Fixing Commits: A Unified Benchmark and Empirical Study

    cs.SE 2026-05 accept novelty 6.0

    Code language models show no transferable security understanding from code diffs alone, rely on commit messages, miss over 93% of fixes at 0.5% false positive rate, and suffer large drops under group or temporal splits.

  16. Verify Before You Fix: Agentic Execution Grounding for Trustworthy Cross-Language Code Analysis

    cs.SE 2026-04 unverdicted novelty 6.0

    A framework combining universal AST normalization, hybrid graph-LLM embeddings, and strict execution-grounded validation achieves 89-92% intra-language accuracy and 74-80% cross-language F1 while resolving 70% of vuln...

  17. Vulnerability Detection with Interprocedural Context in Multiple Languages: Assessing Effectiveness and Cost of Modern LLMs

    cs.SE 2026-04 unverdicted novelty 6.0

    Adding interprocedural context from callers or callees enables LLMs to detect vulnerabilities more effectively, with Gemini 3 Flash achieving F1 scores of at least 0.978 for C at low cost and Claude Haiku 4.5 excellin...

  18. PoC-Adapt: Semantic-Aware Automated Vulnerability Reproduction with LLM Multi-Agents and Reinforcement Learning-Driven Adaptive Policy

    cs.CR 2026-04 unverdicted novelty 6.0

    PoC-Adapt improves automated PoC exploit generation reliability by 25% and lowers cost using semantic state validation and RL adaptive policies, verifying 12 PoCs from 80 recent CVE attempts at $0.42 each.

  19. Do Fine-Tuned LLMs Understand Vulnerabilities? An Investigation into the Semantic Trap

    cs.CR 2026-01 unverdicted novelty 6.0

    Fine-tuned decoder-only LLMs fall into a Semantic Trap on vulnerability detection, achieving high scores on unpaired normal code but failing on paired vulnerable-patched code, semantic perturbations, and gap analysis,...

  20. A Metamorphic Testing Perspective on Knowledge Distillation for Language Models of Code: Does the Student Deeply Mimic the Teacher?

    cs.SE 2025-11 unverdicted novelty 6.0

    Student models distilled from code language models often fail to deeply mimic teachers, showing up to 62% behavioral discrepancies and 285% worse drops under attacks that accuracy metrics miss.

  21. XOXO: Stealthy Cross-Origin Context Poisoning Attacks against AI Coding Assistants

    cs.CR 2025-03 unverdicted novelty 6.0

    XOXO is a cross-origin context poisoning attack on AI coding assistants that uses a Cayley Graph search algorithm (GCGS) to find stealthy perturbations, achieving 75.72% average success rate across five tasks and elev...

  22. Bastet: A Fine-Grained Expert-Labeled Dataset for DeFi Smart Contract Vulnerability Detection

    cs.CR 2026-06 unverdicted novelty 5.0

    Bastet is an expert-labeled dataset for DeFi smart contract vulnerabilities drawn from 2021-2024 Code4rena audits, using consensus annotation and a fine-grained two-layer taxonomy to address gaps in prior datasets.

  23. LCC-LLM: Leveraging Code-Centric Large Language Models for Malware Attribution

    cs.CR 2026-05 unverdicted novelty 5.0

    LCC-LLM creates a code-centric dataset and RAG-based LLM framework that reaches 0.634 average semantic similarity on 43 malware tasks and 10/10 pass rate in real-world case studies.

  24. Learning Generalizable Multimodal Representations for Software Vulnerability Detection

    cs.SE 2026-04 unverdicted novelty 5.0

    MultiVul uses multimodal contrastive learning to align code and comment representations, yielding up to 27% F1 gains on vulnerability detection benchmarks over prompting and code-only baselines.

  25. VulWeaver: Weaving Broken Semantics for Grounded Vulnerability Detection

    cs.SE 2026-04 unverdicted novelty 5.0

    VulWeaver improves Java vulnerability detection to 0.75 F1 by enhancing dependency graphs with LLM semantic fixes, extracting full context from slices plus implicit usage info, and applying type-specific meta-promptin...

  26. VulTriage: Triple-Path Context Augmentation for LLM-Based Vulnerability Detection

    cs.AI 2026-05 conditional novelty 4.0

    VulTriage combines control dependency extraction, CWE knowledge retrieval, and semantic summarization to improve LLM accuracy on vulnerability detection, reaching SOTA on PrimeVul and generalizing to Kotlin.