|
|
--- |
|
|
license: apache-2.0 |
|
|
language: |
|
|
- en |
|
|
base_model: |
|
|
- microsoft/codebert-base |
|
|
pipeline_tag: text-classification |
|
|
library_name: transformers |
|
|
tags: |
|
|
- code |
|
|
--- |
|
|
# Model Card for vuteco-cb-e2e |
|
|
|
|
|
<!-- Provide a quick summary of what the model is/does. --> |
|
|
|
|
|
`vuteco-cb-e2e` is a fine-tuned [CodeBERT](https://huggingface.co/microsoft/codebert-base) that classifies pairs of JUnit test methods and vulnerability descriptions (from CVE) into two classes: |
|
|
- `Related` if it the method is testing the vulnerability described. |
|
|
- `NotRelated` if it the method is not testing the vulnerability described. |
|
|
|
|
|
## Model Details |
|
|
|
|
|
### Model Description |
|
|
|
|
|
<!-- Provide a longer summary of what this model is. --> |
|
|
|
|
|
VuTeCo is a framework for finding vulnerability-witnessing test cases in Java repositories (Finding) and match them with the right known vulnerability (Matching). |
|
|
More info in its [GitHub repository](https://github.com/tuhh-softsec/vuteco). |
|
|
|
|
|
This model (`vuteco-cb-e2e`) is a fine-tuned [CodeBERT](https://huggingface.co/microsoft/codebert-base) with a classification head on top of it. |
|
|
|
|
|
This model is used in VuTeCo for the "Matching" task, which can classify a pair of (1) JUnit test method and (2) an English description of a vulnerability (e.g., the one from CVE) into two classes (it actually returns a probability, with `0.5` used as a classification threshold): |
|
|
- `Related` if it the method is testing the vulnerability described. |
|
|
- `NotRelated` if it the method is not testing the vulnerability described. |
|
|
|
|
|
The model input is (1) the raw text of a JUnit test method and (2) the raw text of a vulnerability description, both with no preprocessing. |
|
|
|
|
|
- **Developed by:** Hamburg University of Technology |
|
|
- **Funded by:** [Sec4AI4Sec](https://www.sec4ai4sec-project.eu/) (Horizon EU) |
|
|
- **Shared by:**: Hugging Face |
|
|
- **Model type:** Text Classification |
|
|
- **Language(s) (NLP):** en |
|
|
- **License:** Apache-2.0 |
|
|
- **Finetuned from model:** [CodeBERT](https://huggingface.co/microsoft/codebert-base) |
|
|
|
|
|
### Model Sources [optional] |
|
|
|
|
|
<!-- Provide the basic links for the model. --> |
|
|
|
|
|
- **Repository:** [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) |
|
|
- **Paper:** [MSR'26 paper](https://arxiv.org/abs/2502.03365) |
|
|
|
|
|
## Uses |
|
|
|
|
|
<!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. --> |
|
|
|
|
|
### Direct Use |
|
|
|
|
|
<!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. --> |
|
|
|
|
|
The model can be used right away to classify specific types of vulnerability-witnessing tests, e.g., distinguishing the exact vulnerability types that is tested. |
|
|
|
|
|
### Downstream Use [optional] |
|
|
|
|
|
<!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app --> |
|
|
|
|
|
The model can be further fine-tuned to classify specific types of vulnerability-witnessing tests, e.g., distinguishing the exact vulnerability types that is tested. |
|
|
|
|
|
It could also be fine-tuned for other testing frameworks (beyond JUnit) and programming languages (Python). |
|
|
|
|
|
### Out-of-Scope Use |
|
|
|
|
|
<!-- This section addresses misuse, malicious use, and uses that the model will not work well for. --> |
|
|
|
|
|
N/A |
|
|
|
|
|
## Bias, Risks, and Limitations |
|
|
|
|
|
<!-- This section is meant to convey both technical and sociotechnical limitations. --> |
|
|
|
|
|
The model predictions may be inaccurate (misclassified test methods). |
|
|
In particular, the reported performance show the model has limited recall, so it often says `NotRelated` (i.e., returns low probability scores). |
|
|
|
|
|
### Recommendations |
|
|
|
|
|
<!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. --> |
|
|
|
|
|
Manually validate the predictions made by the model. |
|
|
|
|
|
## How to Get Started with the Model |
|
|
|
|
|
Please, refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for loading and using the model in the correct way. |
|
|
|
|
|
## Training Details |
|
|
|
|
|
### Training Data |
|
|
|
|
|
<!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. --> |
|
|
|
|
|
This model was fine-tuned on Java repositories and vulnerabilities from [Vul4J](https://github.com/tuhh-softsec/vul4j). |
|
|
Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for loading the dataset in the correct way. |
|
|
|
|
|
### Training Procedure |
|
|
|
|
|
<!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. --> |
|
|
|
|
|
Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for customizing the model training. |
|
|
|
|
|
## Evaluation |
|
|
|
|
|
<!-- This section describes the evaluation protocols and provides the results. --> |
|
|
|
|
|
Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for customizing the model evaluation. |
|
|
|
|
|
### Results |
|
|
|
|
|
Please, refer to the [MSR'26 paper](https://arxiv.org/abs/2502.03365) for an overview of the main evaluation results. |
|
|
The complete raw results can be found in the paper's online appendix on [Zenodo](https://doi.org/10.5281/zenodo.18258566). |
|
|
|
|
|
## Model Examination [optional] |
|
|
|
|
|
<!-- Relevant interpretability work for the model goes here --> |
|
|
|
|
|
[More Information Needed] |
|
|
|
|
|
## Environmental Impact |
|
|
|
|
|
<!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly --> |
|
|
|
|
|
N/A |
|
|
|
|
|
## Citation |
|
|
|
|
|
<!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. --> |
|
|
|
|
|
If you use this model, please cite the [MSR'26 paper](https://arxiv.org/abs/2502.03365) (the publisher's reference will be available soon): |
|
|
|
|
|
**BibTeX:** |
|
|
|
|
|
``` |
|
|
@misc{iannone2026matchheavenaidrivenmatching, |
|
|
title={A Match Made in Heaven? AI-driven Matching of Vulnerabilities and Security Unit Tests}, |
|
|
author={Emanuele Iannone and Quang-Cuong Bui and Riccardo Scandariato}, |
|
|
year={2026}, |
|
|
eprint={2502.03365}, |
|
|
archivePrefix={arXiv}, |
|
|
primaryClass={cs.SE}, |
|
|
url={https://arxiv.org/abs/2502.03365}, |
|
|
} |
|
|
``` |
|
|
|
|
|
## Model Card Authors |
|
|
|
|
|
[emaiannone](https://huggingface.co/emaiannone) |
