---
license: apache-2.0
language:
- en
base_model:
- codellama/CodeLlama-7b-Instruct-hf
pipeline_tag: text-classification
library_name: transformers
tags:
- code
---
# Model Card for vuteco-cl-e2e

<!-- Provide a quick summary of what the model is/does. -->

`vuteco-cl-e2e` is a fine-tuned [Codellama 7B Instruct](https://huggingface.co/codellama/CodeLlama-7b-Instruct-hf) that classifies pairs of JUnit test methods and vulnerability descriptions (from CVE) into two classes:
- `Related` if the method is testing the vulnerability described.
- `NotRelated` if the method is not testing the vulnerability described.

## Model Details

### Model Description

<!-- Provide a longer summary of what this model is. -->

VuTeCo is a framework for finding vulnerability-witnessing test cases in Java repositories (Finding) and matching them with the right known vulnerability (Matching).
More info in its [GitHub repository](https://github.com/tuhh-softsec/vuteco).

This model (`vuteco-cl-e2e`) is a fine-tuned [Codellama 7B Instruct](https://huggingface.co/codellama/CodeLlama-7b-Instruct-hf) with a simple classification prompt.

This model is used in VuTeCo for the "Matching" task, which classifies a pair of (1) a JUnit test method and (2) an English description of a vulnerability (e.g., the one from CVE) into two classes:
- `Related` if the method is testing the vulnerability described.
- `NotRelated` if the method is not testing the vulnerability described.

The model input is (1) the raw text of a JUnit test method and (2) the raw text of a vulnerability description, both with no preprocessing.

- **Developed by:** Hamburg University of Technology
- **Funded by:** [Sec4AI4Sec](https://www.sec4ai4sec-project.eu/) (Horizon EU)
- **Shared by:** Hugging Face
- **Model type:** Text Classification
- **Language(s) (NLP):** en
- **License:** Apache-2.0
- **Finetuned from model:** [Codellama 7B Instruct](https://huggingface.co/codellama/CodeLlama-7b-Instruct-hf)

### Model Sources [optional]

<!-- Provide the basic links for the model. -->

- **Repository:** [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco)
- **Paper:** [MSR'26 paper](https://arxiv.org/abs/2502.03365)

## Uses

<!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. -->

### Direct Use

<!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. -->

The model can be used right away to classify specific types of vulnerability-witnessing tests, e.g., distinguishing the exact vulnerability type that is tested.

### Downstream Use [optional]

<!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->

The model can be further fine-tuned to classify specific types of vulnerability-witnessing tests, e.g., distinguishing the exact vulnerability type that is tested.

It could also be fine-tuned for other testing frameworks (beyond JUnit) and programming languages (e.g., Python).

### Out-of-Scope Use

<!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->

N/A

## Bias, Risks, and Limitations

<!-- This section is meant to convey both technical and sociotechnical limitations. -->

The model predictions may be inaccurate (misclassified test methods).
In particular, the reported performance shows that the model has limited recall, so it often answers `NotRelated`.

### Recommendations

<!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. -->

Manually validate the predictions made by the model.

## How to Get Started with the Model

Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for loading and using the model in the correct way.
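
As an added illustration (not code from the VuTeCo project or this card), the following Python wrapper shows the shape of a Direct Use call: it pairs a raw JUnit test method with a raw vulnerability description into one input, sends it through the `transformers` text-classification pipeline declared in the front matter, and routes the answer for manual validation as the Recommendations section advises, treating every `NotRelated` verdict as review-worthy because of the limited recall reported above. The model repo id, the input layout in `build_input`, the `review_threshold` value and the sample test method and description are assumptions or constructed placeholders; the prompt template VuTeCo actually fine-tuned with is documented in its repository, not here.

```python
"""Added example (not from the VuTeCo project or its model card): a thin
wrapper around the Hugging Face text-classification pipeline for
vuteco-cl-e2e. Assumptions: the model loads through
transformers.pipeline("text-classification") and its labels are
"Related" / "NotRelated". The prompt layout used at fine-tuning time is
not stated on the card, so build_input() is a placeholder layout.
"""
from dataclasses import dataclass

MODEL_ID = "<hugging-face-repo-id-of-vuteco-cl-e2e>"  # placeholder, not on the card

# Constructed sample inputs (not taken from Vul4J or any real CVE).
SAMPLE_TEST = """@Test
public void testParentDirectorySegmentsRejected() {
    assertThrows(IllegalArgumentException.class,
        () -> FileStore.resolve("../../outside/of/root"));
}"""
SAMPLE_DESCRIPTION = ("Constructed description: the file store does not normalise "
                      "paths, so '..' segments can escape the configured root.")


@dataclass
class Verdict:
    label: str          # "Related" or "NotRelated"
    score: float        # pipeline confidence for that label
    needs_review: bool  # True when a human should validate the prediction


def build_input(test_method: str, description: str) -> str:
    """Pair the raw test method and the raw description into a single text.
    Neither part is preprocessed, matching the card's input description.
    The two section headers are an assumed layout, not VuTeCo's template."""
    return (f"Vulnerability description:\n{description}\n\n"
            f"JUnit test method:\n{test_method}\n")


def to_verdict(prediction: dict, review_threshold: float = 0.8) -> Verdict:
    """Map one pipeline output ({'label': ..., 'score': ...}) to a Verdict.
    The card reports limited recall (the model leans to NotRelated), so every
    NotRelated answer is flagged for manual validation, and so is any Related
    answer whose confidence is below review_threshold (assumed value)."""
    label = prediction["label"]
    score = float(prediction["score"])
    if label not in ("Related", "NotRelated"):
        raise ValueError(f"unexpected label {label!r}")
    needs_review = label == "NotRelated" or score < review_threshold
    return Verdict(label, score, needs_review)


def classify(test_method: str, description: str, classifier=None) -> Verdict:
    """Classify one (test method, description) pair.

    `classifier` is any callable that takes a string and returns a list with
    one {'label', 'score'} dict, which is what the transformers
    text-classification pipeline returns. When None, the real model is loaded
    (this needs the weights and GPU-class hardware for a 7B model)."""
    if classifier is None:
        # Imported lazily so build_input()/to_verdict() stay usable offline.
        from transformers import pipeline
        classifier = pipeline("text-classification", model=MODEL_ID)
    return to_verdict(classifier(build_input(test_method, description))[0])


if __name__ == "__main__":
    verdict = classify(SAMPLE_TEST, SAMPLE_DESCRIPTION)
    print(verdict)
    if verdict.needs_review:
        print("queue this pair for manual validation")
```

Passing your own `classifier` callable is also how to plug in a model loaded the way the VuTeCo repository documents, or a recorded batch of predictions, without touching the review logic.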

## Training Details

### Training Data

<!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->

This model was fine-tuned on Java repositories and vulnerabilities from [Vul4J](https://github.com/tuhh-softsec/vul4j).
Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for loading the dataset in the correct way.

### Training Procedure

<!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->

Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for customizing the model training.

## Evaluation

<!-- This section describes the evaluation protocols and provides the results. -->

Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for customizing the model evaluation.

### Results

Please refer to the [MSR'26 paper](https://arxiv.org/abs/2502.03365) for an overview of the main evaluation results.
The complete raw results can be found in the paper's online appendix on [Zenodo](https://doi.org/10.5281/zenodo.18258566).

## Model Examination [optional]

<!-- Relevant interpretability work for the model goes here -->

[More Information Needed]

## Environmental Impact

<!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly -->

N/A

## Citation

<!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->

If you use this model, please cite the [MSR'26 paper](https://arxiv.org/abs/2502.03365) (the publisher's reference will be available soon):

**BibTeX:**

```bibtex
@misc{iannone2026matchheavenaidrivenmatching,
  title={A Match Made in Heaven? AI-driven Matching of Vulnerabilities and Security Unit Tests},
  author={Emanuele Iannone and Quang-Cuong Bui and Riccardo Scandariato},
  year={2026},
  eprint={2502.03365},
  archivePrefix={arXiv},
  primaryClass={cs.SE},
  url={https://arxiv.org/abs/2502.03365},
}
```

## Model Card Authors

[emaiannone](https://huggingface.co/emaiannone)