emaiannone commited on
Commit
0f91a0c
·
verified ·
1 Parent(s): 336559d

Create README.md

  1. README.md +153 -0
README.md ADDED
@@ -0,0 +1,153 @@
1
+ ---
2
+ license: apache-2.0
3
+ language:
4
+ - en
5
+ base_model:
6
+ - codellama/CodeLlama-7b-Instruct-hf
7
+ pipeline_tag: text-classification
8
+ library_name: transformers
9
+ tags:
10
+ - code
11
+ ---
12
+ # Model Card for vuteco-cl-e2e
13
+
14
+ <!-- Provide a quick summary of what the model is/does. -->
15
+
16
+ `vuteco-cl-e2e` is a fine-tuned [Codellama 7B Instruct](https://huggingface.co/codellama/CodeLlama-7b-Instruct-hf) that classifies pairs of JUnit test methods and vulnerability descriptions (from CVE) into two classes:
17
+ - `Related` if it the method is testing the vulnerability described.
18
+ - `NotRelated` if it the method is not testing the vulnerability described.
19
+
20
+ ## Model Details
21
+
22
+ ### Model Description
23
+
24
+ <!-- Provide a longer summary of what this model is. -->
25
+
26
+ VuTeCo is a framework for finding vulnerability-witnessing test cases in Java repositories (Finding) and match them with the right known vulnerability (Matching).
27
+ More info in its [GitHub repository](https://github.com/tuhh-softsec/vuteco).
28
+
29
+ This model (`vuteco-cl-e2e`) is a fine-tuned [Codellama 7B Instruct](https://huggingface.co/codellama/CodeLlama-7b-Instruct-hf) with a simple classification prompt.
30
+
31
+ This model is used in VuTeCo for the "Matching" task, which can classify a pair of (1) JUnit test method and (2) an English description of a vulnerability (e.g., the one from CVE) into two classes:
32
+ - `Related` if it the method is testing the vulnerability described.
33
+ - `NotRelated` if it the method is not testing the vulnerability described.
34
+
35
+ The model input is (1) the raw text of a JUnit test method and (2) the raw text of a vulnerability description, both with no preprocessing.
36
+
37
+ - **Developed by:** Hamburg University of Technology
38
+ - **Funded by:** [Sec4AI4Sec](https://www.sec4ai4sec-project.eu/) (Horizon EU)
39
+ - **Shared by:**: Hugging Face
40
+ - **Model type:** Text Classification
41
+ - **Language(s) (NLP):** en
42
+ - **License:** Apache-2.0
43
+ - **Finetuned from model:** [Codellama 7B Instruct](https://huggingface.co/codellama/CodeLlama-7b-Instruct-hf)
44
+
45
+ ### Model Sources [optional]
46
+
47
+ <!-- Provide the basic links for the model. -->
48
+
49
+ - **Repository:** [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco)
50
+ - **Paper:** [MSR'26 paper](https://arxiv.org/abs/2502.03365)
51
+
52
+ ## Uses
53
+
54
+ <!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. -->
55
+
56
+ ### Direct Use
57
+
58
+ <!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. -->
59
+
60
+ The model can be used right away to classify specific types of vulnerability-witnessing tests, e.g., distinguishing the exact vulnerability types that is tested.
61
+
62
+ ### Downstream Use [optional]
63
+
64
+ <!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->
65
+
66
+ The model can be further fine-tuned to classify specific types of vulnerability-witnessing tests, e.g., distinguishing the exact vulnerability types that is tested.
67
+
68
+ It could also be fine-tuned for other testing frameworks (beyond JUnit) and programming languages (Python).
69
+
70
+ ### Out-of-Scope Use
71
+
72
+ <!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->
73
+
74
+ N/A
75
+
76
+ ## Bias, Risks, and Limitations
77
+
78
+ <!-- This section is meant to convey both technical and sociotechnical limitations. -->
79
+
80
+ The model predictions may be inaccurate (misclassified test methods).
81
+ In particular, the reported performance show the model has limited recall, so it often says `NotRelated`.
82
+
83
+ ### Recommendations
84
+
85
+ <!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. -->
86
+
87
+ Manually validate the predictions made by the model.
88
+
89
+ ## How to Get Started with the Model
90
+
91
+ Please, refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for loading and using the model in the correct way.
92
+
93
+ ## Training Details
94
+
95
+ ### Training Data
96
+
97
+ <!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->
98
+
99
+ This model was fine-tuned on Java repositories and vulnerabilities from [Vul4J](https://github.com/tuhh-softsec/vul4j).
100
+ Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for loading the dataset in the correct way.
101
+
102
+ ### Training Procedure
103
+
104
+ <!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->
105
+
106
+ Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for customizing the model training.
107
+
108
+ ## Evaluation
109
+
110
+ <!-- This section describes the evaluation protocols and provides the results. -->
111
+
112
+ Please refer to [VuTeCo's GitHub repository](https://github.com/tuhh-softsec/vuteco) for customizing the model evaluation.
113
+
114
+ ### Results
115
+
116
+ Please, refer to the [MSR'26 paper](https://arxiv.org/abs/2502.03365) for an overview of the main evaluation results.
117
+ The complete raw results can be found in the paper's online appendix on [Zenodo](https://doi.org/10.5281/zenodo.18258566).
118
+
119
+ ## Model Examination [optional]
120
+
121
+ <!-- Relevant interpretability work for the model goes here -->
122
+
123
+ [More Information Needed]
124
+
125
+ ## Environmental Impact
126
+
127
+ <!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly -->
128
+
129
+ N/A
130
+
131
+ ## Citation
132
+
133
+ <!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->
134
+
135
+ If you use this model, please cite the [MSR'26 paper](https://arxiv.org/abs/2502.03365) (the publisher's reference will be available soon):
136
+
137
+ **BibTeX:**
138
+
139
+ ```
140
+ @misc{iannone2026matchheavenaidrivenmatching,
141
+ title={A Match Made in Heaven? AI-driven Matching of Vulnerabilities and Security Unit Tests},
142
+ author={Emanuele Iannone and Quang-Cuong Bui and Riccardo Scandariato},
143
+ year={2026},
144
+ eprint={2502.03365},
145
+ archivePrefix={arXiv},
146
+ primaryClass={cs.SE},
147
+ url={https://arxiv.org/abs/2502.03365},
148
+ }
149
+ ```
150
+
151
+ ## Model Card Authors
152
+
153
+ [emaiannone](https://huggingface.co/emaiannone)
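Review bot: The "Direct Use" paragraph (line 60 of the new file) contradicts the model description: it says the model "can be used right away to classify specific types of vulnerability-witnessing tests, e.g., distinguishing the exact vulnerability types that is tested", which is the same sentence as "Downstream Use" (line 66), but the card elsewhere defines the model as a binary `Related`/`NotRelated` classifier for (test method, vulnerability description) pairs and does not distinguish vulnerability types. Suggest rewriting "Direct Use" to describe the actual out-of-the-box task, e.g. "The model can be used right away to decide whether a given JUnit test method witnesses a given vulnerability description (`Related`) or not (`NotRelated`)", and leaving the vulnerability-type classification only under "Downstream Use" as a fine-tuning possibility. Related documentation gaps in the same hunk: "Out-of-Scope Use" is left as "N/A" even though "Bias, Risks, and Limitations" states limited recall and frequent `NotRelated` predictions, so it should at least say the model is not a substitute for manual vulnerability-test review and that a `NotRelated` prediction is not evidence that a test is unrelated; the card mentions "a simple classification prompt" (line 29) and "raw text ... with no preprocessing" (line 35) but never shows the prompt template or the expected output format, which a user needs to reproduce the "Matching" task outside the repository (either inline it or state explicitly which file in the VuTeCo repository defines it); and the template placeholders "[optional]" in two headings, "[More Information Needed]" under "Model Examination", and the "N/A" under "Environmental Impact" should be filled in or the sections dropped. Minor wording: "if it the method is testing" (lines 17, 18, 32, 33) should read "if the method is testing"; "the reported performance show" (line 81) should be "the reported performance shows"; "that is tested" (lines 60, 66) should be "that are tested"; and "**Shared by:**:" (line 39) has a doubled colon.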