{"id":"https://openalex.org/W4415647391","doi":"https://doi.org/10.1007/s10664-025-10749-4","title":"A zero-shot framework for cross-project vulnerability detection in source code","display_name":"A zero-shot framework for cross-project vulnerability detection in source code","publication_year":2025,"publication_date":"2025-10-29","ids":{"openalex":"https://openalex.org/W4415647391","doi":"https://doi.org/10.1007/s10664-025-10749-4"},"language":"en","primary_location":{"id":"doi:10.1007/s10664-025-10749-4","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10664-025-10749-4","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10664-025-10749-4.pdf","source":{"id":"https://openalex.org/S109852484","display_name":"Empirical Software Engineering","issn_l":"1382-3256","issn":["1382-3256","1573-7616"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Empirical Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007/s10664-025-10749-4.pdf","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5026422346","display_name":"Radowanul Haque","orcid":"https://orcid.org/0009-0001-6928-1598"},"institutions":[{"id":"https://openalex.org/I138801177","display_name":"University of Ulster","ror":"https://ror.org/01yp9g959","country_code":"GB","type":"education","lineage":["https://openalex.org/I138801177"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Radowanul Haque","raw_affiliation_strings":["School of Computing, Ulster University, Belfast, BT15 1ED, U.K"],"affiliations":[{"raw_affiliation_string":"School of Computing, Ulster University, Belfast, BT15 1ED, U.K","institution_ids":["https://openalex.org/I138801177"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5052938628","display_name":"Aftab Ali","orcid":"https://orcid.org/0000-0002-4578-7631"},"institutions":[{"id":"https://openalex.org/I138801177","display_name":"University of Ulster","ror":"https://ror.org/01yp9g959","country_code":"GB","type":"education","lineage":["https://openalex.org/I138801177"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Aftab Ali","raw_affiliation_strings":["School of Computing, Ulster University, Belfast, BT15 1ED, U.K"],"affiliations":[{"raw_affiliation_string":"School of Computing, Ulster University, Belfast, BT15 1ED, U.K","institution_ids":["https://openalex.org/I138801177"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022378204","display_name":"Sally McClean","orcid":"https://orcid.org/0000-0002-6871-3504"},"institutions":[{"id":"https://openalex.org/I138801177","display_name":"University of Ulster","ror":"https://ror.org/01yp9g959","country_code":"GB","type":"education","lineage":["https://openalex.org/I138801177"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Sally McClean","raw_affiliation_strings":["School of Computing, Ulster University, Belfast, BT15 1ED, U.K"],"affiliations":[{"raw_affiliation_string":"School of Computing, Ulster University, Belfast, BT15 1ED, U.K","institution_ids":["https://openalex.org/I138801177"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5101859267","display_name":"Naveed Khan","orcid":"https://orcid.org/0000-0002-9301-5855"},"institutions":[{"id":"https://openalex.org/I138801177","display_name":"University of Ulster","ror":"https://ror.org/01yp9g959","country_code":"GB","type":"education","lineage":["https://openalex.org/I138801177"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Naveed Khan","raw_affiliation_strings":["School of Computing, Ulster University, Belfast, BT15 1ED, U.K"],"affiliations":[{"raw_affiliation_string":"School of Computing, Ulster University, Belfast, BT15 1ED, U.K","institution_ids":["https://openalex.org/I138801177"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5026422346"],"corresponding_institution_ids":["https://openalex.org/I138801177"],"apc_list":{"value":2290,"currency":"EUR","value_usd":2890},"apc_paid":{"value":2290,"currency":"EUR","value_usd":2890},"fwci":3.3959,"has_fulltext":true,"cited_by_count":1,"citation_normalized_percentile":{"value":0.94461699,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":91,"max":95},"biblio":{"volume":"31","issue":"1","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.646399974822998,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.646399974822998,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.20640000700950623,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.03840000182390213,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.6647999882698059},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.5889999866485596},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.5631999969482422},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.506600022315979},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4729999899864197},{"id":"https://openalex.org/keywords/coding","display_name":"Coding (social sciences)","score":0.453000009059906},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.4341999888420105},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.41839998960494995}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7558000087738037},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.6647999882698059},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.5889999866485596},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.5631999969482422},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5376999974250793},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.5145000219345093},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.506600022315979},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.49959999322891235},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4729999899864197},{"id":"https://openalex.org/C179518139","wikidata":"https://www.wikidata.org/wiki/Q5140297","display_name":"Coding (social sciences)","level":2,"score":0.453000009059906},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.4341999888420105},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.41839998960494995},{"id":"https://openalex.org/C36503486","wikidata":"https://www.wikidata.org/wiki/Q11235244","display_name":"Domain (mathematical analysis)","level":2,"score":0.3774000108242035},{"id":"https://openalex.org/C143587482","wikidata":"https://www.wikidata.org/wiki/Q1543216","display_name":"Iterative and incremental development","level":2,"score":0.3659999966621399},{"id":"https://openalex.org/C207685749","wikidata":"https://www.wikidata.org/wiki/Q2088941","display_name":"Domain knowledge","level":2,"score":0.362199991941452},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.3571999967098236},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.3441999852657318},{"id":"https://openalex.org/C52622490","wikidata":"https://www.wikidata.org/wiki/Q1026626","display_name":"Feature extraction","level":2,"score":0.33379998803138733},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.33239999413490295},{"id":"https://openalex.org/C77637269","wikidata":"https://www.wikidata.org/wiki/Q7002051","display_name":"Neural coding","level":2,"score":0.32190001010894775},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.30090001225471497},{"id":"https://openalex.org/C2776151529","wikidata":"https://www.wikidata.org/wiki/Q3045304","display_name":"Object detection","level":3,"score":0.2822999954223633},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.28110000491142273},{"id":"https://openalex.org/C150899416","wikidata":"https://www.wikidata.org/wiki/Q1820378","display_name":"Transfer of learning","level":2,"score":0.27090001106262207}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1007/s10664-025-10749-4","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10664-025-10749-4","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10664-025-10749-4.pdf","source":{"id":"https://openalex.org/S109852484","display_name":"Empirical Software Engineering","issn_l":"1382-3256","issn":["1382-3256","1573-7616"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Empirical Software Engineering","raw_type":"journal-article"},{"id":"pmh:oai:pure.atira.dk:openaire/1f38d81b-710c-40c8-83e4-1ec03f7e2478","is_oa":true,"landing_page_url":"https://pure.ulster.ac.uk/en/publications/1f38d81b-710c-40c8-83e4-1ec03f7e2478","pdf_url":null,"source":{"id":"https://openalex.org/S4306402454","display_name":"Ulster University Research Portal (Ulster University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I138801177","host_organization_name":"University of Ulster","host_organization_lineage":["https://openalex.org/I138801177"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Haque, R, Ali, A, McClean, S & Khan, N 2025, 'A zero-shot framework for cross-project vulnerability detection in source code', Empirical Software Engineering, vol. 31, no. 1, 3, pp. 1-27. https://doi.org/10.1007/s10664-025-10749-4","raw_type":"article"}],"best_oa_location":{"id":"doi:10.1007/s10664-025-10749-4","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10664-025-10749-4","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10664-025-10749-4.pdf","source":{"id":"https://openalex.org/S109852484","display_name":"Empirical Software Engineering","issn_l":"1382-3256","issn":["1382-3256","1573-7616"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Empirical Software Engineering","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320314204","display_name":"Invest Northern Ireland","ror":"https://ror.org/00qnrsq87"},{"id":"https://openalex.org/F4320335322","display_name":"European Regional Development Fund","ror":"https://ror.org/00k4n6c32"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4415647391.pdf","grobid_xml":"https://content.openalex.org/works/W4415647391.grobid-xml"},"referenced_works_count":28,"referenced_works":["https://openalex.org/W2781491433","https://openalex.org/W2796200341","https://openalex.org/W2885030880","https://openalex.org/W2963341956","https://openalex.org/W3014780393","https://openalex.org/W3033053557","https://openalex.org/W3033777149","https://openalex.org/W3097867666","https://openalex.org/W3098605233","https://openalex.org/W3166095789","https://openalex.org/W4210660460","https://openalex.org/W4221166942","https://openalex.org/W4292258179","https://openalex.org/W4294811443","https://openalex.org/W4309484938","https://openalex.org/W4312690534","https://openalex.org/W4312727366","https://openalex.org/W4320915502","https://openalex.org/W4380520352","https://openalex.org/W4387298393","https://openalex.org/W4389747935","https://openalex.org/W4393166720","https://openalex.org/W4396773564","https://openalex.org/W4402671749","https://openalex.org/W4403733433","https://openalex.org/W4404293760","https://openalex.org/W4406610709","https://openalex.org/W4411552541"],"related_works":[],"abstract_inverted_index":{"Abstract":[0],"The":[1,86],"growing":[2],"prevalence":[3],"of":[4,46,78],"software":[5,174],"vulnerabilities":[6],"has":[7],"increased":[8],"the":[9,44,105,129],"need":[10],"for":[11,104],"effective":[12],"detection":[13,27,58,164],"methods,":[14,147],"particularly":[15],"in":[16,38,93],"cross-project":[17,56],"settings":[18],"where":[19],"domain":[20],"differences":[21,121],"create":[22],"significant":[23],"challenges.":[24],"Existing":[25],"vulnerability":[26,57,163],"models":[28],"often":[29],"struggle":[30],"to":[31,36,61,71,116,145,167],"generalise":[32],"across":[33,172],"projects":[34],"due":[35],"variations":[37],"coding":[39],"styles,":[40],"feature":[41],"distributions,":[42],"and":[43,75,98,118,124,131,141],"absence":[45],"labelled":[47],"target":[48,106,125],"data.":[49],"This":[50],"paper":[51],"presents":[52],"ZSVulD,":[53],"a":[54,95,113],"zero-shot,":[55],"framework":[59,87],"designed":[60],"operate":[62],"without":[63],"target-domain":[64],"labels.":[65],"ZSVulD":[66,136,159],"uses":[67],"domain-agnostic":[68],"CodeBERT":[69],"embeddings":[70],"capture":[72],"both":[73],"syntactic":[74],"semantic":[76],"features":[77],"source":[79,123],"code,":[80],"enabling":[81],"knowledge":[82],"transfer":[83],"between":[84,122],"projects.":[85,175],"applies":[88],"an":[89,149],"iterative":[90],"pseudo-labelling":[91],"process":[92],"which":[94],"neural":[96],"network":[97],"XGBoost":[99],"classifier":[100],"collaboratively":[101],"refine":[102],"predictions":[103],"domain.":[107],"Feature":[108],"alignment":[109],"is":[110],"incorporated":[111],"as":[112],"diagnostic":[114],"technique":[115],"assess":[117],"visualise":[119],"distributional":[120],"datasets.":[126],"Experiments":[127],"on":[128,151],"Devign":[130],"REVEAL":[132],"datasets":[133],"show":[134],"that":[135,158],"achieves":[137],"higher":[138],"recall,":[139],"F1,":[140],"F2":[142],"scores":[143],"compared":[144],"existing":[146],"with":[148],"emphasis":[150],"reducing":[152],"false":[153],"negatives.":[154],"These":[155],"findings":[156],"indicate":[157],"can":[160],"support":[161],"automated":[162],"pipelines,":[165],"contributing":[166],"more":[168],"reliable":[169],"security":[170],"assessments":[171],"different":[173]},"counts_by_year":[{"year":2025,"cited_by_count":1}],"updated_date":"2026-03-20T23:20:44.827607","created_date":"2025-10-29T00:00:00"}