{"id":"https://openalex.org/W4411450259","doi":"https://doi.org/10.1145/3729360","title":"Teaching AI the \u2018Why\u2019 and \u2018How\u2019 of Software Vulnerability Fixes","display_name":"Teaching AI the \u2018Why\u2019 and \u2018How\u2019 of Software Vulnerability Fixes","publication_year":2025,"publication_date":"2025-06-19","ids":{"openalex":"https://openalex.org/W4411450259","doi":"https://doi.org/10.1145/3729360"},"language":"en","primary_location":{"id":"doi:10.1145/3729360","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3729360","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1145/3729360","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5004198267","display_name":"Amiao Gao","orcid":null},"institutions":[{"id":"https://openalex.org/I178169726","display_name":"Southern Methodist University","ror":"https://ror.org/042tdr378","country_code":"US","type":"education","lineage":["https://openalex.org/I178169726"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Amiao Gao","raw_affiliation_strings":["Southern Methodist University, Dallas, USA"],"raw_orcid":"https://orcid.org/0009-0006-1074-1912","affiliations":[{"raw_affiliation_string":"Southern Methodist University, Dallas, USA","institution_ids":["https://openalex.org/I178169726"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5034622192","display_name":"Zenong Zhang","orcid":"https://orcid.org/0000-0002-3811-675X"},"institutions":[{"id":"https://openalex.org/I162577319","display_name":"The University of Texas at Dallas","ror":"https://ror.org/049emcs32","country_code":"US","type":"education","lineage":["https://openalex.org/I162577319"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zenong Zhang","raw_affiliation_strings":["University of Texas at Dallas, Richardson, USA"],"raw_orcid":"https://orcid.org/0000-0002-3811-675X","affiliations":[{"raw_affiliation_string":"University of Texas at Dallas, Richardson, USA","institution_ids":["https://openalex.org/I162577319"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5041970576","display_name":"Simin Wang","orcid":"https://orcid.org/0000-0002-7383-276X"},"institutions":[{"id":"https://openalex.org/I178169726","display_name":"Southern Methodist University","ror":"https://ror.org/042tdr378","country_code":"US","type":"education","lineage":["https://openalex.org/I178169726"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Simin Wang","raw_affiliation_strings":["Southern Methodist University, Dallas, USA"],"raw_orcid":"https://orcid.org/0000-0002-7383-276X","affiliations":[{"raw_affiliation_string":"Southern Methodist University, Dallas, USA","institution_ids":["https://openalex.org/I178169726"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5028716858","display_name":"LiGuo Huang","orcid":"https://orcid.org/0000-0001-7790-0195"},"institutions":[{"id":"https://openalex.org/I178169726","display_name":"Southern Methodist University","ror":"https://ror.org/042tdr378","country_code":"US","type":"education","lineage":["https://openalex.org/I178169726"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"LiGuo Huang","raw_affiliation_strings":["Southern Methodist University, Dallas, USA"],"raw_orcid":"https://orcid.org/0000-0001-7790-0195","affiliations":[{"raw_affiliation_string":"Southern Methodist University, Dallas, USA","institution_ids":["https://openalex.org/I178169726"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5033317811","display_name":"Shiyi Wei","orcid":"https://orcid.org/0000-0002-2826-1857"},"institutions":[{"id":"https://openalex.org/I162577319","display_name":"The University of Texas at Dallas","ror":"https://ror.org/049emcs32","country_code":"US","type":"education","lineage":["https://openalex.org/I162577319"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Shiyi Wei","raw_affiliation_strings":["University of Texas at Dallas, Richardson, USA"],"raw_orcid":"https://orcid.org/0000-0002-2826-1857","affiliations":[{"raw_affiliation_string":"University of Texas at Dallas, Richardson, USA","institution_ids":["https://openalex.org/I162577319"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5102732054","display_name":"Vincent Ng","orcid":"https://orcid.org/0000-0001-8237-429X"},"institutions":[{"id":"https://openalex.org/I162577319","display_name":"The University of Texas at Dallas","ror":"https://ror.org/049emcs32","country_code":"US","type":"education","lineage":["https://openalex.org/I162577319"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Vincent Ng","raw_affiliation_strings":["University of Texas at Dallas, Richardson, USA"],"raw_orcid":"https://orcid.org/0000-0001-8237-429X","affiliations":[{"raw_affiliation_string":"University of Texas at Dallas, Richardson, USA","institution_ids":["https://openalex.org/I162577319"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5004198267"],"corresponding_institution_ids":["https://openalex.org/I178169726"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.19612917,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"2","issue":"FSE","first_page":"2006","last_page":"2029"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12423","display_name":"Software Reliability and Analysis Research","score":0.9979000091552734,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9959999918937683,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7896431684494019},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.540181577205658},{"id":"https://openalex.org/keywords/trace","display_name":"TRACE (psycholinguistics)","score":0.5329383611679077},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.5103442072868347},{"id":"https://openalex.org/keywords/traceability","display_name":"Traceability","score":0.5009403228759766},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.4852611720561981},{"id":"https://openalex.org/keywords/natural-language-processing","display_name":"Natural language processing","score":0.45667076110839844},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.4382472336292267},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.42987480759620667},{"id":"https://openalex.org/keywords/program-comprehension","display_name":"Program comprehension","score":0.426796555519104},{"id":"https://openalex.org/keywords/action","display_name":"Action (physics)","score":0.424783855676651},{"id":"https://openalex.org/keywords/commit","display_name":"Commit","score":0.41945913434028625},{"id":"https://openalex.org/keywords/sentence","display_name":"Sentence","score":0.41764628887176514},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.33995965123176575},{"id":"https://openalex.org/keywords/software-system","display_name":"Software system","score":0.2594531178474426},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.21996569633483887},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.16789108514785767},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.13672134280204773},{"id":"https://openalex.org/keywords/linguistics","display_name":"Linguistics","score":0.1348666548728943}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7896431684494019},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.540181577205658},{"id":"https://openalex.org/C75291252","wikidata":"https://www.wikidata.org/wiki/Q1315756","display_name":"TRACE (psycholinguistics)","level":2,"score":0.5329383611679077},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.5103442072868347},{"id":"https://openalex.org/C153876917","wikidata":"https://www.wikidata.org/wiki/Q899704","display_name":"Traceability","level":2,"score":0.5009403228759766},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.4852611720561981},{"id":"https://openalex.org/C204321447","wikidata":"https://www.wikidata.org/wiki/Q30642","display_name":"Natural language processing","level":1,"score":0.45667076110839844},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.4382472336292267},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.42987480759620667},{"id":"https://openalex.org/C2777561058","wikidata":"https://www.wikidata.org/wiki/Q2652119","display_name":"Program comprehension","level":4,"score":0.426796555519104},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.424783855676651},{"id":"https://openalex.org/C153180980","wikidata":"https://www.wikidata.org/wiki/Q19776675","display_name":"Commit","level":2,"score":0.41945913434028625},{"id":"https://openalex.org/C2777530160","wikidata":"https://www.wikidata.org/wiki/Q41796","display_name":"Sentence","level":2,"score":0.41764628887176514},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.33995965123176575},{"id":"https://openalex.org/C149091818","wikidata":"https://www.wikidata.org/wiki/Q2429814","display_name":"Software system","level":3,"score":0.2594531178474426},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.21996569633483887},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.16789108514785767},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.13672134280204773},{"id":"https://openalex.org/C41895202","wikidata":"https://www.wikidata.org/wiki/Q8162","display_name":"Linguistics","level":1,"score":0.1348666548728943},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C62520636","wikidata":"https://www.wikidata.org/wiki/Q944","display_name":"Quantum mechanics","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3729360","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3729360","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1145/3729360","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3729360","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.5899999737739563}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":44,"referenced_works":["https://openalex.org/W2043223258","https://openalex.org/W2043837581","https://openalex.org/W2062973095","https://openalex.org/W2069268700","https://openalex.org/W2101234009","https://openalex.org/W2110374486","https://openalex.org/W2126166995","https://openalex.org/W2139092060","https://openalex.org/W2149321161","https://openalex.org/W2153869077","https://openalex.org/W2153881107","https://openalex.org/W2160517961","https://openalex.org/W2162840341","https://openalex.org/W2164777277","https://openalex.org/W2166336492","https://openalex.org/W2243325463","https://openalex.org/W2408181256","https://openalex.org/W2540556128","https://openalex.org/W2741600166","https://openalex.org/W2774752913","https://openalex.org/W2924629359","https://openalex.org/W2965373594","https://openalex.org/W2972082064","https://openalex.org/W2979826702","https://openalex.org/W3014902313","https://openalex.org/W3040257249","https://openalex.org/W3086007799","https://openalex.org/W3086623535","https://openalex.org/W3152918650","https://openalex.org/W3162044134","https://openalex.org/W3192256856","https://openalex.org/W3206719451","https://openalex.org/W4220678421","https://openalex.org/W4226395508","https://openalex.org/W4237143884","https://openalex.org/W4238463311","https://openalex.org/W4240869246","https://openalex.org/W4245329948","https://openalex.org/W4285141508","https://openalex.org/W4286331380","https://openalex.org/W4299358159","https://openalex.org/W4309047827","https://openalex.org/W4389393572","https://openalex.org/W4390637152"],"related_works":["https://openalex.org/W2122804569","https://openalex.org/W2982483023","https://openalex.org/W2240979497","https://openalex.org/W2025599150","https://openalex.org/W4396224778","https://openalex.org/W3104152981","https://openalex.org/W2598318421","https://openalex.org/W4241100723","https://openalex.org/W2158202016","https://openalex.org/W2020166315"],"abstract_inverted_index":{"Understanding":[0],"software":[1,11],"vulnerabilities":[2],"and":[3,39,74,115,143,167,221,245],"their":[4,52,168],"resolutions":[5],"is":[6,108],"crucial":[7],"for":[8,42,128,185,197,223],"securing":[9],"modern":[10],"systems.":[12],"This":[13],"study":[14],"presents":[15],"a":[16,22,43,68,75,99,129,191,199,216],"novel":[17],"traceability":[18,62],"model":[19],"that":[20,89],"links":[21,66],"pair":[23,54,69,76,200,207],"of":[24,30,34,55,70,77,175,194,201,208,219,227,238],"sentences":[25,73,120,155,204,229],"describing":[26,121],"at":[27],"least":[28],"one":[29],"the":[31,60,82,90,173,236],"three":[32],"types":[33],"semantics":[35],"(triggers,":[36],"crash":[37,123],"phenomenon":[38,124],"fix":[40,126],"action)":[41],"vulnerability":[44,49,100,130,243],"in":[45,98,110,182,241],"natural":[46],"language":[47],"(NL)":[48],"artifacts,":[50],"to":[51,152,156,205,230],"corresponding":[53,157,206],"code":[56,78,86,96,149,158,170,209,231],"statements.":[57,159,210,232],"Different":[58],"from":[59,136],"traditional":[61],"models,":[63],"our":[64,176,239],"trace":[65,153],"between":[67,85],"related":[71,202],"NL":[72,137,186,203,228],"statements":[79,87],"can":[80,101],"recover":[81],"semantic":[83],"relationship":[84],"so":[88],"specific":[91],"role":[92],"played":[93],"by":[94],"each":[95],"statement":[97],"be":[102],"automatically":[103,118],"identified.":[104],"Our":[105,160],"end-to-end":[106,212],"approach":[107],"implemented":[109],"two":[111,225],"key":[112],"steps:":[113],"VulnExtract":[114,117],"VulnTrace.":[116],"extracts":[119],"triggers,":[122],"and/or":[125],"action":[127],"using":[131],"37":[132],"discourse":[133],"patterns":[134],"derived":[135],"artifacts":[138],"(CVE":[139],"summary,":[140],"bug":[141],"reports":[142],"commit":[144],"messages).":[145],"VulnTrace":[146,189],"employs":[147],"pre-trained":[148],"search":[150],"models":[151],"these":[154],"empirical":[161],"study,":[162],"based":[163],"on":[164],"341":[165],"CVEs":[166],"associated":[169],"snippets,":[171],"demonstrates":[172],"effectiveness":[174],"approach,":[177],"with":[178],"recall":[179],"exceeding":[180],"90%":[181],"most":[183],"cases":[184],"sentence":[187],"extraction.":[188],"achieves":[190,215],"Top5":[192,217],"accuracy":[193,218],"over":[195],"68.2%":[196],"mapping":[198,224],"The":[211],"combined":[213],"VulnExtract+VulnTrace":[214],"59.6%":[220],"53.1%":[222],"pairs":[226],"These":[233],"results":[234],"highlight":[235],"potential":[237],"method":[240],"automating":[242],"comprehension":[244],"reducing":[246],"manual":[247],"effort.":[248]},"counts_by_year":[],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}