02373nab a2200277 i 4500 publ38520 20251216083840.0 251216s2025 hu o 000 eng d 1049-331X 10.1145/3769105 doi 36362772 mtmt SZTE Publicatio Repozitórium hun eng Hinrichs Torge Back to the Roots [elektronikus dokumentum] : Assessing Mining Techniques for Java Vulnerability-Contributing Commits / Hinrichs Torge 2025 ACM TRANSACTIONS ON SOFTWARE ENGINEERING AND METHODOLOGY 1 Context : Vulnerability-contributing commits (VCCs) are code changes that introduce vulnerabilities. Mining historical VCCs relies on SZZ-based algorithms that trace from known vulnerability-fixing commits. Objective : Although these techniques have been used, e.g., to train just-in-time vulnerability predictors, they lack systematic benchmarking to evaluate their precision, recall, and error sources. Method : We empirically assessed 12 VCC mining techniques in Java repositories using two benchmark datasets (one from the literature and one newly curated). We also explored combinations of techniques, through intersections, voting schemes, and machine learning, to improve performance. Results : Individual techniques achieved at most 0.60 precision but up to 0.89 recall. The precision rose to 0.75 when the outputs were combined with the logical AND, at the expense of recall. Machine learning ensembles reached 0.80 precision with a better precision–recall balance. Performance varied significantly by dataset. Analyzing “fixing commits” showed that certain fix types (e.g., filtering or sanitization) affect retrieval accuracy, and failure patterns highlighted weaknesses when fixes involve external data handling. Conclusion : Such results help software security researchers select the most suitable mining technique for their studies and understand new ways to design more accurate solutions. Számítás- és információtudomány Iannone Emanuele aut Aladics Tamás aut Hegedűs Péter aut De Lucia Andrea aut Palomba Fabio aut Scandariato Riccardo aut http://publicatio.bibl.u-szeged.hu/38520/1/j6.pdf Dokumentum-elérés