Abstract
Design flaws, bugs, and vulnerabilities cause failures in computer systems. Various techniques, such as machine learning and deep learning algorithms, are used to predict and detect vulnerabilities. Such techniques use text mining and software metrics as the feature sets for building and training the predictive model. This paper investigates the impact of non-investigated software metrics, alongside the known software metrics, in predicting the presence of bugs in software source code. The deep learning models used in the design of the predictive model are the Inception model (a variant of the convolutional neural network), an attention-based multilayer perceptron, and long short-term memory. The experimental results show that neither the known nor the non-investigated (new) software metrics are ideal for vulnerability prediction in source code.
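The abstract describes software metrics being extracted from source code and used as the feature vector of a predictive model. The following added example (not code from the paper, and not the authors' metric set) shows what such a feature extractor looks like for Python source: it computes a handful of classic metrics (non-blank lines of code, function count, cyclomatic complexity, maximum nesting depth, call count) with the standard `ast` module and packs them into a vector. The sample source strings are constructed for this example. The second sample differs from the first only in a weakened length check, and both produce the identical metric vector, which illustrates in miniature why metric-based features alone struggle to separate vulnerable from non-vulnerable code, the limitation the abstract reports.

```python
import ast
from dataclasses import dataclass, astuple

# Constructed sample source (not from any real project or dataset).
SAMPLE_SOURCE = '''
def parse_header(buf):
    if len(buf) < 4:
        return None
    length = int.from_bytes(buf[:4], "big")
    if length > 1024 or length == 0:
        return None
    return buf[4:4 + length]

def copy_fields(records, out):
    for rec in records:
        while rec:
            out.append(rec.pop())
    return len(out)
'''

# Same code with a weaker bounds check: structurally identical, so every
# metric below comes out the same even though the behaviour differs.
SAMPLE_SOURCE_WEAK_CHECK = SAMPLE_SOURCE.replace("len(buf) < 4", "len(buf) < 3")


@dataclass
class Metrics:
    loc: int            # non-blank source lines
    num_functions: int  # def / async def count
    cyclomatic: int     # McCabe-style complexity summed over functions
    max_nesting: int    # deepest nesting of compound statements
    num_calls: int      # number of call expressions


# Nodes that open a new decision path (each adds one to complexity).
DECISION_NODES = (ast.If, ast.For, ast.While, ast.IfExp, ast.ExceptHandler, ast.comprehension)
# Nodes that count as a nesting level.
NEST_NODES = (ast.If, ast.For, ast.While, ast.With, ast.Try)


def _cyclomatic(tree: ast.AST) -> int:
    """One per function body plus one per decision point; a boolean
    expression with n operands contributes n - 1 extra paths."""
    complexity = 0
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            complexity += 1
        elif isinstance(node, DECISION_NODES):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            complexity += len(node.values) - 1
    return complexity


def _max_nesting(node: ast.AST, depth: int = 0) -> int:
    """Recursive walk that increments depth for each compound statement."""
    best = depth
    for child in ast.iter_child_nodes(node):
        child_depth = depth + 1 if isinstance(child, NEST_NODES) else depth
        best = max(best, _max_nesting(child, child_depth))
    return best


def compute_metrics(source: str) -> Metrics:
    """Parse the source and return the metric record for the whole file."""
    tree = ast.parse(source)
    loc = sum(1 for line in source.splitlines() if line.strip())
    num_functions = sum(
        isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)) for n in ast.walk(tree)
    )
    num_calls = sum(isinstance(n, ast.Call) for n in ast.walk(tree))
    return Metrics(
        loc=loc,
        num_functions=num_functions,
        cyclomatic=_cyclomatic(tree),
        max_nesting=_max_nesting(tree),
        num_calls=num_calls,
    )


def feature_vector(source: str) -> list[float]:
    """Flatten the metric record into the numeric vector a model would consume."""
    return [float(v) for v in astuple(compute_metrics(source))]


if __name__ == "__main__":
    print(compute_metrics(SAMPLE_SOURCE))
    print(feature_vector(SAMPLE_SOURCE) == feature_vector(SAMPLE_SOURCE_WEAK_CHECK))
```

The metric definitions here are deliberately simple so the counts can be checked by hand; a real pipeline would normalise each feature and add churn or developer-activity metrics. The point to take from the two samples is that the vector is a function of code shape, not of the values in a comparison, so a classifier trained on it cannot distinguish the two versions.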
Data Availability
No datasets were generated or analysed during the current study.
Change history
24 May 2025
This article has been updated to include updated funding information: This work was partly supported by the National Natural Science Foundation of China (NSFC) (Grant nos. 62172194, 62202206 and U1836116), the Natural Science Foundation of Jiangsu Province, China (Grant no. BK20220515), the China Postdoctoral Science Foundation, China (Grant no. 2021M691310), and Qinglan Project of Jiangsu Province, China.
Funding
This work was partly supported by the National Natural Science Foundation of China (NSFC) (Grant nos. 62172194, 62202206 and U1836116), the Natural Science Foundation of Jiangsu Province, China (Grant no. BK20220515), the China Postdoctoral Science Foundation, China (Grant no. 2021M691310), and Qinglan Project of Jiangsu Province, China.
Author information
Contributions
Francis Kwadzo Agbenyegah conceived the idea of the paper and wrote the introduction, literature review, and discussion. Ernest Akpaku wrote the methodology and the experiment. The research was supervised by Jinfu Chen and Micheal Asante.
Ethics declarations
Conflict of interest
The authors declare no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Agbenyegah, F.K., Chen, J., Asante, M. et al. Predicting Vulnerabilities in Computer Source Code Using Non-Investigated Software Metrics. Software Qual J 33, 18 (2025). https://doi.org/10.1007/s11219-025-09715-6
DOI: https://doi.org/10.1007/s11219-025-09715-6