English

Revisiting Pre-trained Language Models for Vulnerability Detection

Cryptography and Security 2025-11-25 v3 Artificial Intelligence Machine Learning Software Engineering

Abstract

The rapid advancement of pre-trained language models (PLMs) has demonstrated promising results for various code-related tasks. However, their effectiveness in detecting real-world vulnerabilities remains a critical challenge. While existing empirical studies evaluate PLMs for vulnerability detection (VD), they suffer from data leakage, limited scope, and superficial analysis, hindering the accuracy and comprehensiveness of evaluations. This paper begins by revisiting the common issues in existing research on PLMs for VD through the evaluation pipeline. It then proceeds with an accurate and extensive evaluation of 18 PLMs on high-quality datasets that feature accurate labeling, diverse vulnerability types, and various projects. Specifically, we compare the performance of PLMs under both fine-tuning and prompt engineering, assess their effectiveness and generalizability across various training and testing settings, and analyze their robustness to a series of perturbations. Our findings reveal that PLMs incorporating pre-training tasks designed to capture the syntactic and semantic patterns of code outperform both general-purpose PLMs and those solely pre-trained or fine-tuned on large code corpora. However, these models face notable challenges in real-world scenarios, such as difficulties in detecting vulnerabilities with complex dependencies, handling perturbations introduced by code normalization and abstraction, and identifying semantic-preserving vulnerable code transformations. Also, the truncation caused by the limited context windows of PLMs can lead to a non-negligible number of labeling errors, which is overlooked by previous work. This study underscores the importance of thorough evaluations of model performance in practical scenarios and outlines future directions to help enhance the effectiveness of PLMs for realistic VD applications.

Keywords

Cite

@article{arxiv.2507.16887,
  title  = {Revisiting Pre-trained Language Models for Vulnerability Detection},
  author = {Youpeng Li and Weiliang Qi and Xuyu Wang and Fuxun Yu and Xinda Wang},
  journal= {arXiv preprint arXiv:2507.16887},
  year   = {2025}
}

Comments

Accepted by the 21st ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2026)

R2 v1 2026-07-01T04:14:00.267Z