Context: Deep learning, and in particular graph-based models, has advanced software vulnerability detection by effectively capturing structural code features. Nonetheless, most existing approaches treat source code as independent components, overlooking inter-function relationships and thereby missing potential vulnerability propagation across function boundaries. Objective: To address this limitation, we propose SCVdet, a Graph Attention Network (GAT) based method that integrates inter-function dependencies into the vulnerability detection process. Method: These dependencies are approximated by applying a clustering technique over the learned embeddings of the code functions. This enables scalable and dynamic modeling of function relationships without incurring the high computational cost of the static code analysis that would be required to recover the full set of real and complete inter-function dependencies. We enhance representation learning by complementing the analysis of each function's code (local code semantics) with the inter-function dependency analysis (global project-level analysis). We then adopt two strategies, concatenation and attention, to fuse these local and global types of information. Results: Extensive experiments on multi-language datasets (FFmpeg+QEMU, ProjectKB, Big-Vul, and CVEFixes) demonstrate that SCVdet consistently outperforms both sequence-based and graph-based baselines, achieving up to a 16% improvement in F1-score at the function level and 7% at the statement level. Conclusion: The results indicate that SCVdet improves vulnerability detection by combining both local and global information. This approach increases detection accuracy and outperforms the capabilities of state-of-the-art tools while maintaining scalability.
Modeling function-level relationships for vulnerability detection in graph neural networks / Lekeufack Foulefack, R.Z., Provvedini, E., Marchetto, A. - In: ENGINEERING APPLICATIONS OF ARTIFICIAL INTELLIGENCE. - ISSN 0952-1976. - 177:(2026), pp. 1-17. [10.1016/j.engappai.2026.114866]
Modeling function-level relationships for vulnerability detection in graph neural networks
Lekeufack Foulefack R. Z.; Marchetto A.
2026-01-01