SCEVD: Semantic-enhanced Code Embedding for Vulnerability Discovery.

TrustCom(2022)

Abstract
Source code vulnerability detection is a major goal in security research. In recent years, deep learning methods have been applied to this end; however, the task of embedding code into vector representations as input for deep learning models has yet to be definitively solved. The use of graphs, specifically Abstract Syntax Trees and Code Property Graphs, is a promising research direction for this task; however, learning from graphs grows prohibitively computationally expensive for large graphs. No close examination of intelligent ways to prune this input to only vulnerability-relevant information has yet been performed. Additionally, most existing works focus largely on structural information from graphs, often neglecting information contained within the nodes themselves. We address these gaps in the prior research by proposing SCEVD: a deep learning model for vulnerability discovery which utilises semantic information to intelligently select features in source code graphs for learning. It uses information contained within code graph nodes, as well as information about their relationships with one another, to select the code graph features which are most relevant to code vulnerability. We implement SCEVD and conduct experiments using the SARD Juliet test suite, finding that we are able to improve vulnerability discovery results using this process of semantic-enhanced code graph feature selection.
Keywords
vulnerability discovery, deep learning, code representation, source code semantics