From 121011c565eba962195a33055b1027b84bc5ac30 Mon Sep 17 00:00:00 2001
From: Adrien Linares <76013394+adlina1@users.noreply.github.com>
Date: Fri, 12 Jul 2024 16:10:33 +0200
Subject: [PATCH 1/8] Added a toc
---
README.md | 41 ++++++++++++++++++++++++++++-------------
1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index 0bfb210ba..530469d66 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,22 @@
[![REUSE status](https://api.reuse.software/badge/github.com/sap/project-kb)](https://api.reuse.software/info/github.com/sap/project-kb)
[![Pytest](https://github.com/SAP/project-kb/actions/workflows/python.yml/badge.svg)](https://github.com/SAP/project-kb/actions/workflows/python.yml)
-## Description
+# Table of contents
+1. [Description](#desc)
+2. [Motivations](#motiv)
+3. [Kaybee](#kaybee)
+4. [Prospector](#prosp)
+5. [Vulnerability data](#vuldata)
+6. [Publications](#publi)
+7. [Star history](#starhist)
+8. [Credits](#credit)
+9. [EU funded research projects](#eu_funded)
+10. [Vulnerability data sources](#vul_data)
+11. [Limitations and known issues](#limit)
+12. [Support](#support)
+13. [Contributing](#contrib)
+
+## Description
The goal of `Project KB` is to enable the creation, management and aggregation of a
distributed, collaborative knowledge base of vulnerabilities affecting
@@ -19,7 +34,7 @@ open-source software.
as well as set of tools to support the mining, curation and management of such data.
-### Motivations
+### Motivations
In order to feed [Eclipse Steady](https://github.com/eclipse/steady/) with fresh
data, we have spent a considerable amount of time, in the past few years, mining
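Review bot: the removed and added `### Motivations` lines are textually identical, so this hunk changes only trailing whitespace or line endings; the same holds for every remaining hunk in this patch (Kaybee, Prospector, Vulnerability data, Publications, Star History, Credits, Vulnerability data sources, Limitations, Support, Contributing). If the intent was to attach the table-of-contents anchor targets to these headings, the targets did not make it into the diff; if it was only whitespace cleanup, a separate commit (or leaving the lines untouched) would keep this patch limited to the table of contents it advertises.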
@@ -45,7 +60,7 @@ of the data they produce and of how they aggregate and consume data from the
other sources.
-## Kaybee
+## Kaybee
Kaybee is a vulnerability data management tool, it makes possible to fetch the vulnerability statements from this
repository (or from any other repository) and export them to a number of
@@ -54,18 +69,18 @@ backend](https://github.com/eclipse/steady).
For details and usage instructions check out the [kaybee README](https://github.com/SAP/project-kb/tree/main/kaybee).
-## Prospector
+## Prospector
Prospector is a vulnerability data mining tool that aims at reducing the effort needed to find security fixes for known vulnerabilities in open source software repositories.
The tool takes a vulnerability description (in natural language) as input and produces a ranked list of commits, in decreasing order of relevance.
For details and usage instructions check out the [prospector README](https://github.com/SAP/project-kb/tree/main/prospector).
-## Vulnerability data
+## Vulnerability data
The vulnerability data of Project KB are stored in textual form as a set of YAML files, in the [vulnerability-data branch](https://github.com/SAP/project-kb/tree/vulnerability-data).
-## Publications
+## Publications
In early 2019, a snapshot of the knowlege base from project "KB" was described in:
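Review bot: the trailing context line of this hunk carries the misspelling `knowlege` ("a snapshot of the knowlege base"); since the patch already rewrites the `## Publications` heading immediately above it, correcting it to `knowledge` here would be cheap and avoids a follow-up whitespace-only touch of the same region.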
@@ -91,13 +106,13 @@ scripts described in that paper](MSR2019)
> If you wrote a paper that uses the data or the tools from this repository, please let us know (through an issue) and we'll add it to this list.
-## Star History
+## Star History
[![Star History Chart](https://api.star-history.com/svg?repos=sap/project-kb&type=Date)](https://star-history.com/#sap/project-kb&Date)
-## Credits
+## Credits
-### EU-funded research projects
+### EU-funded research projects
The development of Project KB is partially supported by the following projects:
@@ -105,22 +120,22 @@ The development of Project KB is partially supported by the following projects:
* [AssureMOSS](https://assuremoss.eu) (Grant No. 952647).
* [Sparta](https://www.sparta.eu/) (Grant No. 830892).
-### Vulnerability data sources
+### Vulnerability data sources
Vulnerability information from NVD and MITRE might have been used as input
for building parts of this knowledge base. See MITRE's [CVE Usage license](http://cve.mitre.org/about/termsofuse.html) for more information.
-## Limitations and Known Issues
+## Limitations and Known Issues
This project is **work-in-progress**, you can find the list of known issues [here](https://github.com/SAP/project-kb/issues).
Currently the vulnerability knowledge base only contains information about vulnerabilities in Java and Python open source components.
-## Support
+## Support
For the time being, please use [GitHub
issues](https://github.com/SAP/project-kb/issues) to report bugs, request new features and ask for support.
-## Contributing
+## Contributing
See [How to contribute](CONTRIBUTING.md).
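Review bot: the headings rewritten in this hunk do not match the labels the table of contents gives them: the heading reads `## Limitations and Known Issues` while the entry reads `Limitations and known issues`, `### EU-funded research projects` versus `EU funded research projects`, and `### Vulnerability data sources` versus a heading elsewhere rendered as `Star History` against the entry `Star history`. Because the entries use explicit anchors the mismatch does not break linking, but the link text should be copied verbatim from the headings so readers can recognise the section they land on.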
From a3f5375db66ecd38b6783dab385ffcdb5f737a1f Mon Sep 17 00:00:00 2001
From: Adrien Linares <76013394+adlina1@users.noreply.github.com>
Date: Wed, 17 Jul 2024 15:26:49 +0200
Subject: [PATCH 2/8] Added papers citing our work and our own related papers
---
README.md | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 105 insertions(+)
diff --git a/README.md b/README.md
index 530469d66..33abef135 100644
--- a/README.md
+++ b/README.md
@@ -106,6 +106,111 @@ scripts described in that paper](MSR2019)
> If you wrote a paper that uses the data or the tools from this repository, please let us know (through an issue) and we'll add it to this list.
+___
+
+
+
+**Papers citing our work**
+* Bui, Q-C. et al. (May 2022). [Vul4J: a dataset of reproducible Java vulnerabilities geared towards the study of program repair techniques](https://dl.acm.org/doi/abs/10.1145/3524842.3528482)
+* Galvão, P.L. (October 2022). [Analysis and Aggregation of Vulnerability Databases with Code-Level Data](https://repositorio-aberto.up.pt/bitstream/10216/144796/2/588886.pdf)
+* Aladics, T. et al. (2022). [A Vulnerability Introducing Commit Dataset for Java: an Improved SZZ Based Approach](https://real.mtak.hu/149061/1/ICSOFT_2022_41_CR-1.pdf)
+* Sharma, T. et al. (October 2021). [A Survey on Machine Learning Techniques for Source Code Analysis](https://arxiv.org/abs/2110.09610)
+* Hommersom, D. et al. (June 2024). [Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories](https://dl.acm.org/doi/abs/10.1145/3649590)
+* Marchand-Melsom, A. et al. (June 2020). [Automatic repair of OWASP Top 10 security vulnerabilities: A survey](https://dl.acm.org/doi/abs/10.1145/3387940.3392200)
+* Sawadogo, A. D. et al. (Dec 2021). [Early Detection of Security-Relevant Bug Reports using Machine Learning: How Far Are We?](https://arxiv.org/abs/2112.10123)
+* Sun, S. et al. (Jul 2023). [Exploring Security Commits in Python](https://arxiv.org/abs/2307.11853)
+* Reis, S. et al. (June 2021). [Fixing Vulnerabilities Potentially Hinders Maintainability](https://arxiv.org/abs/2106.03271)
+* Andrade, R., & Santos, V. (September 2021). [Investigating vulnerability datasets](https://sol.sbc.org.br/index.php/vem/article/view/17213)
+* Nguyen, T. G. et al. (May 2023). [Multi-Granularity Detector for Vulnerability Fixesv](https://arxiv.org/abs/2305.13884)
+* Siddiq, M. L., & Santos, J. C. S. (November 2022). [SecurityEval dataset: mining vulnerability examples to evaluate machine learning-based code generation techniques](https://dl.acm.org/doi/abs/10.1145/3549035.3561184)
+* Sawadogo, A. D. et al. (August 2022). [SSPCatcher: Learning to catch security patches](https://link.springer.com/article/10.1007/s10664-022-10168-9)
+* Dunlap, T. et al. (July 2024). [VFCFinder: Pairing Security Advisories and Patches](http://enck.org/pubs/dunlap-asiaccs24.pdf)
+* Dunlap, T. et al. (November 2023). [VFCFinder: Seamlessly Pairing Security Advisories and Patches](https://arxiv.org/abs/2311.01532)
+* Bao, L. et al. (July 2022). [V-SZZ: automatic identification of version ranges affected by CVE vulnerabilities](https://dl.acm.org/doi/abs/10.1145/3510003.3510113)
+* Fan, J. et al. (September 2020). [A C/C++ Code Vulnerability Dataset with Code Changes and CVE Summaries](https://dl.acm.org/doi/abs/10.1145/3379597.3387501)
+* Zhang, J. et al. (January 2023). [A Survey of Learning-based Automated Program Repair](https://arxiv.org/abs/2301.03270)
+* Alzubaidi, L. et al. (April 2023). [A survey on deep learning tools dealing with data scarcity: definitions, challenges, solutions, tips, and applications](https://link.springer.com/article/10.1186/s40537-023-00727-2)
+* Sharma, T. et al. (December 2023). [A survey on machine learning techniques applied to source code](https://www.sciencedirect.com/science/article/pii/S0164121223003291)
+* Elder, S. et al. (April 2024). [A Survey on Software Vulnerability Exploitability Assessment](https://dl.acm.org/doi/abs/10.1145/3648610)
+* Aladics, T. et al. (March 2023). [An AST-based Code Change Representation and its Performance in Just-in-time Vulnerability Prediction](https://arxiv.org/abs/2303.16591)
+* Singhal, A., & Goel, P.K. (2023). [Analysis and Identification of Malicious Mobile Applications](https://ieeexplore.ieee.org/abstract/document/10428519)
+* Senanayake, J. et al. (July 2021). [Android Mobile Malware Detection Using Machine Learning: A Systematic Review](https://www.mdpi.com/2079-9292/10/13/1606)
+* Bui, Q-C. et al. (December 2023). [APR4Vul: an empirical study of automatic program repair techniques on real-world Java vulnerabilities](https://link.springer.com/article/10.1007/s10664-023-10415-7)
+* Senanayake, J. et al. (January 2023). [Android Source Code Vulnerability Detection: A Systematic Literature Review](https://dl.acm.org/doi/full/10.1145/3556974)
+* Reis, S. et al. (June 2023). [Are security commit messages informative? Not enough!](https://dl.acm.org/doi/abs/10.1145/3593434.3593481)
+* Anonymous authors. (2022). [Beyond syntax trees: learning embeddings of code edits by combining multiple source representations](https://openreview.net/pdf?id=H8qETo_W1-9)
+* Challande, A. et al. (April 2022). [Building a Commit-level Dataset of Real-world Vulnerabilities](https://dl.acm.org/doi/abs/10.1145/3508398.3511495)
+* Wang, S., & Nagappan, N. (July 2019). [Characterizing and Understanding Software Developer Networks in Security Development](https://arxiv.org/abs/1907.12141)
+* Harzevili, N. S. et al. (March 2022). [Characterizing and Understanding Software Security Vulnerabilities in Machine Learning Libraries](https://arxiv.org/abs/2203.06502)
+* Tate, S. R. et al. (2020). [Characterizing Vulnerabilities in a Major Linux Distribution](https://home.uncg.edu/cmp/faculty/srtate/pubs/vulnerabilities/Vulnerabilities-SEKE2020.pdf)
+* Zhang, L. et al. (January 2023). [Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects](https://arxiv.org/abs/2301.08434)
+* Lee, J.Y.D., & Chieu, H.L. (November 2021). [Co-training for Commit Classification](https://aclanthology.org/2021.wnut-1.43/)
+* Nikitopoulos, G. et al. (August 2021). [CrossVul: a cross-language vulnerability dataset with commit data](https://dl.acm.org/doi/10.1145/3468264.3473122)
+* Bhandari, G.P. (July 2021). [CVEfixes: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software](https://arxiv.org/abs/2107.08760)
+* Sonnekalb, T. et al. (October 2021). [Deep security analysis of program code](https://link.springer.com/article/10.1007/s10664-021-10029-x)
+* Triet, H.M. et al. (August 2021). [DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning](https://arxiv.org/abs/2108.08041)
+* Senanayake, J. et al. (May 2024). [Defendroid: Real-time Android code vulnerability detection via blockchain federated neural network with XAI](https://www.sciencedirect.com/science/article/pii/S2214212624000449)
+* Stefanoni, A. et al. (2022). [Detecting Security Patches in Java Projects Using NLP Technology](https://aclanthology.org/2022.icnlsp-1.6.pdf)
+* Okutan, A. et al. (May 2023). [Empirical Validation of Automated Vulnerability Curation and Characterization](https://s2e-lab.github.io/preprints/tse23-preprint.pdf)
+* Wang, J. et al. (October 2023). [Enhancing Large Language Models for Secure Code Generation: A Dataset-driven Study on Vulnerability Mitigation](https://arxiv.org/abs/2310.16263)
+* Bottner, L. et al. (December 2023). [Evaluation of Free and Open Source Tools for Automated Software Composition Analysis](https://dl.acm.org/doi/abs/10.1145/3631204.3631862)
+* Ganz, T. et al. (November 2021). [Explaining Graph Neural Networks for Vulnerability Discovery](https://dl.acm.org/doi/abs/10.1145/3474369.3486866)
+* Ram, A. et al. (November 2019). [Exploiting Token and Path-based Representations of Code for Identifying Security-Relevant Commits](https://arxiv.org/abs/1911.07620)
+* Md. Mostafizer Rahman, et al. (July 2023). [Exploring Automated Code Evaluation Systems and Resources for Code Analysis: A Comprehensive Survey](https://arxiv.org/abs/2307.08705)
+* Zhang, Y. et al. (October 2023). [How well does LLM generate security tests?](https://arxiv.org/abs/2310.00710)
+* Jing, D. (2022). [Improvement of Vulnerable Code Dataset Based on Program Equivalence Transformation](https://iopscience.iop.org/article/10.1088/1742-6596/2363/1/012010)
+* Wu, Y. et al. (May 2023). [How Effective Are Neural Networks for Fixing Security Vulnerabilities](https://arxiv.org/abs/2305.18607)
+* Yang, G. et al. (August 2021). [Few-Sample Named Entity Recognition for Security Vulnerability Reports by Fine-Tuning Pre-Trained Language Models](https://arxiv.org/abs/2108.06590)
+* Zhou, J. et al. (2021). [Finding A Needle in a Haystack: Automated Mining of Silent Vulnerability Fixes](https://ieeexplore.ieee.org/abstract/document/9678720)
+* Dunlap, T. et al. (2023). [Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis](https://ieeexplore.ieee.org/document/10190493)
+* Shestov, A. et al. (January 2024). [Finetuning Large Language Models for Vulnerability Detection](https://arxiv.org/abs/2401.17010)
+* Scalco, S. et al. (July 2024). [Hash4Patch: A Lightweight Low False Positive Tool for Finding Vulnerability Patch Commits](https://dl.acm.org/doi/10.1145/3643991.3644871)
+* Nguyen-Truong, G. et al. (July 2022). [HERMES: Using Commit-Issue Linking to Detect Vulnerability-Fixing Commits](https://ieeexplore.ieee.org/abstract/document/9825835)
+* Wang, J. et al. (July 2024). [Is Your AI-Generated Code Really Safe? Evaluating Large Language Models on Secure Code Generation with CodeSecEval](https://arxiv.org/abs/2407.02395)
+* Sawadogo, A.D. et al. (January 2020). [Learning to Catch Security Patches](https://arxiv.org/abs/2001.09148)
+* Tony, C. et al. (March 2023). [LLMSecEval: A Dataset of Natural Language Prompts for Security Evaluations](https://arxiv.org/abs/2303.09384)
+* Wang, S., & Naggapan, N. (July 2019). [Characterizing and Understanding Software Developer Networks in Security Development](https://www.researchgate.net/publication/334760102_Characterizing_and_Understanding_Software_Developer_Networks_in_Security_Development)
+* Chen, Z. et al. (April 2021). [Neural Transfer Learning for Repairing Security Vulnerabilities in C Code](https://arxiv.org/abs/2104.08308)
+* Papotti, A. et al. (September 2022). [On the acceptance by code reviewers of candidate security patches suggested by Automated Program Repair tools](https://arxiv.org/abs/2209.07211)
+* Mir, A.M. et al. (February 2024). [On the Effectiveness of Machine Learning-based Call Graph Pruning: An Empirical Study](https://arxiv.org/abs/2402.07294)
+* Dietrich, J. et al. (June 2023). [On the Security Blind Spots of Software Composition Analysis](https://arxiv.org/abs/2306.05534)
+* Triet H. M. Le., & Babar, A.M. (March 2022). [On the Use of Fine-grained Vulnerable Code Statements for Software Vulnerability Assessment Models](https://arxiv.org/abs/2203.08417)
+* Chapman, J., & Venugopalan, H. (January 2023). [Open Source Software Computed Risk Framework](https://ieeexplore.ieee.org/abstract/document/10000561)
+* Canfora, G. et al. (February 2022). [Patchworking: Exploring the code changes induced by vulnerability fixing activities](https://www.researchgate.net/publication/355561561_Patchworking_Exploring_the_code_changes_induced_by_vulnerability_fixing_activities)
+* Garg, S. et al. (June 2021). [PerfLens: a data-driven performance bug detection and fix platform](https://dl.acm.org/doi/abs/10.1145/3460946.3464318)
+* Coskun, T. et al. (November 2022). [Profiling developers to predict vulnerable code changes](https://dl.acm.org/doi/abs/10.1145/3558489.3559069)
+* Bhuiyan, M.H.M. et al. (July 2023). [SecBench.js: An Executable Security Benchmark Suite for Server-Side JavaScript](https://ieeexplore.ieee.org/abstract/document/10172577)
+* Reis, S. et al. (October 2022). [SECOM: towards a convention for security commit messages](https://dl.acm.org/doi/abs/10.1145/3524842.3528513)
+* Bennett, G. et al. (June 2024). [Semgrep*: Improving the Limited Performance of Static Application Security Testing (SAST) Tools](https://dl.acm.org/doi/abs/10.1145/3661167.3661262)
+* Chi, J. et al. (October 2020). [SeqTrans: Automatic Vulnerability Fix via Sequence to Sequence Learning](https://arxiv.org/abs/2010.10805)
+* Ahmed, A. et al. (May 2023). [Sequential Graph Neural Networks for Source Code Vulnerability Identification](https://arxiv.org/abs/2306.05375)
+* Sun, J. et al. (February 2023). [Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation](https://arxiv.org/abs/2302.07445)
+* Zhao, L. et al. (November 2023). [Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects](https://dl.acm.org/doi/10.1145/3611643.3616299)
+* Zhan, Q. et al. (January 2024). [Survey on Vulnerability Awareness of Open Source Software](https://www.jos.org.cn/josen/article/abstract/6935)
+* Li, X. et al. (March 2023). [The anatomy of a vulnerability database: A systematic mapping study](https://www.sciencedirect.com/science/article/pii/S0164121223000742)
+* Al Debeyan, F. et al. (February 2024). [The impact of hard and easy negative training data on vulnerability prediction performance☆](https://www.sciencedirect.com/science/article/pii/S0164121224000463)
+* Xu, C. et al. (December 2021). [Tracking Patches for Open Source Software Vulnerabilities](https://arxiv.org/abs/2112.02240)
+* Risse, N., & Böhme, M. (June 2023). [Uncovering the Limits of Machine Learning for Automatic Vulnerability Detection](https://arxiv.org/abs/2306.17193)
+* Xu, N. et al. (July 2023). [Understanding and Tackling Label Errors in Deep Learning-Based Vulnerability Detection (Experience Paper)](https://dl.acm.org/doi/abs/10.1145/3597926.3598037)
+* Wu, Y. et al. (July 2023). [Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem](https://ieeexplore.ieee.org/abstract/document/10172868)
+* Esposito, M., & Falessi, D. (March 2024). [VALIDATE: A deep dive into vulnerability prediction datasets](https://www.sciencedirect.com/science/article/pii/S0950584924000533)
+* Wang, S. et al. (July 2022). [VCMatch: A Ranking-based Approach for Automatic Security Patches Localization for OSS Vulnerabilities](https://ieeexplore.ieee.org/abstract/document/9825908)
+* Sun, Q. et al. (December 2022). [VERJava: Vulnerable Version Identification for Java OSS with a Two-Stage Analysis](https://ieeexplore.ieee.org/abstract/document/9978189)
+* Nguyen, S. et al. (September 2023). [VFFINDER: A Graph-based Approach for Automated Silent Vulnerability-Fix Identification](https://arxiv.org/abs/2309.01971)
+* Piran, A. et al. (March 2022). [Vulnerability Analysis of Similar Code](https://ieeexplore.ieee.org/abstract/document/9724745)
+* Keller, P. et al. (February 2020). [What You See is What it Means! Semantic Representation Learning of Code based on Visualization and Transfer Learning](https://arxiv.org/abs/2002.02650)
+
+___
+
+**Our related papers**
+* Cabrera Lozoya, R. et al. (March 2021). [Commit2Vec: Learning Distributed Representations of Code Changes](https://link.springer.com/article/10.1007/s42979-021-00566-z)
+* Fehrer, T. et al. (May 2021). [Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers](https://dl.acm.org/doi/pdf/10.1145/3661167.3661217)
+* Ponta, S.E. et al. (June 2020). [Detection, assessment and mitigation of vulnerabilities in open source dependencies](https://www.semanticscholar.org/paper/Detection%2C-assessment-and-mitigation-of-in-open-Ponta-Plate/728eab7ac5ae7dd624d306ae5e1887f7b10447cc)
+* Dann, A. et al. (September 2022). [Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite](https://www.computer.org/csdl/journal/ts/2022/09/09506931/1vNfNyyKDOo)
+* Ponta, S.E. et al. (August 2021). [The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application](https://arxiv.org/abs/2108.05115)
+* Iannone, E. et al. (June 2021). [Toward Automated Exploit Generation for Known Vulnerabilities in Open-Source Libraries](https://ieeexplore.ieee.org/abstract/document/9462983)
+
+
## Star History
[![Star History Chart](https://api.star-history.com/svg?repos=sap/project-kb&type=Date)](https://star-history.com/#sap/project-kb&Date)
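Review bot: the citing-papers list contains a duplicate: `Wang, S., & Nagappan, N. (July 2019). Characterizing and Understanding Software Developer Networks in Security Development` appears once with an arXiv link and again, further down, with a ResearchGate link and the author misspelled as `Naggapan`; keep one entry. Other typos in added lines: `Multi-Granularity Detector for Vulnerability Fixesv` (stray `v`), and a `☆` pasted from the publisher page at the end of `The impact of hard and easy negative training data on vulnerability prediction performance☆`. The author format also drifts between `Surname, I. et al.`, `Surname, I., & Surname, I.` and `Md. Mostafizer Rahman, et al.`; pick one form. Finally, the hunk opens with `___` followed by three blank lines and closes with two, which markdown collapses but which makes the diff noisier than it needs to be; one blank line around the rule is enough. The list order is alphabetical by title from `A C/C++ Code Vulnerability Dataset` onward but the first sixteen entries (`Vul4J`, `Analysis and Aggregation`, ...) are unsorted, so either sort the whole list or state the ordering.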
From ff81c61708f3ae9775da4f0b750f9f657703627d Mon Sep 17 00:00:00 2001
From: Antonino Sabetta
Date: Fri, 19 Jul 2024 13:56:28 +0200
Subject: [PATCH 3/8] Changed order (our papers first, the others')
---
README.md | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 33abef135..abac3a20b 100644
--- a/README.md
+++ b/README.md
@@ -108,6 +108,16 @@ scripts described in that paper](MSR2019)
___
+**Our papers related to Project KB**
+* Cabrera Lozoya, R. et al. (March 2021). [Commit2Vec: Learning Distributed Representations of Code Changes](https://link.springer.com/article/10.1007/s42979-021-00566-z)
+* Fehrer, T. et al. (May 2021). [Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers](https://dl.acm.org/doi/pdf/10.1145/3661167.3661217)
+* Ponta, S.E. et al. (June 2020). [Detection, assessment and mitigation of vulnerabilities in open source dependencies](https://www.semanticscholar.org/paper/Detection%2C-assessment-and-mitigation-of-in-open-Ponta-Plate/728eab7ac5ae7dd624d306ae5e1887f7b10447cc)
+* Dann, A. et al. (September 2022). [Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite](https://www.computer.org/csdl/journal/ts/2022/09/09506931/1vNfNyyKDOo)
+* Ponta, S.E. et al. (August 2021). [The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application](https://arxiv.org/abs/2108.05115)
+* Iannone, E. et al. (June 2021). [Toward Automated Exploit Generation for Known Vulnerabilities in Open-Source Libraries](https://ieeexplore.ieee.org/abstract/document/9462983)
+
+___
+
**Papers citing our work**
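Review bot: the moved block lands directly under the `___` rule with no blank line before `**Our papers related to Project KB**`; a thematic break immediately followed by text is still parsed as a rule in CommonMark, but for consistency with the `___` / blank line / heading pattern used for `**Papers citing our work**` two lines below, add a blank line after the rule. The entries themselves are copied unchanged, so the `Commit2Vec` through `Toward Automated Exploit Generation` items keep the `(Month Year)` style that the rest of the README uses; fine for this commit, but note it for whoever reformats the references.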
@@ -200,17 +210,6 @@ ___
* Piran, A. et al. (March 2022). [Vulnerability Analysis of Similar Code](https://ieeexplore.ieee.org/abstract/document/9724745)
* Keller, P. et al. (February 2020). [What You See is What it Means! Semantic Representation Learning of Code based on Visualization and Transfer Learning](https://arxiv.org/abs/2002.02650)
-___
-
-**Our related papers**
-* Cabrera Lozoya, R. et al. (March 2021). [Commit2Vec: Learning Distributed Representations of Code Changes](https://link.springer.com/article/10.1007/s42979-021-00566-z)
-* Fehrer, T. et al. (May 2021). [Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers](https://dl.acm.org/doi/pdf/10.1145/3661167.3661217)
-* Ponta, S.E. et al. (June 2020). [Detection, assessment and mitigation of vulnerabilities in open source dependencies](https://www.semanticscholar.org/paper/Detection%2C-assessment-and-mitigation-of-in-open-Ponta-Plate/728eab7ac5ae7dd624d306ae5e1887f7b10447cc)
-* Dann, A. et al. (September 2022). [Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite](https://www.computer.org/csdl/journal/ts/2022/09/09506931/1vNfNyyKDOo)
-* Ponta, S.E. et al. (August 2021). [The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application](https://arxiv.org/abs/2108.05115)
-* Iannone, E. et al. (June 2021). [Toward Automated Exploit Generation for Known Vulnerabilities in Open-Source Libraries](https://ieeexplore.ieee.org/abstract/document/9462983)
-
-
## Star History
[![Star History Chart](https://api.star-history.com/svg?repos=sap/project-kb&type=Date)](https://star-history.com/#sap/project-kb&Date)
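Review bot: deleting the `___` rule and the two trailing blank lines leaves the last citing-paper entry (`Keller, P. et al. ... What You See is What it Means!`) immediately followed by `## Star History` with no blank line in between. Most renderers still start a new heading there, but some treat a heading that follows a list item without a blank line as a lazy continuation of that item; keep one blank line before `## Star History`.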
From a3d7a7f85f0a17862f51f174517f36c656d7de33 Mon Sep 17 00:00:00 2001
From: Adrien Linares <76013394+adlina1@users.noreply.github.com>
Date: Fri, 19 Jul 2024 14:28:39 +0200
Subject: [PATCH 4/8] Changed format for references of papers
APA one
---
README.md | 187 +++++++++++++++++++++++++++---------------------------
1 file changed, 92 insertions(+), 95 deletions(-)
diff --git a/README.md b/README.md
index abac3a20b..19f491e20 100644
--- a/README.md
+++ b/README.md
@@ -109,106 +109,103 @@ scripts described in that paper](MSR2019)
___
**Our papers related to Project KB**
-* Cabrera Lozoya, R. et al. (March 2021). [Commit2Vec: Learning Distributed Representations of Code Changes](https://link.springer.com/article/10.1007/s42979-021-00566-z)
-* Fehrer, T. et al. (May 2021). [Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers](https://dl.acm.org/doi/pdf/10.1145/3661167.3661217)
-* Ponta, S.E. et al. (June 2020). [Detection, assessment and mitigation of vulnerabilities in open source dependencies](https://www.semanticscholar.org/paper/Detection%2C-assessment-and-mitigation-of-in-open-Ponta-Plate/728eab7ac5ae7dd624d306ae5e1887f7b10447cc)
-* Dann, A. et al. (September 2022). [Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite](https://www.computer.org/csdl/journal/ts/2022/09/09506931/1vNfNyyKDOo)
-* Ponta, S.E. et al. (August 2021). [The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application](https://arxiv.org/abs/2108.05115)
-* Iannone, E. et al. (June 2021). [Toward Automated Exploit Generation for Known Vulnerabilities in Open-Source Libraries](https://ieeexplore.ieee.org/abstract/document/9462983)
+* Dann, A., Plate, H., Hermann, B., Ponta, S., & Bodden, E. (2022). [Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite.](https://ris.uni-paderborn.de/record/31132) IEEE Transactions on Software Engineering, 48(09), 3613–3625.
+* Cabrera Lozoya, R., Baumann, A., Sabetta, A., & Bezzi, M. (2021). [Commit2Vec: Learning Distributed Representations of Code Changes.](https://link.springer.com/article/10.1007/s42979-021-00566-z) SN Computer Science, 2(3).
+* Fehrer, T., Lozoya, R. C., Sabetta, A., Nucci, D. D., & Tamburri, D. A. (2021). [Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers.](http://arxiv.org/abs/2105.03346) EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering
+* Ponta, S. E., Fischer, W., Plate, H., & Sabetta, A. (2021). [The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application.](https://www.computer.org/csdl/proceedings-article/icsme/2021/288200a555/1yNhfKb2TBe) 2021 IEEE International Conference on Software Maintenance and Evolution (ICSME)
+* Iannone, E., Nucci, D. D., Sabetta, A., & De Lucia, A. (2021). [Toward Automated Exploit Generation for Known Vulnerabilities in Open-Source Libraries.](https://ieeexplore.ieee.org/document/9462983) 2021 IEEE/ACM 29th International Conference on Program Comprehension (ICPC), 396–400.
+* Ponta, S. E., Plate, H., & Sabetta, A. (2020). [Detection, assessment and mitigation of vulnerabilities in open source dependencies.](https://api.semanticscholar.org/CorpusID:220259876) Empirical Software Engineering, 25, 3175–3215.
___
-
+
**Papers citing our work**
-* Bui, Q-C. et al. (May 2022). [Vul4J: a dataset of reproducible Java vulnerabilities geared towards the study of program repair techniques](https://dl.acm.org/doi/abs/10.1145/3524842.3528482)
-* Galvão, P.L. (October 2022). [Analysis and Aggregation of Vulnerability Databases with Code-Level Data](https://repositorio-aberto.up.pt/bitstream/10216/144796/2/588886.pdf)
-* Aladics, T. et al. (2022). [A Vulnerability Introducing Commit Dataset for Java: an Improved SZZ Based Approach](https://real.mtak.hu/149061/1/ICSOFT_2022_41_CR-1.pdf)
-* Sharma, T. et al. (October 2021). [A Survey on Machine Learning Techniques for Source Code Analysis](https://arxiv.org/abs/2110.09610)
-* Hommersom, D. et al. (June 2024). [Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories](https://dl.acm.org/doi/abs/10.1145/3649590)
-* Marchand-Melsom, A. et al. (June 2020). [Automatic repair of OWASP Top 10 security vulnerabilities: A survey](https://dl.acm.org/doi/abs/10.1145/3387940.3392200)
-* Sawadogo, A. D. et al. (Dec 2021). [Early Detection of Security-Relevant Bug Reports using Machine Learning: How Far Are We?](https://arxiv.org/abs/2112.10123)
-* Sun, S. et al. (Jul 2023). [Exploring Security Commits in Python](https://arxiv.org/abs/2307.11853)
-* Reis, S. et al. (June 2021). [Fixing Vulnerabilities Potentially Hinders Maintainability](https://arxiv.org/abs/2106.03271)
-* Andrade, R., & Santos, V. (September 2021). [Investigating vulnerability datasets](https://sol.sbc.org.br/index.php/vem/article/view/17213)
-* Nguyen, T. G. et al. (May 2023). [Multi-Granularity Detector for Vulnerability Fixesv](https://arxiv.org/abs/2305.13884)
-* Siddiq, M. L., & Santos, J. C. S. (November 2022). [SecurityEval dataset: mining vulnerability examples to evaluate machine learning-based code generation techniques](https://dl.acm.org/doi/abs/10.1145/3549035.3561184)
-* Sawadogo, A. D. et al. (August 2022). [SSPCatcher: Learning to catch security patches](https://link.springer.com/article/10.1007/s10664-022-10168-9)
-* Dunlap, T. et al. (July 2024). [VFCFinder: Pairing Security Advisories and Patches](http://enck.org/pubs/dunlap-asiaccs24.pdf)
-* Dunlap, T. et al. (November 2023). [VFCFinder: Seamlessly Pairing Security Advisories and Patches](https://arxiv.org/abs/2311.01532)
-* Bao, L. et al. (July 2022). [V-SZZ: automatic identification of version ranges affected by CVE vulnerabilities](https://dl.acm.org/doi/abs/10.1145/3510003.3510113)
-* Fan, J. et al. (September 2020). [A C/C++ Code Vulnerability Dataset with Code Changes and CVE Summaries](https://dl.acm.org/doi/abs/10.1145/3379597.3387501)
-* Zhang, J. et al. (January 2023). [A Survey of Learning-based Automated Program Repair](https://arxiv.org/abs/2301.03270)
-* Alzubaidi, L. et al. (April 2023). [A survey on deep learning tools dealing with data scarcity: definitions, challenges, solutions, tips, and applications](https://link.springer.com/article/10.1186/s40537-023-00727-2)
-* Sharma, T. et al. (December 2023). [A survey on machine learning techniques applied to source code](https://www.sciencedirect.com/science/article/pii/S0164121223003291)
-* Elder, S. et al. (April 2024). [A Survey on Software Vulnerability Exploitability Assessment](https://dl.acm.org/doi/abs/10.1145/3648610)
-* Aladics, T. et al. (March 2023). [An AST-based Code Change Representation and its Performance in Just-in-time Vulnerability Prediction](https://arxiv.org/abs/2303.16591)
-* Singhal, A., & Goel, P.K. (2023). [Analysis and Identification of Malicious Mobile Applications](https://ieeexplore.ieee.org/abstract/document/10428519)
-* Senanayake, J. et al. (July 2021). [Android Mobile Malware Detection Using Machine Learning: A Systematic Review](https://www.mdpi.com/2079-9292/10/13/1606)
-* Bui, Q-C. et al. (December 2023). [APR4Vul: an empirical study of automatic program repair techniques on real-world Java vulnerabilities](https://link.springer.com/article/10.1007/s10664-023-10415-7)
-* Senanayake, J. et al. (January 2023). [Android Source Code Vulnerability Detection: A Systematic Literature Review](https://dl.acm.org/doi/full/10.1145/3556974)
-* Reis, S. et al. (June 2023). [Are security commit messages informative? Not enough!](https://dl.acm.org/doi/abs/10.1145/3593434.3593481)
-* Anonymous authors. (2022). [Beyond syntax trees: learning embeddings of code edits by combining multiple source representations](https://openreview.net/pdf?id=H8qETo_W1-9)
-* Challande, A. et al. (April 2022). [Building a Commit-level Dataset of Real-world Vulnerabilities](https://dl.acm.org/doi/abs/10.1145/3508398.3511495)
-* Wang, S., & Nagappan, N. (July 2019). [Characterizing and Understanding Software Developer Networks in Security Development](https://arxiv.org/abs/1907.12141)
-* Harzevili, N. S. et al. (March 2022). [Characterizing and Understanding Software Security Vulnerabilities in Machine Learning Libraries](https://arxiv.org/abs/2203.06502)
-* Tate, S. R. et al. (2020). [Characterizing Vulnerabilities in a Major Linux Distribution](https://home.uncg.edu/cmp/faculty/srtate/pubs/vulnerabilities/Vulnerabilities-SEKE2020.pdf)
-* Zhang, L. et al. (January 2023). [Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects](https://arxiv.org/abs/2301.08434)
-* Lee, J.Y.D., & Chieu, H.L. (November 2021). [Co-training for Commit Classification](https://aclanthology.org/2021.wnut-1.43/)
-* Nikitopoulos, G. et al. (August 2021). [CrossVul: a cross-language vulnerability dataset with commit data](https://dl.acm.org/doi/10.1145/3468264.3473122)
-* Bhandari, G.P. (July 2021). [CVEfixes: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software](https://arxiv.org/abs/2107.08760)
-* Sonnekalb, T. et al. (October 2021). [Deep security analysis of program code](https://link.springer.com/article/10.1007/s10664-021-10029-x)
-* Triet, H.M. et al. (August 2021). [DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning](https://arxiv.org/abs/2108.08041)
-* Senanayake, J. et al. (May 2024). [Defendroid: Real-time Android code vulnerability detection via blockchain federated neural network with XAI](https://www.sciencedirect.com/science/article/pii/S2214212624000449)
-* Stefanoni, A. et al. (2022). [Detecting Security Patches in Java Projects Using NLP Technology](https://aclanthology.org/2022.icnlsp-1.6.pdf)
-* Okutan, A. et al. (May 2023). [Empirical Validation of Automated Vulnerability Curation and Characterization](https://s2e-lab.github.io/preprints/tse23-preprint.pdf)
-* Wang, J. et al. (October 2023). [Enhancing Large Language Models for Secure Code Generation: A Dataset-driven Study on Vulnerability Mitigation](https://arxiv.org/abs/2310.16263)
-* Bottner, L. et al. (December 2023). [Evaluation of Free and Open Source Tools for Automated Software Composition Analysis](https://dl.acm.org/doi/abs/10.1145/3631204.3631862)
-* Ganz, T. et al. (November 2021). [Explaining Graph Neural Networks for Vulnerability Discovery](https://dl.acm.org/doi/abs/10.1145/3474369.3486866)
-* Ram, A. et al. (November 2019). [Exploiting Token and Path-based Representations of Code for Identifying Security-Relevant Commits](https://arxiv.org/abs/1911.07620)
-* Md. Mostafizer Rahman, et al. (July 2023). [Exploring Automated Code Evaluation Systems and Resources for Code Analysis: A Comprehensive Survey](https://arxiv.org/abs/2307.08705)
-* Zhang, Y. et al. (October 2023). [How well does LLM generate security tests?](https://arxiv.org/abs/2310.00710)
-* Jing, D. (2022). [Improvement of Vulnerable Code Dataset Based on Program Equivalence Transformation](https://iopscience.iop.org/article/10.1088/1742-6596/2363/1/012010)
-* Wu, Y. et al. (May 2023). [How Effective Are Neural Networks for Fixing Security Vulnerabilities](https://arxiv.org/abs/2305.18607)
-* Yang, G. et al. (August 2021). [Few-Sample Named Entity Recognition for Security Vulnerability Reports by Fine-Tuning Pre-Trained Language Models](https://arxiv.org/abs/2108.06590)
-* Zhou, J. et al. (2021). [Finding A Needle in a Haystack: Automated Mining of Silent Vulnerability Fixes](https://ieeexplore.ieee.org/abstract/document/9678720)
-* Dunlap, T. et al. (2023). [Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis](https://ieeexplore.ieee.org/document/10190493)
-* Shestov, A. et al. (January 2024). [Finetuning Large Language Models for Vulnerability Detection](https://arxiv.org/abs/2401.17010)
-* Scalco, S. et al. (July 2024). [Hash4Patch: A Lightweight Low False Positive Tool for Finding Vulnerability Patch Commits](https://dl.acm.org/doi/10.1145/3643991.3644871)
-* Nguyen-Truong, G. et al. (July 2022). [HERMES: Using Commit-Issue Linking to Detect Vulnerability-Fixing Commits](https://ieeexplore.ieee.org/abstract/document/9825835)
-* Wang, J. et al. (July 2024). [Is Your AI-Generated Code Really Safe? Evaluating Large Language Models on Secure Code Generation with CodeSecEval](https://arxiv.org/abs/2407.02395)
-* Sawadogo, A.D. et al. (January 2020). [Learning to Catch Security Patches](https://arxiv.org/abs/2001.09148)
-* Tony, C. et al. (March 2023). [LLMSecEval: A Dataset of Natural Language Prompts for Security Evaluations](https://arxiv.org/abs/2303.09384)
-* Wang, S., & Naggapan, N. (July 2019). [Characterizing and Understanding Software Developer Networks in Security Development](https://www.researchgate.net/publication/334760102_Characterizing_and_Understanding_Software_Developer_Networks_in_Security_Development)
-* Chen, Z. et al. (April 2021). [Neural Transfer Learning for Repairing Security Vulnerabilities in C Code](https://arxiv.org/abs/2104.08308)
-* Papotti, A. et al. (September 2022). [On the acceptance by code reviewers of candidate security patches suggested by Automated Program Repair tools](https://arxiv.org/abs/2209.07211)
-* Mir, A.M. et al. (February 2024). [On the Effectiveness of Machine Learning-based Call Graph Pruning: An Empirical Study](https://arxiv.org/abs/2402.07294)
-* Dietrich, J. et al. (June 2023). [On the Security Blind Spots of Software Composition Analysis](https://arxiv.org/abs/2306.05534)
-* Triet H. M. Le., & Babar, A.M. (March 2022). [On the Use of Fine-grained Vulnerable Code Statements for Software Vulnerability Assessment Models](https://arxiv.org/abs/2203.08417)
-* Chapman, J., & Venugopalan, H. (January 2023). [Open Source Software Computed Risk Framework](https://ieeexplore.ieee.org/abstract/document/10000561)
-* Canfora, G. et al. (February 2022). [Patchworking: Exploring the code changes induced by vulnerability fixing activities](https://www.researchgate.net/publication/355561561_Patchworking_Exploring_the_code_changes_induced_by_vulnerability_fixing_activities)
-* Garg, S. et al. (June 2021). [PerfLens: a data-driven performance bug detection and fix platform](https://dl.acm.org/doi/abs/10.1145/3460946.3464318)
-* Coskun, T. et al. (November 2022). [Profiling developers to predict vulnerable code changes](https://dl.acm.org/doi/abs/10.1145/3558489.3559069)
-* Bhuiyan, M.H.M. et al. (July 2023). [SecBench.js: An Executable Security Benchmark Suite for Server-Side JavaScript](https://ieeexplore.ieee.org/abstract/document/10172577)
-* Reis, S. et al. (October 2022). [SECOM: towards a convention for security commit messages](https://dl.acm.org/doi/abs/10.1145/3524842.3528513)
-* Bennett, G. et al. (June 2024). [Semgrep*: Improving the Limited Performance of Static Application Security Testing (SAST) Tools](https://dl.acm.org/doi/abs/10.1145/3661167.3661262)
-* Chi, J. et al. (October 2020). [SeqTrans: Automatic Vulnerability Fix via Sequence to Sequence Learning](https://arxiv.org/abs/2010.10805)
-* Ahmed, A. et al. (May 2023). [Sequential Graph Neural Networks for Source Code Vulnerability Identification](https://arxiv.org/abs/2306.05375)
-* Sun, J. et al. (February 2023). [Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation](https://arxiv.org/abs/2302.07445)
-* Zhao, L. et al. (November 2023). [Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects](https://dl.acm.org/doi/10.1145/3611643.3616299)
-* Zhan, Q. et al. (January 2024). [Survey on Vulnerability Awareness of Open Source Software](https://www.jos.org.cn/josen/article/abstract/6935)
-* Li, X. et al. (March 2023). [The anatomy of a vulnerability database: A systematic mapping study](https://www.sciencedirect.com/science/article/pii/S0164121223000742)
-* Al Debeyan, F. et al. (February 2024). [The impact of hard and easy negative training data on vulnerability prediction performance☆](https://www.sciencedirect.com/science/article/pii/S0164121224000463)
-* Xu, C. et al. (December 2021). [Tracking Patches for Open Source Software Vulnerabilities](https://arxiv.org/abs/2112.02240)
-* Risse, N., & Böhme, M. (June 2023). [Uncovering the Limits of Machine Learning for Automatic Vulnerability Detection](https://arxiv.org/abs/2306.17193)
-* Xu, N. et al. (July 2023). [Understanding and Tackling Label Errors in Deep Learning-Based Vulnerability Detection (Experience Paper)](https://dl.acm.org/doi/abs/10.1145/3597926.3598037)
-* Wu, Y. et al. (July 2023). [Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem](https://ieeexplore.ieee.org/abstract/document/10172868)
-* Esposito, M., & Falessi, D. (March 2024). [VALIDATE: A deep dive into vulnerability prediction datasets](https://www.sciencedirect.com/science/article/pii/S0950584924000533)
-* Wang, S. et al. (July 2022). [VCMatch: A Ranking-based Approach for Automatic Security Patches Localization for OSS Vulnerabilities](https://ieeexplore.ieee.org/abstract/document/9825908)
-* Sun, Q. et al. (December 2022). [VERJava: Vulnerable Version Identification for Java OSS with a Two-Stage Analysis](https://ieeexplore.ieee.org/abstract/document/9978189)
-* Nguyen, S. et al. (September 2023). [VFFINDER: A Graph-based Approach for Automated Silent Vulnerability-Fix Identification](https://arxiv.org/abs/2309.01971)
-* Piran, A. et al. (March 2022). [Vulnerability Analysis of Similar Code](https://ieeexplore.ieee.org/abstract/document/9724745)
-* Keller, P. et al. (February 2020). [What You See is What it Means! Semantic Representation Learning of Code based on Visualization and Transfer Learning](https://arxiv.org/abs/2002.02650)
+* Aladics, T., Hegedüs, P., & Ferenc, R. (2022). [A Vulnerability Introducing Commit Dataset for Java: An Improved SZZ based Approach.](https://api.semanticscholar.org/CorpusID:250566828) International Conference on Software and Data Technologies
+* Bui, Q.-C., Scandariato, R., & Ferreyra, N. E. D. (2022). [Vul4J: a dataset of reproducible Java vulnerabilities geared towards the study of program repair techniques.](https://dl.acm.org/doi/abs/10.1145/3524842.3528482) Proceedings of the 19th International Conference on Mining Software Repositories, 464–468.
+* Sharma, T., Kechagia, M., Georgiou, S., Tiwari, R., Vats, I., Moazen, H., & Sarro, F. (2022). [A Survey on Machine Learning Techniques for Source Code Analysis.](http://arxiv.org/abs/2110.09610)
+* Hommersom, D., Sabetta, A., Coppola, B., Nucci, D. D., & Tamburri, D. A. (2024). [Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories.](https://dl.acm.org/doi/10.1145/3649590) ACM Trans. Softw. Eng. Methodol., 33(5).
+* Marchand-Melsom, A., & Nguyen Mai, D. B. (2020). [Automatic repair of OWASP Top 10 security vulnerabilities: A survey.](https://dl.acm.org/doi/10.1145/3387940.3392200) Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, 23–30. Presented at the Seoul, Republic of Korea.
+* Sawadogo, A. D., Guimard, Q., Bissyandé, T. F., Kaboré, A. K., Klein, J., & Moha, N. (2021). [Early Detection of Security-Relevant Bug Reports using Machine Learning: How Far Are We?](http://arxiv.org/abs/2112.10123)
+* Sun, S., Wang, S., Wang, X., Xing, Y., Zhang, E., & Sun, K. (2023). [Exploring Security Commits in Python.](http://arxiv.org/abs/2307.11853)
+* Reis, S., Abreu, R., & Cruz, L. (2021). [Fixing Vulnerabilities Potentially Hinders Maintainability.](http://arxiv.org/abs/2106.03271)
+* Andrade, R., & Santos, V. (2021). [Investigating vulnerability datasets.](https://sol.sbc.org.br/index.php/vem/article/view/17213) Anais Do IX Workshop de Visualização, Evolução e Manutenção de Software, 26–30. Presented at the Joinville.
+* Nguyen, T. G., Le-Cong, T., Kang, H. J., Widyasari, R., Yang, C., Zhao, Z., … Lo, D. (2023). [Multi-Granularity Detector for Vulnerability Fixes.](https://arxiv.org/abs/2305.13884)
+* Siddiq, M. L., & Santos, J. C. S. (2022). [SecurityEval dataset: mining vulnerability examples to evaluate machine learning-based code generation techniques.](https://dl.acm.org/doi/abs/10.1145/3549035.3561184) Proceedings of the 1st International Workshop on Mining Software Repositories Applications for Privacy and Security, 29–33. Presented at the Singapore, Singapore.]
+* Sawadogo, A. D., Bissyandé, T. F., Moha, N., Allix, K., Klein, J., Li, L., & Traon, Y. L. (2020). [Learning to Catch Security Patches.](https://arxiv.org/abs/2001.09148)
+* Dunlap, T., Lin, E., Enck, W., & Reaves, B. (2023). [VFCFinder: Seamlessly Pairing Security Advisories and Patches.](http://arxiv.org/abs/2311.01532)
+* Bao, L., Xia, X., Hassan, A. E., & Yang, X. (2022). [V-SZZ: automatic identification of version ranges affected by CVE vulnerabilities.](https://dl.acm.org/doi/10.1145/3510003.3510113) Proceedings of the 44th International Conference on Software Engineering, 2352–2364. Presented at the Pittsburgh, Pennsylvania.
+* Fan, J., Li, Y., Wang, S., & Nguyen, T. N. (2020). [A C/C++ Code Vulnerability Dataset with Code Changes and CVE Summaries.](https://dl.acm.org/doi/10.1145/3379597.3387501) Proceedings of the 17th International Conference on Mining Software Repositories, 508–512. Presented at the Seoul, Republic of Korea.
+* Zhang, Q., Fang, C., Ma, Y., Sun, W., & Chen, Z. (2023). [A Survey of Learning-based Automated Program Repair.](http://arxiv.org/abs/2301.03270)
+* Alzubaidi, L., Bai, J., Al-Sabaawi, A., Santamaría, J. I., Albahri, A. S., Al-dabbagh, B. S. N., … Gu, Y. (2023). [A survey on deep learning tools dealing with data scarcity: definitions, challenges, solutions, tips, and applications.](https://www.semanticscholar.org/paper/A-survey-on-deep-learning-tools-dealing-with-data-Alzubaidi-Bai/4a07ded5f56aa76c75e844f353e046414b427cc2) Journal of Big Data, 10, 1–82.
+* Sharma, T., Kechagia, M., Georgiou, S., Tiwari, R., Vats, I., Moazen, H., & Sarro, F. (2024). [A survey on machine learning techniques applied to source code.](https://discovery.ucl.ac.uk/id/eprint/10184342/) Journal of Systems and Software, 209, 111934.
+* Elder, S., Rahman, M. R., Fringer, G., Kapoor, K., & Williams, L. (2024). [A Survey on Software Vulnerability Exploitability Assessment.](https://dl.acm.org/doi/10.1145/3648610) ACM Comput. Surv., 56(8).
+* Aladics, T., Hegedűs, P., & Ferenc, R. (2023). [An AST-based Code Change Representation and its Performance in Just-in-time Vulnerability Prediction.](https://arxiv.org/abs/2303.16591)
+* Singhal, A., & Goel, P. K. (2023). [Analysis and Identification of Malicious Mobile Applications.](https://www.researchgate.net/publication/378257226_Analysis_and_Identification_of_Malicious_Mobile_Applications) 2023 3rd International Conference on Advancement in Electronics & Communication Engineering (AECE), 1045–1050.
+* Senanayake, J., Kalutarage, H., & Al-Kadri, M. O. (2021). [Android Mobile Malware Detection Using Machine Learning: A Systematic Review.](https://www.mdpi.com/2079-9292/10/13/1606) Electronics, 10(13).
+* Bui, Q.-C., Paramitha, R., Vu, D.-L., Massacci, F., & Scandariato, R. (12 2023). [APR4Vul: an empirical study of automatic program repair techniques on real-world Java vulnerabilities.](https://link.springer.com/article/10.1007/s10664-023-10415-7) Empirical Software Engineering, 29.
+* Senanayake, J., Kalutarage, H., Al-Kadri, M. O., Petrovski, A., & Piras, L. (2023). [Android Source Code Vulnerability Detection: A Systematic Literature Review.](https://dl.acm.org/doi/10.1145/3556974) ACM Comput. Surv., 55(9).
+* Reis, S., Abreu, R., & Pasareanu, C. (2023). [Are security commit messages informative? Not enough!](https://dl.acm.org/doi/10.1145/3593434.3593481) Proceedings of the 27th International Conference on Evaluation and Assessment in Software Engineering, 196–199. Presented at the Oulu, Finland.
+* [B EYOND SYNTAX TREES : LEARNING EMBEDDINGS OF CODE EDITS BY COMBINING MULTIPLE SOURCE REP - RESENTATIONS.](https://api.semanticscholar.org/CorpusID:249038879) (2022).
+* Challande, A., David, R., & Renault, G. (2022). [Building a Commit-level Dataset of Real-world Vulnerabilities.](https://dl.acm.org/doi/10.1145/3508398.3511495) Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy, 101–106. Presented at the Baltimore, MD, USA.
+* Wang, Song, & Nagappan, N. (2019). [Characterizing and Understanding Software Developer Networks in Security Development.](http://arxiv.org/abs/1907.12141)
+* Harzevili, N. S., Shin, J., Wang, J., & Wang, S. (2022). [Characterizing and Understanding Software Security Vulnerabilities in Machine Learning Libraries.](http://arxiv.org/abs/2203.06502)
+* Zhang, L., Liu, C., Xu, Z., Chen, S., Fan, L., Zhao, L., … Liu, Y. (2023). [Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects.](http://arxiv.org/abs/2301.08434)
+* Lee, J. Y. D., & Chieu, H. L. (2021, November). [Co-training for Commit Classification.](https://aclanthology.org/2021.wnut-1.43/)
+* In W. Xu, A. Ritter, T. Baldwin, & A. Rahimi (Eds.), [Proceedings of the Seventh Workshop on Noisy User-generated Text (W-NUT 2021)](https://aclanthology.org/volumes/2021.wnut-1/)
+* Nikitopoulos, G., Dritsa, K., Louridas, P., & Mitropoulos, D. (2021).[CrossVul: a cross-language vulnerability dataset with commit data.](https://dl.acm.org/doi/10.1145/3468264.3473122) Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 1565–1569. Presented at the Athens, Greece.
+* Bhandari, G., Naseer, A., & Moonen, L. (2021, August). [CVEfixes: automated collection of vulnerabilities and their fixes from open-source software.](https://arxiv.org/abs/2107.08760) Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering.
+* Sonnekalb, T., Heinze, T. S., & Mäder, P. (2022). [Deep security analysis of program code: A systematic literature review.](https://link.springer.com/article/10.1007/s10664-021-10029-x) Empirical Softw. Engg., 27(1).
+* Le, T. H. M., Hin, D., Croft, R., & Babar, M. A. (2021). [DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning.](http://arxiv.org/abs/2108.08041)
+* Senanayake, J., Kalutarage, H., Petrovski, A., Piras, L., & Al-Kadri, M. O. (2024). [Defendroid: Real-time Android code vulnerability detection via blockchain federated neural network with XAI.](https://www.sciencedirect.com/science/article/pii/S2214212624000449) Journal of Information Security and Applications, 82, 103741.
+* Stefanoni, A., Girdzijauskas, S., Jenkins, C., Kefato, Z. T., Sbattella, L., Scotti, V., & Wåreus, E. (2022). [Detecting Security Patches in Java Projects Using NLP Technology.](https://api.semanticscholar.org/CorpusID:256739262) International Conference on Natural Language and Speech Processing.
+* Okutan, A., Mell, P., Mirakhorli, M., Khokhlov, I., Santos, J. C. S., Gonzalez, D., & Simmons, S. (2023). [Empirical Validation of Automated Vulnerability Curation and Characterization.](https://ieeexplore.ieee.org/document/10056768) IEEE Transactions on Software Engineering, 49(5), 3241–3260.
+* Wang, J., Cao, L., Luo, X., Zhou, Z., Xie, J., Jatowt, A., & Cai, Y. (2023). [Enhancing Large Language Models for Secure Code Generation: A Dataset-driven Study on Vulnerability Mitigation.](http://arxiv.org/abs/2310.16263)
+* Bottner, L., Hermann, A., Eppler, J., Thüm, T., & Kargl, F. (2023). [Evaluation of Free and Open Source Tools for Automated Software Composition Analysis.](https://dl.acm.org/doi/abs/10.1145/3631204.3631862) Proceedings of the 7th ACM Computer Science in Cars Symposium. Presented at the Darmstadt, Germany.
+* Ganz, T., Härterich, M., Warnecke, A., & Rieck, K. (2021). [Explaining Graph Neural Networks for Vulnerability Discovery.](doi:10.1145/3474369.3486866) Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security, 145–156. Presented at the Virtual Event, Republic of Korea.
+* Ram, A., Xin, J., Nagappan, M., Yu, Y., Lozoya, R. C., Sabetta, A., & Lin, J. (2019). [Exploiting Token and Path-based Representations of Code for Identifying Security-Relevant Commits.](http://arxiv.org/abs/1911.07620)
+* Rahman, M. M., Watanobe, Y., Shirafuji, A., & Hamada, M. (2023). [Exploring Automated Code Evaluation Systems and Resources for Code Analysis: A Comprehensive Survey.](http://arxiv.org/abs/2307.08705)
+* Zhang, Y., Song, W., Ji, Z., Danfeng, Yao, & Meng, N. (2023). [How well does LLM generate security tests?](http://arxiv.org/abs/2310.00710)
+* Jing, D. (2022). [Improvement of Vulnerable Code Dataset Based on Program Equivalence Transformation.](https://iopscience.iop.org/article/10.1088/1742-6596/2363/1/012010/pdf) Journal of Physics: Conference Series, 2363(1), 012010.
+* Wu, Yi, Jiang, N., Pham, H. V., Lutellier, T., Davis, J., Tan, L., … Shah, S. (2023, July). [How Effective Are Neural Networks for Fixing Security Vulnerabilities.](https://arxiv.org/abs/2305.18607) Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis.
+* Yang, G., Dineen, S., Lin, Z., & Liu, X. (2021). [Few-Sample Named Entity Recognition for Security Vulnerability Reports by Fine-Tuning Pre-Trained Language Models.](http://arxiv.org/abs/2108.06590)
+* Zhou, J., Pacheco, M., Wan, Z., Xia, X., Lo, D., Wang, Y., & Hassan, A. E. (2021). [Finding A Needle in a Haystack: Automated Mining of Silent Vulnerability Fixes.](https://ieeexplore.ieee.org/document/9678720) 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), 705–716.
+* Dunlap, T., Thorn, S., Enck, W., & Reaves, B. (2023). [Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis.](https://ieeexplore.ieee.org/document/10190493) 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), 489–505.
+* Shestov, A., Levichev, R., Mussabayev, R., Maslov, E., Cheshkov, A., & Zadorozhny, P. (2024). [Finetuning Large Language Models for Vulnerability Detection.](http://arxiv.org/abs/2401.17010)
+* Scalco, S., & Paramitha, R. (2024). [Hash4Patch: A Lightweight Low False Positive Tool for Finding Vulnerability Patch Commits.](https://dl.acm.org/doi/10.1145/3643991.3644871) Proceedings of the 21st International Conference on Mining Software Repositories, 733–737. Presented at the Lisbon, Portugal.
+* Nguyen-Truong, G., Kang, H. J., Lo, D., Sharma, A., Santosa, A. E., Sharma, A., & Ang, M. Y. (2022). [HERMES: Using Commit-Issue Linking to Detect Vulnerability-Fixing Commits.](https://ieeexplore.ieee.org/document/9825835) 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 51–62.
+* Wang, J., Luo, X., Cao, L., He, H., Huang, H., Xie, J., … Cai, Y. (2024). [Is Your AI-Generated Code Really Safe? Evaluating Large Language Models on Secure Code Generation with CodeSecEval.](http://arxiv.org/abs/2407.02395)
+* Tony, C., Mutas, M., Ferreyra, N. E. D., & Scandariato, R. (2023). [LLMSecEval: A Dataset of Natural Language Prompts for Security Evaluations.](http://arxiv.org/abs/2303.09384)
+* Chen, Z., Kommrusch, S., & Monperrus, M. (2023). [Neural Transfer Learning for Repairing Security Vulnerabilities in C Code.](https://ieeexplore.ieee.org/document/9699412) IEEE Transactions on Software Engineering, 49(1), 147–165.
+* Papotti, A., Paramitha, R., & Massacci, F. (2022). [On the acceptance by code reviewers of candidate security patches suggested by Automated Program Repair tools.](http://arxiv.org/abs/2209.07211)
+* Mir, A. M., Keshani, M., & Proksch, S. (2024). [On the Effectiveness of Machine Learning-based Call Graph Pruning: An Empirical Study.](http://arxiv.org/abs/2402.07294)
+* Dietrich, J., Rasheed, S., Jordan, A., & White, T. (2023). [On the Security Blind Spots of Software Composition Analysis.](http://arxiv.org/abs/2306.05534)
+* Le, T. H. M., & Babar, M. A. (2022). [On the Use of Fine-grained Vulnerable Code Statements for Software Vulnerability Assessment Models.](http://arxiv.org/abs/2203.08417)
+* Chapman, J., & Venugopalan, H. (2022). [Open Source Software Computed Risk Framework.](https://www.bibsonomy.org/bibtex/1c114d6756c609391db2f66919f237261) 2022 IEEE 17th International Conference on Computer Sciences and Information Technologies (CSIT), 172–175.
+* Canfora, G., Di Sorbo, A., Forootani, S., Martinez, M., & Visaggio, C. A. (2022). [Patchworking: Exploring the code changes induced by vulnerability fixing activities.](https://www.sciencedirect.com/science/article/abs/pii/S0950584921001932) Information and Software Technology, 142, 106745.
+* Garg, S., Moghaddam, R. Z., Sundaresan, N., & Wu, C. (2021). [PerfLens: a data-driven performance bug detection and fix platform.](https://dl.acm.org/doi/10.1145/3460946.3464318) Proceedings of the 10th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis, 19–24. Presented at the Virtual, Canada.
+* Coskun, T., Halepmollasi, R., Hanifi, K., Fouladi, R. F., De Cnudde, P. C., & Tosun, A. (2022). [Profiling developers to predict vulnerable code changes.](https://dl.acm.org/doi/10.1145/3558489.3559069) Proceedings of the 18th International Conference on Predictive Models and Data Analytics in Software Engineering, 32–41. Presented at the Singapore, Singapore.
+* Bhuiyan, M. H. M., Parthasarathy, A. S., Vasilakis, N., Pradel, M., & Staicu, C.-A. (2023). [SecBench.js: An Executable Security Benchmark Suite for Server-Side JavaScript.](https://ieeexplore.ieee.org/document/10172577) 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE), 1059–1070.
+* Reis, S., Abreu, R., Erdogmus, H., & Păsăreanu, C. (2022). [SECOM: towards a convention for security commit messages.](https://dl.acm.org/doi/abs/10.1145/3524842.3528513) Proceedings of the 19th International Conference on Mining Software Repositories, 764–765. Presented at the Pittsburgh, Pennsylvania.
+* Bennett, G., Hall, T., Winter, E., & Counsell, S. (2024). [Semgrep*: Improving the Limited Performance of Static Application Security Testing (SAST) Tools.](https://dl.acm.org/doi/10.1145/3661167.3661262) Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, 614–623. Presented at the Salerno, Italy.
+* Chi, J., Qu, Y., Liu, T., Zheng, Q., & Yin, H. (2022). [SeqTrans: Automatic Vulnerability Fix via Sequence to Sequence Learning.](http://arxiv.org/abs/2010.10805)
+* Ahmed, A., Said, A., Shabbir, M., & Koutsoukos, X. (2023). [Sequential Graph Neural Networks for Source Code Vulnerability Identification.](http://arxiv.org/abs/2306.05375)
+* Sun, J., Xing, Z., Lu, Q., Xu, X., Zhu, L., Hoang, T., & Zhao, D. (2023). [Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation.](http://arxiv.org/abs/2302.07445)
+* Zhao, L., Chen, S., Xu, Z., Liu, C., Zhang, L., Wu, J., … Liu, Y. (2023). [Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects.](https://dl.acm.org/doi/10.1145/3611643.3616299) Proceedings of the 31st ACM Joint European Software Engineering Conference and * Symposium on the Foundations of Software Engineering, 960–972. Presented at the San Francisco, CA, USA.
+* ZHAN, Q., PAN S-Y., HU X., BAO L-F., XIA, X. (2024). [Survey on Vulnerability Awareness of Open Source Software.](https://www.jos.org.cn/josen/article/abstract/6935) Journal of Software, 35(1), 19.
+* Li, X., Moreschini, S., Zhang, Z., Palomba, F., & Taibi, D. (2023). [The anatomy of a vulnerability database: A systematic mapping study.](https://www.sciencedirect.com/science/article/pii/S0164121223000742) Journal of Systems and Software, 201, 111679.
+* Al Debeyan, F., Madeyski, L., Hall, T., & Bowes, D. (2024). [The impact of hard and easy negative training data on vulnerability prediction performance.](https://www.sciencedirect.com/science/article/pii/S0164121224000463) Journal of Systems and Software, 211, 112003.
+* Xu, C., Chen, B., Lu, C., Huang, K., Peng, X., & Liu, Y. (2023). [Tracking Patches for Open Source Software Vulnerabilities.](http://arxiv.org/abs/2112.02240)
+* Risse, N., & Böhme, M. (2024). [Uncovering the Limits of Machine Learning for Automatic Vulnerability Detection.](http://arxiv.org/abs/2306.17193)
+* Nie, X., Li, N., Wang, K., Wang, S., Luo, X., & Wang, H. (2023). [Understanding and Tackling Label Errors in Deep Learning-Based Vulnerability Detection (Experience Paper).](https://dl.acm.org/doi/10.1145/3597926.3598037) Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, 52–63. Presented at the Seattle, WA, USA.
+* Wu, Yulun, Yu, Z., Wen, M., Li, Q., Zou, D., & Jin, H. (2023). [Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem.](https://dl.acm.org/doi/10.1109/ICSE48619.2023.00095) 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE), 1046–1058.
+* Esposito, M., & Falessi, D. (2024). [VALIDATE: A deep dive into vulnerability prediction datasets.](https://dl.acm.org/doi/abs/10.1016/j.infsof.2024.107448) Information and Software Technology, 170, 107448.
+* Wang, Shichao, Zhang, Y., Bao, L., Xia, X., & Wu, M. (2022). [VCMatch: A Ranking-based Approach for Automatic Security Patches Localization for OSS Vulnerabilities.](https://ieeexplore.ieee.org/document/9825908) 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 589–600.
+* Sun, Q., Xu, L., Xiao, Y., Li, F., Su, H., Liu, Y., … Huo, W. (2022). [VERJava: Vulnerable Version Identification for Java OSS with a Two-Stage Analysis.](https://ieeexplore.ieee.org/document/9978189) 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME), 329–339.
+* Nguyen, S., Vu, T. T., & Vo, H. D. (2023). [VFFINDER: A Graph-based Approach for Automated Silent Vulnerability-Fix Identification.](http://arxiv.org/abs/2309.01971)
+* Piran, A., Chang, C.-P., & Fard, A. M. (2021). [Vulnerability Analysis of Similar Code.](https://ieeexplore.ieee.org/document/9724745) 2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS), 664–671.
+* Keller, P., Plein, L., Bissyandé, T. F., Klein, J., & Traon, Y. L. (2020). [What You See is What it Means! Semantic Representation Learning of Code based on Visualization and Transfer Learning.](http://arxiv.org/abs/2002.02650)
+* Akhoundali, J., Nouri, S. R., Rietveld, K., & Gadyatskaya, O. (2024). [MoreFixes: A Large-Scale Dataset of CVE Fix Commits Mined through Enhanced Repository Discovery.](https://dl.acm.org/doi/10.1145/3663533.3664036) Proceedings of the 20th International Conference on Predictive Models and Data Analytics in Software Engineering, 42–51. Presented at the Porto de Galinhas, Brazil.
## Star History
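Review bot: several entries in the new publication list carry citation-manager export artifacts that will render badly and should be cleaned before merge. The Siddiq & Santos entry ends with a stray `]` after "Singapore, Singapore."; the "B EYOND SYNTAX TREES : ... REP - RESENTATIONS" entry has a spaced-out, hyphen-split title and lost the authorship the removed line had (`Anonymous authors. (2022)`); the Lee & Chieu entry is split across two bullets, the second starting `* In W. Xu, A. Ritter, T. Baldwin, & A. Rahimi (Eds.),`; the Ganz et al. link target `doi:10.1145/3474369.3486866` is not a URL and will not resolve in GitHub markdown (use `https://doi.org/10.1145/3474369.3486866`); the Zhao et al. venue contains a stray `*` ("Conference and * Symposium"); `(2021).[CrossVul` is missing a space; `(12 2023)` on the APR4Vul entry should be `(2023)` like the rest; and the ZHAN et al. entry uses a different author format (all caps, no ampersand) from every other line. Two further points: Sharma et al. now appears twice, once as the 2022 arXiv preprint and once as the 2024 Journal of Systems and Software version of the same survey, so keep one unless both are cited on purpose; and the recurring "Presented at the Seoul, Republic of Korea" phrasing is an exporter artifact ("Presented at" followed by a city), so either drop "the" or drop the clause. On the plus side, the duplicated Wang & Nagappan entry from the old list (present twice with different links) is now a single entry.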
From 648800aaaca55d22cbaf6742440a54b0fec189fd Mon Sep 17 00:00:00 2001
From: Adrien Linares <76013394+adlina1@users.noreply.github.com>
Date: Fri, 19 Jul 2024 15:08:16 +0200
Subject: [PATCH 5/8] ToC: removed level 3 heading, excluded Description
as description is already on top of the md file
---
README.md | 31 +++++++++++++------------------
1 file changed, 13 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index 19f491e20..9dc272c85 100644
--- a/README.md
+++ b/README.md
@@ -10,21 +10,16 @@
[![Pytest](https://github.com/SAP/project-kb/actions/workflows/python.yml/badge.svg)](https://github.com/SAP/project-kb/actions/workflows/python.yml)
# Table of contents
-1. [Description](#desc)
-2. [Motivations](#motiv)
-3. [Kaybee](#kaybee)
-4. [Prospector](#prosp)
-5. [Vulnerability data](#vuldata)
-6. [Publications](#publi)
-7. [Star history](#starhist)
-8. [Credits](#credit)
-9. [EU funded research projects](#eu_funded)
-10. [Vulnerability data sources](#vul_data)
-11. [Limitations and known issues](#limit)
-12. [Support](#support)
-13. [Contributing](#contrib)
-
-## Description
+1. [Kaybee](#kaybee)
+2. [Prospector](#prosp)
+3. [Vulnerability data](#vuldata)
+4. [Publications](#publi)
+5. [Star history](#starhist)
+6. [Limitations and known issues](#limit)
+7. [Support](#support)
+8. [Contributing](#contrib)
+
+## Description
The goal of `Project KB` is to enable the creation, management and aggregation of a
distributed, collaborative knowledge base of vulnerabilities affecting
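Review bot: the commit message says Description is dropped from the ToC because the description is already at the top of the file, but in this hunk `# Table of contents` still precedes `## Description`, so the description is not on top; either keep the Description entry or move the ToC block below the Description section. The message also only mentions removing level-3 headings, yet the level-2 `## Credits` entry is removed as well; keep `Credits` in the list or say so in the message. Minor: `# Table of contents` is a level-1 heading in a file whose sections are all level 2, so `## Table of contents` would keep the heading hierarchy consistent.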
@@ -34,7 +29,7 @@ open-source software.
as well as set of tools to support the mining, curation and management of such data.
-### Motivations
+### Motivations
In order to feed [Eclipse Steady](https://github.com/eclipse/steady/) with fresh
data, we have spent a considerable amount of time, in the past few years, mining
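Review bot: the `-### Motivations` / `+### Motivations` pair is identical in the visible text, so the change is either trailing whitespace or an inline HTML anchor that the diff does not show; if it is whitespace only, drop the hunk, and if it removes an explicit anchor, that matches Motivations no longer being listed in the ToC. For the entries that remain (`#kaybee`, `#prosp`, `#vuldata`, `#publi`, `#starhist`, `#limit`, `#support`, `#contrib`), each target heading needs a matching explicit anchor, because GitHub derives fragments from the heading text (e.g. `## Star History` becomes `#star-history`, not `#starhist`); this series does not show those anchors, so verify every ToC link resolves before merging.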
@@ -213,7 +208,7 @@ ___
## Credits
-### EU-funded research projects
+### EU-funded research projects
The development of Project KB is partially supported by the following projects:
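Review bot: as with the Motivations heading, the removed and added `### EU-funded research projects` lines are identical as displayed; removing an explicit anchor here is consistent with the `#eu_funded` ToC entry being dropped, and the same applies to the `### Vulnerability data sources` hunk that follows. The `## Credits` heading shown as context is not touched, however, even though its `#credit` ToC entry was removed in the first hunk; check whether that heading still carries a now-unused anchor and treat it the same way.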
@@ -221,7 +216,7 @@ The development of Project KB is partially supported by the following projects:
* [AssureMOSS](https://assuremoss.eu) (Grant No. 952647).
* [Sparta](https://www.sparta.eu/) (Grant No. 830892).
-### Vulnerability data sources
+### Vulnerability data sources
Vulnerability information from NVD and MITRE might have been used as input
for building parts of this knowledge base. See MITRE's [CVE Usage license](http://cve.mitre.org/about/termsofuse.html) for more information.
From e34ac297f1973060f11f27dfb7725f4c9a7395eb Mon Sep 17 00:00:00 2001
From: Adrien Linares <76013394+adlina1@users.noreply.github.com>
Date: Fri, 19 Jul 2024 15:53:12 +0200
Subject: [PATCH 6/8] Added two more papers
---
README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 9dc272c85..fa76ff963 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,8 @@ ___
**Papers citing our work**
* Aladics, T., Hegedüs, P., & Ferenc, R. (2022). [A Vulnerability Introducing Commit Dataset for Java: An Improved SZZ based Approach.](https://api.semanticscholar.org/CorpusID:250566828) International Conference on Software and Data Technologies
* Bui, Q.-C., Scandariato, R., & Ferreyra, N. E. D. (2022). [Vul4J: a dataset of reproducible Java vulnerabilities geared towards the study of program repair techniques.](https://dl.acm.org/doi/abs/10.1145/3524842.3528482) Proceedings of the 19th International Conference on Mining Software Repositories, 464–468.
+* S. R. Tate, M. Bollinadi, and J. Moore. (2020). [Characterizing Vulnerabilities in a Major Linux Distribution](https://home.uncg.edu/cmp/faculty/srtate/pubs/vulnerabilities/Vulnerabilities-SEKE2020.pdf) 32nd International Conference on Software Engineering \& Knowledge Engineering (SEKE), pp. 538-543.
+* Galvão, P. (2022). [Analysis and Aggregation of Vulnerability Databases with Code-Level Data. Dissertation de Master's Degree.](https://repositorio-aberto.up.pt/bitstream/10216/144796/2/588886.pdf) Faculdade de Engenharia da Universidade do Porto.
* Sharma, T., Kechagia, M., Georgiou, S., Tiwari, R., Vats, I., Moazen, H., & Sarro, F. (2022). [A Survey on Machine Learning Techniques for Source Code Analysis.](http://arxiv.org/abs/2110.09610)
* Hommersom, D., Sabetta, A., Coppola, B., Nucci, D. D., & Tamburri, D. A. (2024). [Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories.](https://dl.acm.org/doi/10.1145/3649590) ACM Trans. Softw. Eng. Methodol., 33(5).
* Marchand-Melsom, A., & Nguyen Mai, D. B. (2020). [Automatic repair of OWASP Top 10 security vulnerabilities: A survey.](https://dl.acm.org/doi/10.1145/3387940.3392200) Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, 23–30. Presented at the Seoul, Republic of Korea.
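Review bot: the two added entries do not follow the citation style of the surrounding list. The Tate et al. entry puts initials before surnames ("S. R. Tate, M. Bollinadi, and J. Moore.") where every other entry uses "Surname, I." order, escapes the ampersand as `\&` (unnecessary in Markdown), uses a hyphen in the page range "538-543" where the other entries use an en dash, and has no period after the linked title. The Galvão entry mixes French and English ("Dissertation de Master's Degree"); "Master's dissertation" is the English phrase, and it belongs after the linked title rather than inside the link text, e.g. "[Analysis and Aggregation of Vulnerability Databases with Code-Level Data.](...) Master's dissertation, Faculdade de Engenharia da Universidade do Porto."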
From 00f2c982953086ae26fa09d48156bfd5a7a547bc Mon Sep 17 00:00:00 2001
From: Adrien Linares <76013394+adlina1@users.noreply.github.com>
Date: Fri, 19 Jul 2024 16:36:10 +0200
Subject: [PATCH 7/8] One paper added
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index fa76ff963..df8d946ca 100644
--- a/README.md
+++ b/README.md
@@ -104,6 +104,7 @@ scripts described in that paper](MSR2019)
___
**Our papers related to Project KB**
+* Sabetta, A., Ponta, S. E., Cabrera Lozoya, R., Bezzi, M., Sacchetti, T., Greco, M., … Massacci, F. (2024). [Known Vulnerabilities of Open Source Projects: Where Are the Fixes?](https://ieeexplore.ieee.org/document/10381645) IEEE Security & Privacy, 22(2), 49–59.
* Dann, A., Plate, H., Hermann, B., Ponta, S., & Bodden, E. (2022). [Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite.](https://ris.uni-paderborn.de/record/31132) IEEE Transactions on Software Engineering, 48(09), 3613–3625.
* Cabrera Lozoya, R., Baumann, A., Sabetta, A., & Bezzi, M. (2021). [Commit2Vec: Learning Distributed Representations of Code Changes.](https://link.springer.com/article/10.1007/s42979-021-00566-z) SN Computer Science, 2(3).
* Fehrer, T., Lozoya, R. C., Sabetta, A., Nucci, D. D., & Tamburri, D. A. (2021). [Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers.](http://arxiv.org/abs/2105.03346) EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering
From 67004b5fde221f8b564499a2747a549ebad320c6 Mon Sep 17 00:00:00 2001
From: Adrien Linares <76013394+adlina1@users.noreply.github.com>
Date: Fri, 19 Jul 2024 22:36:59 +0200
Subject: [PATCH 8/8] Corrected reference date of a paper
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index df8d946ca..340f59104 100644
--- a/README.md
+++ b/README.md
@@ -104,10 +104,10 @@ scripts described in that paper](MSR2019)
___
**Our papers related to Project KB**
-* Sabetta, A., Ponta, S. E., Cabrera Lozoya, R., Bezzi, M., Sacchetti, T., Greco, M., … Massacci, F. (2024). [Known Vulnerabilities of Open Source Projects: Where Are the Fixes?](https://ieeexplore.ieee.org/document/10381645) IEEE Security & Privacy, 22(2), 49–59.
+* Sabetta, A., Ponta, S. E., Cabrera Lozoya, R., Bezzi, M., Sacchetti, T., Greco, M., … Massacci, F. (2024). [Known Vulnerabilities of Open Source Projects: Where Are the Fixes?](https://ieeexplore.ieee.org/document/10381645) IEEE Security & Privacy, 22(2), 49–59.
+* Fehrer, T., Lozoya, R. C., Sabetta, A., Nucci, D. D., & Tamburri, D. A. (2024). [Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers.](http://arxiv.org/abs/2105.03346) EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering
* Dann, A., Plate, H., Hermann, B., Ponta, S., & Bodden, E. (2022). [Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite.](https://ris.uni-paderborn.de/record/31132) IEEE Transactions on Software Engineering, 48(09), 3613–3625.
* Cabrera Lozoya, R., Baumann, A., Sabetta, A., & Bezzi, M. (2021). [Commit2Vec: Learning Distributed Representations of Code Changes.](https://link.springer.com/article/10.1007/s42979-021-00566-z) SN Computer Science, 2(3).
-* Fehrer, T., Lozoya, R. C., Sabetta, A., Nucci, D. D., & Tamburri, D. A. (2021). [Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers.](http://arxiv.org/abs/2105.03346) EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering
* Ponta, S. E., Fischer, W., Plate, H., & Sabetta, A. (2021). [The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application.](https://www.computer.org/csdl/proceedings-article/icsme/2021/288200a555/1yNhfKb2TBe) 2021 IEEE International Conference on Software Maintenance and Evolution (ICSME)
* Iannone, E., Nucci, D. D., Sabetta, A., & De Lucia, A. (2021). [Toward Automated Exploit Generation for Known Vulnerabilities in Open-Source Libraries.](https://ieeexplore.ieee.org/document/9462983) 2021 IEEE/ACM 29th International Conference on Program Comprehension (ICPC), 396–400.
* Ponta, S. E., Plate, H., & Sabetta, A. (2020). [Detection, assessment and mitigation of vulnerabilities in open source dependencies.](https://api.semanticscholar.org/CorpusID:220259876) Empirical Software Engineering, 25, 3175–3215.
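Review bot: the Sabetta et al. line is deleted and re-added unchanged (the diffstat reports 2 insertions and 2 deletions for what is a one-line date fix), which points to a whitespace or line-ending-only change; drop it so the hunk carries only the Fehrer correction. For the corrected entry, the year is now 2024 and the venue EASE '24, but the link still targets the 2021 arXiv preprint (2105.03346); link the proceedings version if one is available, or label the link as the preprint. That entry is also the only one in the list without a trailing period and page numbers after the venue.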