publications

2025

1. Interpretable Vulnerability Reports

   Claudia Mamede, José Campos, Claire Le Goues, and 1 more author

   Nov 2025

   ✅ Accepted at ASE’25 🇰🇷

   Abs PDF

   Software security faces a persistent gap: static analysis tools detect vulnerabilities effectively, but their technical outputs remain inaccessible to most developers. This leads to mounting security debt, as organizations must rely on security specialists for remediation, creating bottlenecks that delay fixes. This paper proposes an interpretability convention and a modular workflow that transforms raw static analyzer outputs into clear, actionable vulnerability reports for all developers, not just security experts. Our tool, secgen, automates the workflow by parsing static analyzer outputs and restructuring them into clear, developer-friendly reports based on our convention, and enforcing compliance through automated validation. We validated our approach through a user study with 25 developers, comparing our interpretable reports to other state-of-the-art static analyzer outputs. The results suggest that developers using interpretable reports detect, understand and fix vulnerabilities more effectively, requiring only 67% of the time typically spent with traditional reports while writing more correct fixes. Key reasons for this include participants’ preference for structured reports, with clear vulnerability descriptions and actionable fix suggestions.

2024

1. Are Large Language Models Memorizing Bug Benchmarks?

   Daniel Ramos, Claudia Mamede, Kush Jain, and 3 more authors

   Jul 2024

   ✅ Accepted 🏆 Won Best Paper Award at LLM4Code (co-located with ICSE25) 🇨🇦

   PDF

2023

1. Interpreting Deep Learning Models Fine-tuned For Detecting Vulnerabilities Related To Missing Code

   Cláudia Mamede, Claire Le Goues, José Campos, and 1 more author

   Dec 2023

   PDF
2. An Empirical Evaluation of Explainable AI For Vulnerability Detection and Localization

   Cláudia Mamede, Claire Le Goues, José Campos, and 1 more author

   Dec 2023

   🏆 Best Poster Award

   PDF

2022

1. A Transformer-Based IDE Plugin for Vulnerability Detection

   Cláudia Mamede, Eduard Pinconschi, and Rui Abreu

   In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, Dec 2022

   Abs PDF

   Automatic vulnerability detection is of paramount importance to promote the security of an application and should be exercised at the earliest stages within the software development life cycle (SDLC) to reduce the risk of exposure. Despite the advancements with state-of-the-art deep learning techniques in software vulnerability detection, the development environments are not yet leveraging their performance. In this work, we integrate the Transformers architecture, one of the main highlights of advances in deep learning for Natural Language Processing, within a developer-friendly tool for code security. We introduce VDet for Java, a transformer-based VS Code extension that enables one to discover vulnerabilities in Java files. Our preliminary model evaluation presents an accuracy of 98.9% for multi-label classification and can detect up to 21 vulnerability types. The demonstration of our tool can be found at https://youtu.be/OjiUBQ6TdqE, and source code and datasets are available at https://github.com/TQRG/VDET-for-Java.

2. Exploring Transformers for Multi-Label Classification of Java Vulnerabilities

   Cláudia Mamede, Eduard Pinconschi, Rui Abreu, and 1 more author

   In 2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS), Dec 2022