VulSD: Cross-domain Vulnerability Detection Using Static code Metrics and Dependency Analysis for C, C#, and Java
Author: Muhammed Maruf Ozturk
Journal: International Journal of Engineering and Manufacturing @ijem
Article in issue: 3 vol.16, 2026.
Free access
Vulnerability detection (VD) is a preventive approach for performing rigorous maintenance on software projects. In cross-domain settings, in-domain methods cannot achieve high VD performance due to differences in data distribution and labeling. Existing cross-domain VD methods suffer from the following limitations: 1) they require matrix transformation to meet sequence embedding criteria; 2) feature matching relies on effort-intensive graph-based analysis that results in high computational cost; 3) each cross-domain solver is generally designed for a specific programming language, preventing a global domain adapter. To address these problems, we present VulSD (Vulnerability detector using Static and Dynamic analysis), a cross-domain approach based on static code metrics and dependency analysis. Unlike existing methods, VulSD combines an embedding matrix produced by Word2Vec with static and dynamic code features. Additionally, VulSD employs Spearman analysis to convert constant features for compatibility with the training process. Finally, a deep learning model is established using the R deepnet library. VulSD achieves an average accuracy of 84.2% on large benchmark datasets (DiverseVul, Devign) and 70-77% on real-world project datasets. Performance varies across targets, with best results on C/C++ benchmarks and more modest gains on mixed-language and smaller project datasets.
Vulnerability detection, static code metrics, dependency analysis, domain adaptation, cross-domain
Short URL: https://sciup.org/15020489
IDR: 15020489 | DOI: 10.5815/ijem.2026.03.06