Vulnerability detection is a critical problem in software security and attracts growing attention from both academia and industry. Traditionally, software security is safeguarded by designated rule-based detectors that rely heavily on empirical expertise, requiring tremendous effort from software experts to generate rule repositories for large code corpora. Recent advances in deep learning, especially Graph Neural Networks (GNNs), have uncovered the feasibility of automatically detecting a wide range of software vulnerabilities. However, prior learning-based works either only break programs down into a sequence of word tokens to extract contextual features of code, or apply GNNs largely to homogeneous graph representations (e.g., AST) without discerning the complex types of the underlying program entities (e.g., methods, variables). In this work, we are among the first to explore a heterogeneous graph representation in the form of the Code Property Graph, and we adapt a well-known heterogeneous graph network with a dual-supervisor structure for the corresponding graph learning task. Using the prototype we built, we have conducted extensive experiments on both synthetic datasets and real-world projects. Compared with the state-of-the-art baselines, the results demonstrate promising effectiveness in this research direction in terms of vulnerability detection performance (average F1 improvements over 10% in real-world projects) and transferability from C/C++ to other programming languages (average F1 improvements over 11%).