Vulnerability detection is a critical problem in software security and attracts growing attention from both academia and industry. Traditionally, software security is safeguarded by designated rule-based detectors that heavily rely on empirical expertise, requiring tremendous effort from software experts to generate rule repositories for large code corpora. Recent advances in deep learning, especially Graph Neural Networks (GNN), have uncovered the feasibility of automatic detection of a wide range of software vulnerabilities. However, prior learning-based works either break programs down into a sequence of word tokens to extract contextual features of code, or apply GNNs largely to homogeneous graph representations (e.g., AST) without discerning the complex types of underlying program entities (e.g., methods, variables). In this work, we are one of the first to explore heterogeneous graph representation in the form of the Code Property Graph and to adapt a well-known heterogeneous graph network with a dual-supervisor structure for the corresponding graph learning task. Using the prototype built, we have conducted extensive experiments on both synthetic datasets and real-world projects. Compared with the state-of-the-art baselines, the results demonstrate promising effectiveness in this research direction in terms of vulnerability detection performance (average F1 improvements over 10% in real-world projects) and transferability from C/C++ to other programming languages (average F1 improvements over 11%).
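The contrast the abstract draws, between type-blind aggregation over a homogeneous graph and relation-aware aggregation over a heterogeneous Code Property Graph, can be seen on a toy graph. The example below is added here and is not the paper's model: it builds a constructed, trimmed CPG for a small C function with typed nodes (METHOD, PARAM, LOCAL, CALL, IDENTIFIER) and typed edges (AST, CFG, REACHING_DEF), and runs one layer of message passing where each relation gets its own transform; a cyclic shift stands in for the learned per-relation weight matrix. Two IDENTIFIER nodes that both hang off the same LOCAL, one via AST and one via REACHING_DEF, collapse to the same embedding under type-blind aggregation but are distinguished once edge types are respected.

```python
# Added illustration: one layer of relation-aware message passing over a tiny
# Code Property Graph (CPG) with typed nodes and typed edges, contrasted with
# type-blind aggregation. Not the paper's model; a minimal instance of the idea.

NODE_TYPES = ["METHOD", "PARAM", "LOCAL", "CALL", "IDENTIFIER"]
RELATIONS = ["AST", "CFG", "REACHING_DEF"]
D = len(NODE_TYPES)

# Constructed, trimmed CPG for:  void f(char *src) { char buf[8]; strcpy(buf, src); }
# Node 5 is 'buf' inside its declaration; node 6 is 'buf' at the call site.
NODES = {1: "METHOD", 2: "PARAM", 3: "LOCAL", 4: "CALL", 5: "IDENTIFIER", 6: "IDENTIFIER"}
EDGES = [
    (1, 2, "AST"), (1, 3, "AST"), (1, 4, "AST"),  # syntax structure
    (3, 4, "CFG"),                                # control flow: declaration -> call
    (3, 5, "AST"),                                # declared name is an AST child of the LOCAL
    (3, 6, "REACHING_DEF"),                       # call-site use is reached by that definition
]

def one_hot(node_type):
    """Initial feature: one-hot of the entity type (a heterogeneous node feature)."""
    return [1 if t == node_type else 0 for t in NODE_TYPES]

def relation_weight(relation, relation_aware):
    """Per-relation transform W_r. A cyclic shift whose offset depends on the relation
    stands in for a learned matrix; the type-blind variant applies the identity to
    every relation, i.e. it cannot tell AST from REACHING_DEF."""
    shift = RELATIONS.index(relation) if relation_aware else 0
    return lambda h: [h[(i - shift) % D] for i in range(D)]

def message_passing_layer(nodes, edges, relation_aware=True):
    """h'_v = h_v + sum over incoming edges (u -> v, r) of W_r h_u."""
    h = {v: one_hot(t) for v, t in nodes.items()}
    out = {v: list(vec) for v, vec in h.items()}  # self-connection
    for src, dst, rel in edges:
        msg = relation_weight(rel, relation_aware)(h[src])
        out[dst] = [a + b for a, b in zip(out[dst], msg)]
    return out

def contrast():
    """Return (relation-aware embeddings, type-blind embeddings) for the toy CPG."""
    hetero = message_passing_layer(NODES, EDGES, relation_aware=True)
    homo = message_passing_layer(NODES, EDGES, relation_aware=False)
    return hetero, homo

if __name__ == "__main__":
    hetero, homo = contrast()
    for v in (5, 6):
        print(v, "relation-aware:", hetero[v], "type-blind:", homo[v])
```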