Comprehensive Resource Repository for Large Language Models in Software Vulnerability Detection: A Systematic Review from Theory to Practice

This article introduces the Awesome-LLMs-for-Vulnerability-Detection project, a resource repository systematically organizing the applications of large language models (LLMs) in software vulnerability detection. It covers relevant papers, datasets, tools, and benchmark tests, providing a one-stop reference for security researchers and developers. The project aims to address the limitations of traditional vulnerability detection methods and become a knowledge hub in this field by integrating LLM-related resources.

Traditional vulnerability detection relies on expert rules and pattern matching, which struggle to handle complex code and new attack vectors. LLMs, through pre-training, master code syntax and semantics and can detect vulnerabilities that traditional methods find hard to capture. The project's core positioning is to be a knowledge hub in the field of LLM-based vulnerability detection, organizing resources by technical routes, application scenarios, and evaluation dimensions to help users quickly locate information.

Foundation of Pre-trained Models: Covers code pre-trained models such as CodeBERT, GraphCodeBERT, CodeT5, and UniXcoder, as well as general-purpose large language models like the GPT series, LLaMA, and CodeLLaMA. Specialized Models and Methods: Includes fine-tuning-based vulnerability identification methods, prompt engineering-guided analysis, hybrid methods combining program structures (AST/CFG), and technical directions for fusing GNNs with LLMs.

Datasets: Organizes multilingual, multi-vulnerability-type datasets such as CVE-fix, Devign, Draper VDISC, and Big-Vul. Evaluation Benchmarks: Includes metrics like accuracy, recall, F1 score, as well as security scenario-specific metrics such as false positive rate and missed detection rate. Open-Source Tools: Collects end-to-end detection systems, training pipelines, data preprocessing tools, and pre-trained model weights.

Code Auditing: Improves enterprise-level code auditing efficiency and reduces labor costs. Open-Source Supply Chain Security: Monitors vulnerabilities in open-source projects and integrates with CI/CD processes to achieve automated scanning. Security Research: Provides materials and tools for researchers and learning paths for beginners.

Challenges: False positive issues (misclassifying normal code as vulnerable), insufficient interpretability (difficulty verifying decisions due to black-box characteristics). Trends: Multimodal fusion (combining multi-source information such as code and documents), incremental learning (adapting to new vulnerability types), human-machine collaboration (combining LLM automation with expert knowledge).

The Awesome-LLMs-for-Vulnerability-Detection project provides a valuable resource summary for LLM-driven vulnerability detection. As LLM technology evolves and security demands grow, this field will see more innovations. Mastering these resources will help practitioners and researchers build a safer digital world in the AI era.