“…Metric-based techniques, inspired by bug prediction [16,28,30,38,46,49,78], leverage supervised or unsupervised machine learning to predict vulnerable code mostly at the granularity level of a source file. Following security experts' belief that complexity is the enemy of software security [40], they use complexity metrics [21,44,45,55,56] as features, or combine them with code churn metrics [26,54,58], token frequency metrics [31,52,65,79], dependency metrics [43,47,48,81], developer activity metrics [54,58] and execution complexity metrics [57]. On the other hand, pattern-based techniques leverage patterns of known vulnerabilities to identify potentially vulnerable code through static analysis.…”