
VulTerminator

Abstract: Mainstream techniques for Automated Vulnerability Repair (AVR) lean heavily on Large Language Models (LLMs) and treat vulnerability repair as a code translation task. Yet their effectiveness is limited by the complex nature of vulnerability fixes and, possibly, by the lack of training datasets in the Java programming language. On the other hand, template-based Automated Program Repair (APR) remains a popular way to fix general bugs. However, only a few approaches have ever employed vulnerability-specific fix templates. This paper introduces VulTerminator, a novel repair approach for Java vulnerabilities that leverages both heuristic-based and data-driven fix templates. The former are specialized for certain vulnerability types, such as XML External Entity (XXE) injection, that can more easily be patched with predefined heuristics. The latter aim to repair broader classes of vulnerabilities by generating common patch templates with masks, which are later filled by a fine-tuned Masked Language Model (MLM). In this paper, we introduce a total of eleven fix templates distilled from real-world Java patches and evaluate VulTerminator on 106 vulnerabilities with test cases from Vul4J+, as well as on 169 unseen vulnerabilities from a newly curated dataset called Vul4JL. VulTerminator achieves the best overall repair performance, outperforming the state-of-the-art approaches by 7% on Vul4J+ and 27% on Vul4JL, as confirmed by manual inspection. VulTerminator managed to fix 10 vulnerabilities in Vul4J+ and 16 in Vul4JL that no other approach could fix, mainly due to the contribution of heuristic-based templates.
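To make concrete what a heuristic-based fix template for XXE does, below is an added, deliberately simplified illustration in Python; it is not code from the VulTerminator repository. The sample Java method is constructed, and the template is modelled as a regex-driven source rewrite that inserts the standard JAXP hardening calls after every DocumentBuilderFactory creation.

```python
import re

# Constructed sample: a Java method that parses untrusted XML with a
# DocumentBuilderFactory left at its insecure defaults (XXE-prone).
VULNERABLE_JAVA = """\
public Document parse(InputStream in) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = dbf.newDocumentBuilder();
    return db.parse(in);
}
"""

# Hardening statements the template inserts, parameterised on the factory
# variable name. The feature URIs are the real JAXP/Xerces ones.
HARDENING = [
    '{v}.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);',
    '{v}.setFeature("http://xml.org/sax/features/external-general-entities", false);',
    '{v}.setFeature("http://xml.org/sax/features/external-parameter-entities", false);',
    '{v}.setXIncludeAware(false);',
    '{v}.setExpandEntityReferences(false);',
]

# Matches "DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();"
# with or without the declared type, capturing indentation and variable name.
FACTORY_DECL = re.compile(
    r'^(?P<indent>[ \t]*)(?:DocumentBuilderFactory\s+)?(?P<var>\w+)\s*=\s*'
    r'DocumentBuilderFactory\.newInstance\(\)\s*;\s*$'
)


def apply_xxe_template(source: str) -> str:
    """Insert XXE hardening right after each factory creation.
    Idempotent: a statement already present later in the file is not re-added."""
    lines = source.splitlines()
    out = []
    for i, line in enumerate(lines):
        out.append(line)
        m = FACTORY_DECL.match(line)
        if not m:
            continue
        var, ind = m.group("var"), m.group("indent")
        following = "\n".join(lines[i + 1:])
        for stmt in HARDENING:
            filled = stmt.format(v=var)
            if filled not in following:
                out.append(ind + filled)
    return "\n".join(out) + ("\n" if source.endswith("\n") else "")


def is_hardened(source: str) -> bool:
    """Cheap check a template could use to decide whether the fix applies."""
    return "disallow-doctype-decl" in source


if __name__ == "__main__":
    print(apply_xxe_template(VULNERABLE_JAVA))
```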

If you use VulTerminator in an academic context, please cite:

@inproceedings{bui2026vulterminator,
  title={VulTerminator: Bringing Back Template-Based Automated Repair for Fixing Java Vulnerabilities},
  author={Bui, Quang-Cuong and Iannone, Emanuele and Scandariato, Riccardo},
  booktitle={2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)},
  pages={TBA},
  year={2026},
  organization={IEEE}
}

Usage

Requirements

  • Java 17
  • Maven 3
  • Python 3.10+

Set up VulTerminator

VulTerminator is implemented on top of the TBar codebase.

  1. Download and set up the vulnerability dataset, which is based on Vul4J.
  2. Download the already trained model (model.bin) for Data-driven Fix Templates into VulTerminator_Training/saved_models.
  3. Install dependencies for Python scripts: cd VulTerminator_Training && pip install -r requirements.txt
  4. Configure your own paths in DataStore.java
  5. Test VulTerminator CLI:
mvn compile exec:java@repair

usage: VulTerminator [-h] -i VUL_ID [-c {true,false}] [-s {true,false}]
VulTerminator: error: argument -i/--vul-id is required

Perform model training for Data-driven Fix Templates

  1. First, update training.sh with your HuggingFace access token.

  2. Below are sample commands for submitting the training job with Slurm.

cd VulTerminator_Training
sbatch slurm/training.sh

Perform repair

mvn compile exec:java@repair -Dexec.args="--vul-id VUL4J-6"

About

VulTerminator: A template-guided AVR tool for fixing Java vulnerabilities
