[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-javavulbench-tests-12-ai-models-on-real-java-security-flaws":10,"sections":34},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":24,"tags":25,"sources":29,"feedback":33,"feedback_at":22,"cost_usd":33,"total_tokens":33},3770,"javavulbench-tests-12-ai-models-on-real-java-security-flaws","JavaVulBench Tests 12 AI Models on Real Java Security Flaws","A new open benchmark pits CodeBERT against GPT-4o and Claude Sonnet 4 on 30,600 Java methods tied to 1,740 CVEs - with a built-in cheat-detection mode.","A new benchmark wants to end the guessing game around which AI models actually find Java vulnerabilities - and which ones just look like they do.\n\nResearchers released JavaVulBench, a dataset of roughly 30,600 Java methods drawn from over 700 projects and mapped to 1,740 CVEs. Labels exist at both method and line level, and each CVE carries a publication date so evaluators can construct five different train-test splits: random, project-disjoint, temporal, deduplicated, and unseen CWE family. A unified harness wraps twelve detectors - including CodeBERT, GraphCodeBERT, UniXcoder, DeepSeek-Coder-1.3B, GPT-4o, GPT-4.1-mini, Claude Sonnet 4, and several Qwen and CodeLlama variants - so every model runs under identical conditions from a single command. The whole package, including fine-tuned checkpoints, is archived on Zenodo.\n\nThe harder-to-ignore feature is the contamination audit. Because large language models are pre-trained on public code and CVE disclosures, a model that \"detects\" a known vulnerability may simply be recalling it from training data. JavaVulBench ships a per-model audit that flags which test CVEs a given model might have already seen, letting researchers separate genuine detection from memorization. That distinction has been mostly hand-waved away in prior vulnerability benchmarks.\n\nThe field has no shortage of security benchmarks, but most cover C and C++ - Java's enterprise dominance makes a credible Java-specific dataset overdue. Whether the twelve reference models represent a meaningful cross-section is another question; notably absent are larger open-weight code models and any fine-tuned security-specialist variants. Still, a benchmark that at least tries to measure what it claims to measure is a better starting point than one that doesn't.","[\"security\",\"ai\",\"benchmarks\",\"java\"]","2026-07-07T04:00:00.000Z","2026-07-07T08:02:50.948Z","2026-07-07T08:02:53.924Z","published",null,[],"security",[24,26,27,28],"ai","benchmarks","java",[30],{"name":31,"url":32},"arXiv cs.AI","https:\u002F\u002Farxiv.org\u002Fabs\u002F2607.02825",0,{"sections":35},[36,40,44,49,54,59,64,69,74,78,83,87,92,97],{"name":37,"slug":26,"count":38,"latest_published_at":39},"AI",2590,"2026-07-16T04:00:00.000Z",{"name":41,"slug":24,"count":42,"latest_published_at":43},"Security",294,"2026-07-15T19:59:48.000Z",{"name":45,"slug":46,"count":47,"latest_published_at":48},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":50,"slug":51,"count":52,"latest_published_at":53},"Policy","policy",158,"2026-07-16T00:02:48.000Z",{"name":55,"slug":56,"count":57,"latest_published_at":58},"Hardware","hardware",122,"2026-07-14T19:46:26.000Z",{"name":60,"slug":61,"count":62,"latest_published_at":63},"Consumer Tech","consumer-tech",93,"2026-07-13T13:20:48.000Z",{"name":65,"slug":66,"count":67,"latest_published_at":68},"Software","software",70,"2026-07-13T19:52:25.000Z",{"name":70,"slug":71,"count":72,"latest_published_at":73},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":75,"slug":76,"count":77,"latest_published_at":18},"Dev Tools","dev-tools",59,{"name":79,"slug":80,"count":81,"latest_published_at":82},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":84,"slug":85,"count":81,"latest_published_at":86},"Startups","startups","2026-06-29T20:55:50.000Z",{"name":88,"slug":89,"count":90,"latest_published_at":91},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":93,"slug":94,"count":95,"latest_published_at":96},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":98,"slug":99,"count":100,"latest_published_at":101},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]