In recent years, deep learning-based vulnerability detection has drawn wide attention for its data-driven ability to analyze code semantics and learn vulnerability patterns without predefined models. However, data distribution differences across projects limit model generalization. Transfer learning provides a solution, yet most studies ignore expert-designed metrics. This paper proposes Decpvd, a data-driven cross-project software vulnerability detection method based on a dual-feature stacking ensemble. It builds an adaptive and transferable model using only code and vulnerability label data from source and target projects. It extracts code semantic features via Gated Graph Neural Networks, incorporates expert metrics from tools, performs cross-domain data-driven modeling with TrAdaBoost, and adaptively fuses the two features through stacking, overcoming fixed-weight fusion limitations. Experiments on six cross-project groups from three real datasets (FFmpeg, LibTIFF, LibPNG) show that Decpvd achieves an average AUC of 0.814, significantly outperforming mainstream baselines.
Yu Liu
Bin Liu
Shihai Wang
Mathematics
Beihang University
Changsha Normal University
Liu et al. (Thu,) studied this question.
www.synapsesocial.com/papers/69a287b00a974eb0d3c03960 — DOI: https://doi.org/10.3390/math14050780