This paper addresses the challenges of automatically identifying vulnerability-triggering test cases (VTCs) and matching them to corresponding vulnerabilities in Java open-source projects. We propose VUTECO, a dual-task deep learning framework that decouples “security-sensitivity identification” from “fine-grained test–vulnerability matching.” VUTECO introduces the first data-driven paradigm for VTC mining, jointly modeling code context, assertion patterns, and vulnerability description semantics via fine-tuned BERT for both classification and matching. Evaluated on the VUL4J dataset, VUTECO achieves 100% precision and an F₀.₅ score of 0.83 for VTC identification, covering 70% of ground-truth VTCs across 244 projects; for test–vulnerability matching, it attains 0.86 precision, though practical effectiveness remains limited in real-world settings. Key contributions include: (1) a novel task-decoupled architecture, (2) the first dedicated data-driven VTC mining paradigm, and (3) an end-to-end semantic modeling approach integrating heterogeneous program and vulnerability signals.

Software vulnerabilities are commonly detected via static analysis, penetration testing, and fuzzing. They can also be found by running unit tests - so-called vulnerability-witnessing tests - that stimulate the security-sensitive behavior with crafted inputs. Developing such tests is difficult and time-consuming; thus, automated data-driven approaches could help developers intercept vulnerabilities earlier. However, training and validating such approaches require a lot of data, which is currently scarce. This paper introduces VUTECO, a deep learning-based approach for collecting instances of vulnerability-witnessing tests from Java repositories. VUTECO carries out two tasks: (1) the"Finding"task to determine whether a test case is security-related, and (2) the"Matching"task to relate a test case to the exact vulnerability it is witnessing. VUTECO successfully addresses the Finding task, achieving perfect precision and 0.83 F0.5 score on validated test cases in VUL4J and returning 102 out of 145 (70%) correct security-related test cases from 244 open-source Java projects. Despite showing sufficiently good performance for the Matching task - i.e., 0.86 precision and 0.68 F0.5 score - VUTECO failed to retrieve any valid match in the wild. Nevertheless, we observed that in almost all of the matches, the test case was still security-related despite being matched to the wrong vulnerability. In the end, VUTECO can help find vulnerability-witnessing tests, though the matching with the right vulnerability is yet to be solved; the findings obtained lay the stepping stone for future research on the matter.