Papers
Topics
Authors
Recent
Search
2000 character limit reached

The Code Whisperer: LLM and Graph-Based AI for Smell and Vulnerability Resolution

Published 12 Apr 2026 in cs.SE and cs.AI | (2604.13114v1)

Abstract: Code smells and software vulnerabilities both increase maintenance cost, yet they are often handled by separate tools that miss structural context and produce noisy warnings. This paper presents The Code Whisperer, a hybrid framework that combines graph-based program analysis with LLMs to detect, explain, and repair maintainability and security issues within a unified workflow. The method aligns Abstract Syntax Trees (ASTs), Control Flow Graphs (CFGs), Program Dependency Graphs (PDGs), and token-level code embeddings so that structural and semantic signals can be learned jointly. We evaluate the framework on multi-language datasets and compare it with rule-based analyzers and single-model baselines. The results indicate that the hybrid design improves detection performance and produces more useful repair suggestions than either graph-only or language-model-only approaches. We also examine explainability and CI/CD integration as practical requirements for adopting AI-assisted code review in everyday software engineering workflows.

Summary

  • The paper introduces a unified hybrid framework merging graph-based analysis and fine-tuned LLMs to accurately detect and repair code smells and vulnerabilities.
  • It leverages multi-representational code artifacts including ASTs, CFGs, and PDGs, achieving high detection F1-scores and precise automated repairs.
  • The approach enhances developer productivity with explainable outputs and CI/CD integration, reducing bug density and technical debt.

Hybrid Graph-Based and LLM-Assisted Approaches to Code Smell and Vulnerability Resolution

Introduction

The manuscript "The Code Whisperer: LLM and Graph-Based AI for Smell and Vulnerability Resolution" (2604.13114) introduces a unified framework that merges graph-based program analysis and fine-tuned LLMs to address code maintainability and software vulnerability issues. Traditional static analysis tools are limited by rigid rule sets and inability to leverage contextual and structural information, resulting in false positives and negatives that hinder effective software quality assurance. This research departs from single-modal and piecemeal approaches by exploiting the synergies between structural information (ASTs, CFGs, PDGs) and semantic patterns (LLMs), aligning these representations for precise detection and automated repair of both code smells and vulnerabilities.

Problem and Motivation

Software code quality is a primary contributor to lifecycle maintenance cost, defect proneness, and security risk. Code smells—such as excessive method length, class bloat, coupling, or hardcoded secrets—correlate with technical debt and frequently manifest as vulnerabilities exploitable in adversarial scenarios. Existing detection frameworks—encompassing rule-based linters and static analyzers—lack the expressive power to handle context-rich or cross-cutting defect classes. Moreover, these tools typically segregate maintainability and security analysis, missing structural contexts where bad design and insecure implementation reinforce each other.

Recent advances in GNNs and code-oriented LLMs provide potential to learn multi-granular code properties beyond lexical or syntactic tokens. However, when used in isolation, each modality is deficient: GNNs capture control and dependency structures well but lack fluency in local semantics and patch generation, while LLMs excel at context-aware reasoning but may hallucinate repairs or overlook deep dependencies. The paper's core hypothesis is that a hybrid, aligned representation enables more robust detection and actionable repair, outperforming either model alone.

Methodology

The proposed framework processes and analyzes source code leveraging a layered pipeline:

  • Representation: Source code artifacts from Java, Python, and JavaScript are normalized and annotated for both code smells and vulnerabilities using a blend of existing analysis tools and dual-annotator review. Multiple representations are extracted per artifact: token-level sequences, ASTs, CFGs, and PDGs, augmented by transformer-based embeddings.
  • Detection Models: Structural features are processed via a GNN, operating over AST, CFG, and PDG nodes/edges with associated syntactic and metric features. In parallel, an LLM is fine-tuned for detection and repair tasks, learning patterns from code examples annotated with smells/vulnerabilities and their repairs. A multi-task alignment layer share gradients to bridge model-level representations, facilitating transfer of contextual and structural signals.
  • Automated Repair: Upon detecting defective code, the framework synthesizes ranked repair suggestions. LLM generation is constrained to preserve original intent, and produced edits (e.g., for Long Methods, SQL injection, or secret leakage) are routed through downstream validation layers.
  • Explainability: Both detection and repair suggestions are surfaced with attention maps and graph-level attributions, yielding developer-inspectable outputs essential for production deployment and professional trust.
  • CI/CD Integration: The system is implemented to operate in pre-commit hooks, pull request pipelines, and auto-fix branches, logging developer interactions for continual retraining and model refinement.

Experimental Results

Experiments encompass 120k smell-labeled and 15k vulnerability-labeled samples across three languages, compared to classical tools (SonarQube, PMD, Bandit, ESLint), semantic analyzers (CodeQL, Semgrep), and unimodal learning components.

Key results:

  • Detection Accuracy: The hybrid GNN + LLM consistently outperforms all baselines, yielding F1-scores of 0.92 (smells) and 0.89 (vulnerabilities), compared with 0.86 (GNN-only) and 0.84 (LLM-only). Precision for large-scale smells such as Long Method and God Class is notably higher than PMD and SonarQube (+10-12 points).
  • Repair Efficacy: Automated repair yields candidate fixes for 72% of smells and 68% of vulnerabilities, with ~61% of recommendations deemed merge-ready by human reviewers. Maintainability metrics post-repair show a 23% reduction in cyclomatic complexity and 18% reduction in CBO. For security, average CWE risk scores drop from 7.2 to 3.9.
  • Explainability: Attention and attribution methods contribute to interpretability, as validated in developer studies, though the paper notes that these explanations are suggestive rather than machine-verifiable.
  • Efficiency: The hybrid model incurs a moderate 15% runtime overhead versus LLM-only, but remains suitable for practical CI/CD workflows. PR scan latency remains within acceptable bounds for enterprise-scale repositories.
  • Impact on Developer Productivity: Empirical evidence demonstrates a 37% drop in post-release bug density and a 28% improvement in review turnaround time, reinforcing utility in realistic development contexts.

Ablation studies directly confirm the necessity of both modalities and the multi-task alignment for achieving observed accuracy and interpretability.

Implications and Limitations

The integration of graph-structural and LLM-semantic reasoning substantiates the argument that code properties crucial for maintainability and security manifest across both control/data flow structures and local context. This approach not only mitigates the detection/repair limitations of prior tools but also fosters improved developer adoption via explainable outputs and CI/CD compatibility. Practically, this can reduce technical debt and preempt costly post-deployment vulnerabilities in large, heterogeneous codebases.

Nevertheless, the authors transparently discuss limitations: dataset diversity could be broadened, annotation leakage remains a concern, and repair generation for architectural smells (e.g., God Class, Feature Envy) is still challenging. While explanation methods support developer trust, they require further validation for actionable causality. Integration with richer artifact sources (e.g., test failures, runtime traces) and longitudinal studies of deployment impact are future directions noted to mature the framework.

Conclusion

This work offers a rigorous demonstration that hybrid, multi-representational models enable superior, explainable, and practically deployable detection and repair of both maintainability issues and security vulnerabilities in software systems. The approach bridges the gap between rigid static analyzers and purely learned models, showing measurable productivity and code-quality improvements. Continued research in scaling annotation, deepening semantic-verification, and enhancing deployment adaptivity will dictate the evolution of such frameworks from research systems to standard components in automated software engineering and secure development pipelines.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.