EASE 2024
Tue 18 - Fri 21 June 2024 Salerno, Italy

The sources of reliable, code-level information about vulnerabilities that affect open-source software (OSS) are scarce, which hinders a broad adoption of advanced tools that provide code-level detection and assessment of vulnerable OSS dependencies. In this paper, we report our findings from using features extracted from four off-the-shelf static code analyzers (PMD, Checkstyle, CK, Progex), which rely on pattern matching, software metrics or program analysis, in a machine-learning pipeline to identify source code commits that contain vulnerability fixes. We show that successful machine-learning models, built from base classifiers and ensemble techniques, can be trained on the combination of these features.
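As an added illustration (not the paper's code or tooling), a miniature Python version of the pipeline the abstract describes: two stand-in analyzers take the place of PMD/Checkstyle (regex pattern rules) and CK (size and branch counts), per-commit feature deltas from both are concatenated, decision stumps serve as base classifiers, and a majority vote over the best stumps is the ensemble. The Java snippets, their fix/non-fix labels, the rule set and the feature names are all constructed here and are not from the paper; program-analysis features of the Progex kind are omitted.

```python
"""Miniature version of the pipeline sketched above (added illustration, not the
paper's code): stand-in analyzers produce per-commit feature deltas, decision
stumps are the base classifiers, and a majority vote is the ensemble."""
import re
# Stand-in pattern-matching analyzer (role of PMD/Checkstyle): rule -> hit count.
PATTERN_RULES = {
    "sql_concat": re.compile(r"execute(?:Query|Update)\([^)]*\+"),
    "empty_catch": re.compile(r"catch\s*\([^)]*\)\s*\{\s*\}"),
    "stack_trace": re.compile(r"printStackTrace\("),
}
BRANCH_RE = re.compile(r"\b(?:if|for|while|case)\b")  # stand-in CK-style metric

def pattern_report(src):
    return {k: len(rx.findall(src)) for k, rx in PATTERN_RULES.items()}

def metrics_report(src):  # role of CK: size and branching of the code
    return {"loc": sum(1 for ln in src.splitlines() if ln.strip()),
            "branches": len(BRANCH_RE.findall(src))}

def feature_vector(before, after):
    """Commit features: per-analyzer deltas (after - before) from both analyzers,
    concatenated, plus the net change in pattern warnings as a combined feature."""
    f = {}
    for prefix, report in (("pat", pattern_report), ("ck", metrics_report)):
        b, a = report(before), report(after)
        f.update({f"{prefix}:{k}": a[k] - b[k] for k in b})
    f["pat:total"] = sum(v for k, v in f.items() if k.startswith("pat:"))
    return f

def train_stump(name, xs, ys):
    """Base classifier: the best single-threshold rule on one feature."""
    vals = sorted(set(xs))
    const = int(2 * sum(ys) >= len(ys))  # majority label, used if no rule beats it
    best = {"name": name, "t": None, "le": True, "const": const,
            "acc": sum(y == const for y in ys) / len(ys)}
    for t in [(lo + hi) / 2 for lo, hi in zip(vals, vals[1:])]:
        for le in (True, False):  # le: predict "fix" when x <= t, else when x > t
            acc = sum(int((x <= t) == le) == y for x, y in zip(xs, ys)) / len(ys)
            if acc > best["acc"]:
                best.update(acc=acc, t=t, le=le)
    return best

def stump_predict(s, x):
    return s["const"] if s["t"] is None else int((x <= s["t"]) == s["le"])

def train_ensemble(commits, k=3):
    """Ensemble: majority vote of the k stumps with the best training accuracy."""
    feats = [feature_vector(b, a) for b, a, _ in commits]
    ys = [y for _, _, y in commits]
    stumps = [train_stump(n, [f[n] for f in feats], ys) for n in sorted(feats[0])]
    stumps.sort(key=lambda s: (-s["acc"], s["name"]))
    return stumps[:k]

def predict(ensemble, before, after):
    """1 = the commit looks like a vulnerability fix, 0 = other change."""
    f = feature_vector(before, after)
    votes = sum(stump_predict(s, f[s["name"]]) for s in ensemble)
    return int(2 * votes > len(ensemble))

# Constructed commits, (before, after, label) over the changed method body;
# label 1 = vulnerability fix, 0 = unrelated change. Not real project history.
TRAIN = [
    ("""Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name = '" + n + "'");
return map(rs);""", """PreparedStatement st = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
st.setString(1, n);
return map(st.executeQuery());""", 1),
    ("""try { conn.close(); } catch (SQLException e) {}""", """try { conn.close(); } catch (SQLException e) {
  throw new DaoException("close failed", e);
}""", 1),
    ("""try { return reader.read(n); } catch (IOException e) { e.printStackTrace(); return null; }""",
     """if (n < 0 || n > MAX) throw new IllegalArgumentException("bad length");
return reader.read(n);""", 1),
    ("""return items.size();""", """int sum = 0;
for (Item it : items) sum += it.price();
return sum;""", 0),
    ("""out.flush();""",
     """try { out.flush(); } catch (IOException e) { e.printStackTrace(); }""", 0),
    ("""return cache.get(id + ":" + name);""", """String key = cacheKey(id, name);
log.debug("lookup {}", key);
metrics.increment("cache.lookup");
return cache.get(key);""", 0),
]
HELD_OUT = [
    ("""Statement st = conn.createStatement();
st.executeUpdate("UPDATE users SET name = '" + n + "' WHERE id = " + id);
st.close();""", """PreparedStatement st = conn.prepareStatement("UPDATE users SET name = ? WHERE id = ?");
st.setString(1, n);
st.setInt(2, id);
st.executeUpdate();""", 1),
    ("""return cache.get(key);""", """User u = cache.get(key);
log.debug("cache {} -> {}", key, u);
return u;""", 0),
]

def run_demo():
    """Train on TRAIN; return (chosen feature names, held-out predictions)."""
    ens = train_ensemble(TRAIN)
    return [s["name"] for s in ens], [predict(ens, b, a) for b, a, _ in HELD_OUT]
```

`run_demo()` trains on the six constructed commits and classifies the two held-out ones. The stumps it selects combine a pattern feature (net warnings removed) with a metric feature (lines added), which is the point the abstract makes about training on the combination of analyzer outputs; a feature whose best threshold does no better than the majority label falls back to that label and is ranked last. A real pipeline would replace the stand-ins with the analyzers' own reports and learn on thousands of labelled commits.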