A preliminary study on the relationship among software metrics and specific vulnerability types

M Siavvas, D Kehagias… - 2017 International Conference on Computational Science and …, 2017 - ieeexplore.ieee.org
Several studies have highlighted the ability of software metrics to predict vulnerabilities. However, limited attention has been given to the capacity of software metrics to discriminate between different types of vulnerabilities, and the existence of potential interdependencies among different vulnerability types has not been studied yet. For this purpose, an empirical study was conducted on 100 widely used Java libraries. A wide range of software metrics was calculated for each project in the code base, along with the densities of a carefully selected set of vulnerability categories, which were quantified through static analysis. Correlation analysis was employed to find statistically significant relationships. The preliminary results suggest that: (i) software metrics may not be sufficient indicators of specific vulnerability types, (ii) software metrics are more capable of discriminating between security-specific and quality-specific weaknesses than between specific vulnerability types, (iii) previously uninvestigated metrics may be good indicators of security issues, and (iv) important interdependencies may exist among security-specific issues. To the best of our knowledge, this is the largest study in terms of code base size, and the first attempt at finding interdependencies among different vulnerability types.