
The Design And Implementation Of Human-machine Collaboration-Based System For Java Vulnerability Scanner

Posted on: 2021-03-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y Jiang
Full Text: PDF
GTID: 2428330647950841
Subject: Software engineering
Abstract/Summary:
With the continuous increase in the scale and complexity of software systems, software security issues keep emerging. The main cause of these issues is often errors or defects (called vulnerabilities) in the code itself, and ordinary software engineers generally generate 50-250 defects per KLOC. Vulnerability scanning and security auditing at the source level can reduce security vulnerabilities by 10% to 50% and save 5% to 20% of maintenance costs. However, most existing static vulnerability scanners are based on lexical analysis and ignore the context of a vulnerability, so they cannot accurately identify the inherent characteristics of false-positive vulnerability code. They usually produce a large number of false positives, so developers must check the results manually or even abandon the scanners, which increases maintenance costs.

To reduce the false positive ratio of current vulnerability scanners and save developers maintenance costs, this thesis designs and implements a human-computer collaborative Java bytecode vulnerability scanning system. It analyzes static vulnerability scanners and common false-positive vulnerabilities, studies bytecode context extraction, code feature extraction and related machine learning classification models, integrates crowdsourcing auditing, and combines these with the vulnerability scanning requirements of actual scenarios to implement the system. First, the system scans submitted projects with static vulnerability scanners, ensuring that the set of candidate vulnerabilities is complete. Second, the vulnerability-related code is extracted with the JOANA (Java Object-sensitive ANAlysis) slicing tool, and the relevant features are extracted from that context. Then, multi-layer classification models based on algorithms such as similarity matching and random forests are used to filter the scan results. Finally, the remaining vulnerability results are sent to crowdsourcing auditors for manual false positive filtering, and the audited results are stored for iterative training of subsequent filtering models. The system thus provides two complete vulnerability reports with a low false positive ratio: the after-filtering report and the after-auditing report. The system is divided into an interactive display module, a vulnerability scanning core module and an iterative learning module, and is implemented with the Spring Boot framework, the Pug template engine, microservices and other technologies and architectures.

The human-machine collaborative Java bytecode vulnerability scanning system implemented in this thesis provides a better vulnerability scanning service. Experiments on the OWASP dataset show that the precision of this system reaches 89.71% when the recall rate is 95.39%. Compared with the original scanner, this system reduces the false positive ratio by nearly 22%. The system can effectively reduce the false positive ratio of traditional static vulnerability scanners while keeping a low false negative ratio, thereby saving maintenance costs and helping developers improve code quality. At present, the system has been launched on the company's platform to support the development of the company's static vulnerability scanning service.
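As an added illustration (not code from the thesis or from the company's system), the following Python sketches the filtering loop the abstract describes on constructed data: scanner findings carrying context features, a similarity stage that matches against previously audited false positives, a simple learned stage, a crowdsourced audit whose verdicts are fed back into the store, and precision/recall measured for the raw scanner output, the after-filtering report and the after-auditing report. The Jaccard measure stands in for the thesis's similarity model and the per-feature false-positive-rate scorer for its random forest; the rule names, context features, findings, thresholds and audit verdicts are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Added example, not the thesis's code. Rule names, context features,
# findings, thresholds and audit verdicts below are constructed sample data.


@dataclass(frozen=True)
class Finding:
    fid: str                  # identifier assigned by the scanner run
    rule: str                 # scanner rule the finding was reported under
    features: FrozenSet[str]  # context features extracted from the code slice


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set similarity used by the first filtering stage."""
    return len(a & b) / len(a | b) if a | b else 1.0


class FalsePositiveFilter:
    """Two filtering stages backed by a store of human audit verdicts."""

    def __init__(self, similarity_threshold: float = 0.6, fp_threshold: float = 0.5):
        self.similarity_threshold = similarity_threshold
        self.fp_threshold = fp_threshold
        self.audited: List[Tuple[Finding, bool]] = []  # (finding, is_false_positive)

    def record_audit(self, finding: Finding, is_false_positive: bool) -> None:
        """Feed an auditor's verdict back so later rounds learn from it."""
        self.audited.append((finding, is_false_positive))

    def similar_to_known_fp(self, f: Finding) -> bool:
        """Stage 1: near-duplicate of a same-rule finding auditors already rejected."""
        return any(f.rule == g.rule and jaccard(f.features, g.features) >= self.similarity_threshold
                   for g, is_fp in self.audited if is_fp)

    def feature_fp_rates(self) -> Dict[str, float]:
        """Per-feature fraction of audited findings that were false positives."""
        seen: Dict[str, int] = {}
        fps: Dict[str, int] = {}
        for g, is_fp in self.audited:
            for feat in g.features:
                seen[feat] = seen.get(feat, 0) + 1
                fps[feat] = fps.get(feat, 0) + int(is_fp)
        return {feat: fps[feat] / seen[feat] for feat in seen}

    def model_says_fp(self, f: Finding) -> bool:
        """Stage 2: a deliberately simple learned stand-in for the random forest."""
        rates = self.feature_fp_rates()
        known = [rates[x] for x in f.features if x in rates]
        if not known:
            return False  # nothing learned about these features yet: keep the finding
        return sum(known) / len(known) > self.fp_threshold

    def filter(self, findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
        """Return (after-filtering report, dropped findings)."""
        kept = [f for f in findings if not (self.similar_to_known_fp(f) or self.model_says_fp(f))]
        dropped = [f for f in findings if f not in kept]
        return kept, dropped


def precision_recall(reported: List[Finding], truly_vulnerable: Set[str]) -> Tuple[float, float]:
    ids = {f.fid for f in reported}
    tp = len(ids & truly_vulnerable)
    return (tp / len(ids) if ids else 0.0, tp / len(truly_vulnerable) if truly_vulnerable else 0.0)


def run_round() -> dict:
    fpf = FalsePositiveFilter()
    # Verdicts from earlier audit rounds (constructed).
    fpf.record_audit(Finding("A1", "SQL_INJECTION", frozenset({"constant_query", "prepared_statement"})), True)
    fpf.record_audit(Finding("A2", "SQL_INJECTION", frozenset({"param_from_http", "string_concat"})), False)
    fpf.record_audit(Finding("A3", "XSS", frozenset({"sanitizer_called", "param_from_http"})), True)
    # Raw output of one scan (constructed); only F2 is a real vulnerability.
    scan = [
        Finding("F1", "SQL_INJECTION", frozenset({"constant_query", "prepared_statement", "static_method"})),
        Finding("F2", "SQL_INJECTION", frozenset({"param_from_http", "string_concat", "loop"})),
        Finding("F3", "XSS", frozenset({"sanitizer_called", "param_from_http", "response_write"})),
        Finding("F4", "SQL_INJECTION", frozenset({"sanitizer_called", "constant_query"})),
        Finding("F5", "SQL_INJECTION", frozenset({"param_from_http", "static_method"})),
    ]
    truth = {"F2"}
    after_filtering, _ = fpf.filter(scan)
    # Crowdsourced audit of the after-filtering report (constructed verdicts), fed back into the store.
    verdicts = {"F2": False, "F5": True}
    after_auditing = []
    for f in after_filtering:
        fpf.record_audit(f, verdicts[f.fid])
        if not verdicts[f.fid]:
            after_auditing.append(f)
    # Next round: a near-copy of the rejected F5 is now caught by stage 1 without human effort.
    f6 = Finding("F6", "SQL_INJECTION", frozenset({"param_from_http", "static_method", "logging"}))
    return {
        "raw": precision_recall(scan, truth),
        "after_filtering": precision_recall(after_filtering, truth),
        "after_auditing": precision_recall(after_auditing, truth),
        "kept_ids": [f.fid for f in after_filtering],
        "f6_dropped_next_round": fpf.similar_to_known_fp(f6),
    }


if __name__ == "__main__":
    for key, value in run_round().items():
        print(key, value)
```

The point of the ordering is the one the abstract makes: the scanner is left at full recall, and each later stage only removes findings, so recall stays at 1.0 in every report while precision rises from 0.2 (raw) to 0.5 (after filtering) to 1.0 (after auditing) on this sample. The audit verdicts are what make the next round cheaper: a finding shaped like the rejected F5 is dropped by the similarity stage before any auditor sees it.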
Keywords/Search Tags: Vulnerability Scanning, False Positive Filter, Crowdsourcing Audit, Human-Machine Collaboration