The Design And Implementation Of C++ Source Code Vulnerability Static Scanning System

Posted on: 2021-02-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Shi
Full Text: PDF
GTID: 2428330647950858
Subject: Engineering

Abstract/Summary:
C++ source code vulnerability static scanning uncovers potential vulnerabilities in C++ source code using taint analysis and data flow analysis, without running the program. C++ is one of the most popular languages, but its memory model means that C++ programs have more memory vulnerabilities than programs in other languages, such as Java. Because static scanning has low resource cost and high efficiency, it has been widely adopted by developers. As software grows in size and complexity, static scanning systems ignore control flow and context in order to keep scanning efficient; however, the number of reported vulnerabilities and of false positives grows with it. To improve the developers' vulnerability review process and make review less difficult, a C++ source code vulnerability static scanning system urgently needs to reduce its false positive ratio so that it can assist developers in delivering more robust code.

This system introduces an iterative false alarm filtering mechanism based on machine learning to reduce the false positive ratio in vulnerability scanning. First, the system integrates multiple open source vulnerability scanning tools and scans the program with all of them to obtain a richer original vulnerability report. Second, the vulnerability scanning tool set is used to scan a source data set that carries vulnerability tags, yielding false positive data; this data is used in a machine learning process to train the false positive filter, which produces the filtered vulnerability report. Then, a vulnerability expert manually reviews the filtered vulnerability list to identify the remaining false positives. Finally, a similarity algorithm finds code similar to the code labelled as a false positive, and the false positive filter is trained again on this data, closing the loop. By filtering false positive items out of the vulnerability list, the validity and usability of the vulnerability report are improved, and developers can refer to the report to fix vulnerabilities and produce higher quality code.

The system is divided into four modules: the vulnerability static scanning module, the C++ source code feature extraction module, the false positive filtering module, and the false positive feedback module. To achieve loose coupling between services, the system uses Docker container technology to encapsulate the scanning services. To ensure high performance of the scanning service, the system uses RabbitMQ, an asynchronous queue middleware, for message transfer between services. To ensure continuous optimization of the scanning services, the system uses the Jenkins continuous integration tool to automatically update the false positive filtering model. The F1 value of the system is increased by 30% and 22% compared with TscanCode and Cppcheck respectively, and it effectively reduces false positives in C++ source code vulnerability static scanning. The system improves the availability of static scanners for C++ source code vulnerabilities, reduces the number of false positive vulnerabilities, reduces the burden on developers reviewing vulnerabilities, and provides a guarantee for delivering highly reliable code.
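The closed loop described in the abstract (merge several scanners' reports, filter with a model trained on false positive labels, let an expert label what slips through, then use code similarity to extend those labels before retraining) can be illustrated with a small self-contained toy. The following Python is an added example, not code from the thesis or its system: it stands in for the thesis's unspecified similarity algorithm and learned filter with a token-shingle Jaccard similarity over normalised C++ tokens, and every finding, snippet, file name and scanner name in it is constructed. It also goes one step beyond the abstract's single loop by showing how a second expert label, fed back in, raises the report's F1 further.

```python
"""Added example (not code from the thesis): a toy version of the closed-loop
false-positive filtering the abstract describes. Findings from several scanners
are merged, expert 'false positive' labels are propagated to findings whose
code is similar (token-shingle Jaccard similarity, standing in for the thesis's
unspecified similarity algorithm and learned filter), and the effect is
measured with F1. Every finding and code snippet below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str      # scanner that reported it (constructed names)
    file: str
    line: int
    check: str     # the scanner's rule identifier
    snippet: str   # source lines around the report; what the filter inspects


def merge_reports(*reports):
    """Union of several scanners' findings, de-duplicated on (file, line, check)
    so the same defect reported by two tools is reviewed once."""
    merged = {}
    for report in reports:
        for f in report:
            merged.setdefault((f.file, f.line, f.check), f)
    return list(merged.values())


# Tokens kept verbatim: C++ keywords and the library calls the checks are about.
# Every other identifier becomes ID and every number NUM, so a snippet that only
# differs in variable names or buffer sizes still looks the same.
KEEP = {"if", "else", "for", "while", "return", "int", "char", "sizeof",
        "delete", "new", "free", "malloc", "strcpy", "strncpy", "memcpy"}
_TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")


def shingles(code, k=3):
    """Set of k-token shingles of the normalised token stream."""
    toks = []
    for t in _TOKEN.findall(code):
        if t.isdigit():
            toks.append("NUM")
        elif (t[0].isalpha() or t[0] == "_") and t not in KEEP:
            toks.append("ID")
        else:
            toks.append(t)
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0


def propagate_labels(findings, expert_fp, threshold=0.6):
    """Predict as false positive every finding that is expert-labelled, or whose
    snippet is at least `threshold` similar to an expert-labelled one."""
    labelled = [shingles(f.snippet) for f in expert_fp]
    predicted = set()
    for f in findings:
        s = shingles(f.snippet)
        if f in expert_fp or any(jaccard(s, g) >= threshold for g in labelled):
            predicted.add(f)
    return predicted


def f1_of_report(findings, predicted_fp, true_fp):
    """F1 of the findings that survive filtering, treated as 'real vulnerability'
    predictions against the ground-truth labels."""
    kept = set(findings) - predicted_fp
    real = set(findings) - true_fp
    tp, fp, fn = len(kept & real), len(kept - real), len(real - kept)
    if tp == 0:
        return 0.0
    p, r = tp / (tp + fp), tp / (tp + fn)
    return 2 * p * r / (p + r)


# --- constructed data (not from any real scanner) ---------------------------
BOUNDED_COPY = Finding("scanner-a", "net.cpp", 40, "bufferOverrun",
    "char buf[16];\nstrncpy(buf, src, sizeof(buf) - 1);\nbuf[sizeof(buf) - 1] = 0;")
BOUNDED_COPY_2 = Finding("scanner-a", "io.cpp", 12, "bufferOverrun",
    "char name[32];\nstrncpy(name, input, sizeof(name) - 1);\nname[sizeof(name) - 1] = 0;")
UNBOUNDED_COPY = Finding("scanner-a", "auth.cpp", 77, "bufferOverrun",
    "char buf[16];\nstrcpy(buf, src);")
USE_AFTER_FREE = Finding("scanner-b", "pool.cpp", 9, "useAfterFree",
    "delete p;\np->run();")
INIT_IN_BRANCH = Finding("scanner-b", "cfg.cpp", 3, "uninitVar",
    "int n = 0;\nif (flag) n = 5;\nreturn n;")

REPORT_A = [BOUNDED_COPY, BOUNDED_COPY_2, UNBOUNDED_COPY]
REPORT_B = [Finding("scanner-b", "io.cpp", 12, "bufferOverrun", BOUNDED_COPY_2.snippet),
            USE_AFTER_FREE, INIT_IN_BRANCH]                   # io.cpp:12 reported twice
TRUE_FP = {BOUNDED_COPY, BOUNDED_COPY_2, INIT_IN_BRANCH}      # ground truth
EXPERT_FP = {BOUNDED_COPY}                                    # reviewed so far


def run_round(expert_fp=EXPERT_FP):
    """One iteration of the loop: merge, propagate labels, filter, score."""
    findings = merge_reports(REPORT_A, REPORT_B)
    predicted = propagate_labels(findings, expert_fp)
    filtered = [f for f in findings if f not in predicted]
    before = f1_of_report(findings, set(), TRUE_FP)
    after = f1_of_report(findings, predicted, TRUE_FP)
    return filtered, before, after


if __name__ == "__main__":
    filtered, before, after = run_round()
    print(f"F1 without filter {before:.2f}, with filter {after:.2f}")
    for f in filtered:
        print(f"{f.file}:{f.line} {f.check} ({f.tool})")
```

In the first round the expert has only labelled the bounded copy in `net.cpp`; the renamed copy in `io.cpp` is caught by similarity, while the initialised-in-branch report survives as a false positive the filter has not yet learned. Feeding that one expert label back in (`run_round({BOUNDED_COPY, INIT_IN_BRANCH})`) removes it in the next round, which is the feedback module's job in the thesis's design.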
Keywords/Search Tags: C++ source code vulnerability static scanning, false positive filtering, machine learning, code similarity detection