Comprehensive Evaluation of Static Analysis Tools for Their Performance in Finding Vulnerabilities in Java Code

Alqaradaghi, Midya; Kozsik, Tamás

doi:10.1109/access.2024.3389955

IEEE Access

2024

DOI: 10.1109/access.2024.3389955

|View full text |Cite

Comprehensive Evaluation of Static Analysis Tools for Their Performance in Finding Vulnerabilities in Java Code

Midya Alqaradaghi,

Tamás Kozsik

Abstract: Various static code analysis tools have been designed with the aim of detecting software faults and security vulnerabilities automatically. This paper aims to 1) Conduct an empirical evaluation to assess the performance of five free and state-of-the-art static analysis tools in detecting Java security vulnerabilities using a well-defined and repeatable approach. 2) Report on the vulnerabilities that are best and worst detected by static Java analyzers. We used the Juliet benchmark test suite in a controlled ex… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...

Citation Types

Supporting

Mentioning

Contrasting

Year Published

2024

Publication Types

Select...

Article2

Relationship

Self Cite0

Independent2

Authors

Journals

Cited by 2 publications

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Improving VulRepair’s Perfect Prediction by Leveraging the LION Optimizer

Kishiyama,

Lee,

Yang

2024

Applied Sciences

View full text Add to dashboard Cite

In current software applications, numerous vulnerabilities may be present. Attackers attempt to exploit these vulnerabilities, leading to security breaches, unauthorized entry, data theft, or the incapacitation of computer systems. Instead of addressing software or hardware vulnerabilities at a later stage, it is better to address them immediately or during the development phase. Tools such as AIBugHunter provide solutions designed to tackle software issues by predicting, categorizing, and fixing coding vulnerabilities. Essentially, developers can see where their code is susceptible to attacks and obtain details about the nature and severity of these vulnerabilities. AIBugHunter incorporates VulRepair to detect and repair vulnerabilities. VulRepair currently predicts patches for vulnerable functions at 44%. To be truly effective, this number needs to be increased. This study examines VulRepair to see whether the 44% perfect prediction can be increased. VulRepair is based on T5 and uses both natural language and programming languages during its pretraining phase, along with byte pair encoding. T5 is a text-to-text transfer transformer model with an encoder and decoder as part of its neural network. It outperforms other models such as VRepair and CodeBERT. However, the hyperparameters may not be optimized due to the development of new optimizers. We reviewed a deep neural network (DNN) optimizer developed by Google in 2023. This optimizer, the Evolved Sign Momentum (LION), is available in PyTorch. We applied LION to VulRepair and tested its influence on the hyperparameters. After adjusting the hyperparameters, we obtained a 56% perfect prediction, which exceeds the value of the VulRepair report of 44%. This means that VulRepair can repair more vulnerabilities and avoid more attacks. As far as we know, our approach utilizing an alternative to AdamW, the standard optimizer, has not been previously applied to enhance VulRepair and similar models.

show abstract

Improving VulRepair’s Perfect Prediction by Leveraging the LION Optimizer

Kishiyama,

Lee,

Yang

2024

Applied Sciences

View full text Add to dashboard Cite

show abstract

Tổng quan về phân tích tĩnh và phân tích động trong kiểm tra bảo mật ứng dụng

Nguyen Thanh Cong,

Le Huy Toan,

Ta Minh

2024

JMST

View full text Add to dashboard Cite

Trong bối cảnh các hệ thống thông tin ngày càng trở nên phức tạp và đối mặt với nhiều mối đe dọa an ninh mạng, việc đánh giá an toàn thông tin (ATTT) trở nên vô cùng quan trọng. Bài báo này tập trung vào hai phương pháp đánh giá ATTT phổ biến là đánh giá tĩnh và đánh giá động. Đánh giá tĩnh phân tích mã nguồn hoặc mã nhị phân để phát hiện lỗ hổng bảo mật từ giai đoạn phát triển phần mềm. Đánh giá động kiểm tra bảo mật của hệ thống trong quá trình hoạt động, giúp phát hiện lỗ hổng trong thời gian chạy. Bài báo trình bày tổng quan các kỹ thuật và công cụ của cả hai phương pháp, đồng thời so sánh ưu nhược điểm của chúng. Đánh giá tĩnh giúp phát hiện lỗi sớm nhưng có thể bỏ sót các lỗi thời gian chạy, trong khi đánh giá động kiểm tra thực tế nhưng có thể gây gián đoạn hệ thống. Sự kết hợp của cả hai phương pháp mang lại hiệu quả tốt nhất trong việc đảm bảo ATTT.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Comprehensive Evaluation of Static Analysis Tools for Their Performance in Finding Vulnerabilities in Java Code

Cited by 2 publications

References 29 publications

Improving VulRepair’s Perfect Prediction by Leveraging the LION Optimizer

Improving VulRepair’s Perfect Prediction by Leveraging the LION Optimizer

Tổng quan về phân tích tĩnh và phân tích động trong kiểm tra bảo mật ứng dụng

Contact Info

Product

Resources

About