Title: Static analysis based on abstract program representations
Abstract: An application analysis platform automatically generates abstract program representations (APRs) that are amenable to static analysis for finding security vulnerabilities. The APR is generated, preferably from an existing build system or a source repository, and then encapsulated in a binary archival format for consumption by a static analysis tool that runs on-premises or in the cloud. The APR is a highly compact version of the source code it represents. The archival format obfuscates the source code that is subjected to analysis, protecting it from reverse engineering when it is moved off-premises or shared with other users, teams, or even organizations. Binary archive files generated separately from different source code components can be merged and analyzed together to provide more effective static data-flow analysis, including across components built on different machines, by different teams, and at different times.
Publication number: US2016180096(A1) Publication date: 2016.06.23
Application number: US201414576469 Filing date: 2014.12.19
Applicant: International Business Machines Corporation Inventors: Sharma Babita; Mak Andrew; Goldberg Richard Myer; Peyton, JR. John Thomas; Turnham Jeffrey Charles; Murphy Matthew Francis; Xiao Hua
IPC classifications: G06F21/57; G06F21/14; G06F11/36 Main classification: G06F21/57
Agency: (none listed) Agent: (none listed)
Independent claim: 1. A method of static security analysis, comprising: receiving a set of build information associated with a source code component; using the set of build information to generate application metadata defining an abstract program representation of the source code; transforming the application metadata into a container that obfuscates the source code; and performing a static security analysis on the container; wherein the receiving, using and transforming operations occur in an automated manner in software executing in a hardware element.
Address: Armonk NY US
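The abstract and claim 1 describe a pipeline (build information, then an APR, then an obfuscating container, then analysis, with containers from separate builds merged) without specifying any format. The following is an added toy implementation of that pipeline, written for this page; it is not IBM's code and nothing in it reflects the actual archive format of the patent. The build information, the `APR1` container layout, the salted-hash obfuscation of identifiers, and the two sample components are all constructed assumptions. It shows the security-relevant property the abstract claims: each archive carries no source identifiers, yet a source-to-sink data flow that crosses the two separately built components is only found once the archives are merged.

```python
"""Toy APR pipeline (added example, not the patent's implementation)."""
import hashlib
import json
import struct
import zlib
from collections import deque

MAGIC = b"APR1"  # assumed container magic for this example only


def hashed(symbol: str, salt: str) -> str:
    """One-way, deterministic name for a symbol. Every archive that will later be
    merged must use the same salt, or cross-component edges will not join."""
    return hashlib.sha256(f"{salt}\0{symbol}".encode()).hexdigest()[:16]


def build_apr(build_info: dict, salt: str) -> dict:
    """Turn (constructed) build information into an abstract program representation:
    a data-flow graph over hashed nodes plus hashed source and sink sets."""
    edges, sources, sinks = set(), set(), set()
    for fn, ops in build_info.items():
        for op in ops:
            kind = op[0]
            if kind == "source":       # ("source", var): var holds attacker input
                sources.add(hashed(f"{fn}.{op[1]}", salt))
            elif kind == "param":      # ("param", var): var is fn's parameter
                edges.add((hashed(f"{fn}.param", salt), hashed(f"{fn}.{op[1]}", salt)))
            elif kind == "assign":     # ("assign", dst, src): src flows to dst
                edges.add((hashed(f"{fn}.{op[2]}", salt), hashed(f"{fn}.{op[1]}", salt)))
            elif kind == "call":       # ("call", callee, arg): arg flows to callee's parameter
                edges.add((hashed(f"{fn}.{op[2]}", salt), hashed(f"{op[1]}.param", salt)))
            elif kind == "sink":       # ("sink", var): var reaches a dangerous operation
                sinks.add(hashed(f"{fn}.{op[1]}", salt))
            else:
                raise ValueError(f"unknown op {kind}")
    return {"edges": [list(e) for e in sorted(edges)],
            "sources": sorted(sources), "sinks": sorted(sinks)}


def to_container(apr: dict) -> bytes:
    """Encapsulate the APR as: magic | u16 version | u32 length | zlib(JSON)."""
    payload = zlib.compress(json.dumps(apr, separators=(",", ":")).encode())
    return MAGIC + struct.pack(">HI", 1, len(payload)) + payload


def from_container(blob: bytes) -> dict:
    """Validate the header before touching the payload; reject anything malformed."""
    if blob[:4] != MAGIC:
        raise ValueError("not an APR container")
    version, length = struct.unpack(">HI", blob[4:10])
    if version != 1 or len(blob) != 10 + length:
        raise ValueError("bad container header")
    return json.loads(zlib.decompress(blob[10:]))


def merge(*aprs: dict) -> dict:
    """Union of separately built archives; hashed node ids join across components."""
    edges, sources, sinks = set(), set(), set()
    for apr in aprs:
        edges.update(tuple(e) for e in apr["edges"])
        sources.update(apr["sources"])
        sinks.update(apr["sinks"])
    return {"edges": [list(e) for e in sorted(edges)],
            "sources": sorted(sources), "sinks": sorted(sinks)}


def taint_paths(apr: dict) -> list:
    """Forward reachability from every source; returns hashed source->sink paths."""
    succ = {}
    for a, b in apr["edges"]:
        succ.setdefault(a, []).append(b)
    sinks, found = set(apr["sinks"]), []
    for src in apr["sources"]:
        queue, seen = deque([[src]]), {src}
        while queue:
            path = queue.popleft()
            if path[-1] in sinks:
                found.append(path)
                continue
            for nxt in succ.get(path[-1], []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return found


# Constructed build information for two components built separately: a web
# handler that passes a request parameter to a library, and the library itself.
WEB_BUILD = {"handler": [("source", "name"), ("assign", "path", "name"),
                         ("call", "write_file", "path")]}
LIB_BUILD = {"write_file": [("param", "p"), ("assign", "fname", "p"), ("sink", "fname")]}
SALT = "team-shared-salt"  # assumed to be agreed out of band by the merging teams


def demo() -> tuple:
    """Findings for web alone, lib alone, and the merged archives."""
    web = from_container(to_container(build_apr(WEB_BUILD, SALT)))
    lib = from_container(to_container(build_apr(LIB_BUILD, SALT)))
    return len(taint_paths(web)), len(taint_paths(lib)), len(taint_paths(merge(web, lib)))


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from the toy. First, what "obfuscates" buys here is only that identifiers are replaced by salted hashes; the graph shape, and therefore much of the program structure, still travels in the archive, so the container should be treated as sensitive even though no source text is in it. Second, merging requires that independently built archives hash symbols the same way, which in this example means a shared salt; whatever mechanism a real system uses for that step is part of its trust boundary.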