Title of invention: Techniques for correlating vulnerabilities across an evolving codebase
Abstract: Methods, apparatus, and systems for characterizing vulnerabilities of an application source code are disclosed. Steps for characterizing vulnerabilities include traversing a representation of the application source code, generating a signature of a potential vulnerability of the application source code, and determining characteristics of the potential vulnerability based on a correlation between the generated signature of the potential vulnerability and previously stored signatures of potential vulnerabilities.
Publication number: US9405915(B2)  Publication date: 2016.08.02
Application number: US201313830312  Filing date: 2013.03.14
Applicant: WHITEHAT SECURITY, INC.  Inventor: Sheridan Eric
Classification: G06F21/57;G06F21/56  Main classification: G06F21/57
Agency: Polsinelli PC  Agent: Polsinelli PC
Independent claim: 1. A method of characterizing vulnerabilities of application source code, comprising one or more computer processors performing steps comprising: traversing a representation of the application source code, the representation of the application source code comprising an abstract syntax tree of the application source code; identifying a potentially vulnerable node during traversal of the representation of the application source code; collecting metadata of the potentially vulnerable node, the metadata comprising one or more parent or child nodes associated with the potentially vulnerable node; generating a signature of the potentially vulnerable node, the signature comprising a value of a hash function on the metadata of the potentially vulnerable node; and determining characteristics of a potential vulnerability associated with the potentially vulnerable node, based on a correlation between the generated signature of the potentially vulnerable node and previously stored signatures of potentially vulnerable nodes.
Address: Santa Clara CA US
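The steps of the independent claim (traverse an AST, flag a node, collect parent/child metadata, hash it, correlate with stored signatures) can be sketched as follows. This is an added example, not code from the patent or from the applicant; the sink list, the choice of metadata fields, SHA-256, and the names `signatures` and `correlate` are assumptions made for illustration.

```python
import ast
import hashlib

SINKS = {"eval", "exec"}  # assumption: calls treated as potentially vulnerable nodes

# Constructed sample input: two revisions of the same file.
OLD_REVISION = "def run(expr):\n    return eval(expr)\n\ndef legacy(code):\n    exec(code)\n"
NEW_REVISION = ("import logging\n\ndef run(expr):\n    logging.info('run')\n"
                "    return eval(expr)\n\ndef load(path):\n    exec(open(path).read())\n")

def signatures(source):
    """Map signature -> line number for every potentially vulnerable node."""
    tree = ast.parse(source)
    parent = {c: n for n in ast.walk(tree) for c in ast.iter_child_nodes(n)}
    found = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in SINKS):
            continue
        # Metadata: sink name, ancestor chain up to the module, argument subtree shape.
        chain, cur = [], parent.get(node)
        while cur is not None:
            chain.append(f"{type(cur).__name__}:{getattr(cur, 'name', '')}")
            cur = parent.get(cur)
        shape = [type(c).__name__ for arg in node.args for c in ast.walk(arg)]
        meta = "|".join([node.func.id, ">".join(chain), ",".join(shape)])
        # Line numbers are deliberately left out so the hash survives code motion.
        found[hashlib.sha256(meta.encode()).hexdigest()] = node.lineno
    return found

def correlate(stored, current):
    """Classify findings by comparing current signatures with stored ones."""
    return {
        "persisting": sorted((stored[s], current[s]) for s in current if s in stored),
        "new": sorted(current[s] for s in current if s not in stored),
        "resolved": sorted(stored[s] for s in stored if s not in current),
    }

if __name__ == "__main__":
    print(correlate(signatures(OLD_REVISION), signatures(NEW_REVISION)))
```

Two structurally identical sinks inside the same function hash to the same value in this sketch; adding a sibling index to the metadata would keep them apart.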