Title: After-the-fact configuration of static analysis tools able to reduce user burden
Abstract: A method includes mapping, based on a first mapping from possible security findings to possible configuration-related sources of imprecision, the actual security findings from a static analysis of a program to their corresponding configuration-related sources of imprecision; this mapping of the actual findings creates a second mapping. A user is requested to configure selected ones of the configuration-related sources of imprecision from the second mapping. Responsive to the user updating the configuration corresponding to the selected sources of imprecision, the security analysis results for the static analysis of the program are updated, at least by determining whether one or more security findings from the results are no longer considered vulnerable under the updated configuration. The updated security analysis results are output. Apparatus and program products are also disclosed.
Publication number: US9223984 (B2)    Publication date: 2015.12.29
Application number: US201314024761    Filing date: 2013.09.12
Applicant: GlobalFoundries Inc.    Inventors: Guarnieri Salvatore A.; Pistoia Marco; Tripp Omer
Classification: G06F11/00; G06F21/57    Main classification: G06F11/00
Agency: Harrington & Smith    Attorney: Harrington & Smith
Main claim: 1. An apparatus, comprising:
  one or more memories comprising computer-readable code;
  one or more hardware processors, wherein the one or more hardware processors are configured, in response to execution of the computer-readable code, to cause the apparatus to perform the following:
    mapping, based on a first mapping from possible security findings for possible security vulnerabilities in a static analysis of a program to possible configuration-related sources of imprecision, actual security findings in security analysis results from the static analysis of the program to corresponding configuration-related sources of imprecision, the mapping of the actual security findings creating a second mapping;
    selecting configuration-related sources of imprecision, wherein selecting further comprises converging on a subset of the configuration-related sources of imprecision that optimizes the following two constraints: minimum number of configuration-related sources of imprecision; and maximal precision, and wherein selecting further comprises setting the subset of the configuration-related sources of imprecision as the selected configuration-related sources of imprecision;
    requesting a user configure the selected ones of the configuration-related sources of imprecision from the second mapping;
    responsive to a user updating configuration corresponding to the selected ones of the configuration-related sources of imprecision, updating security analysis results for the static analysis of the program at least by determining whether one or more security findings from the security analysis results are no longer considered to be vulnerable based on the updated configuration by the user and by removing from the security analysis results any of the one or more security findings that are no longer considered to be vulnerable based on the updated configuration by the user; and
    outputting the updated security analysis results.
Address: Grand Cayman KY
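The abstract and claim 1 above describe a four-step flow over the output of a taint-style static analysis: a first mapping from finding kinds to configuration-related sources of imprecision, a second mapping from the actual findings to the concrete items the user could configure, a selection step that converges on a small subset of those items with the largest effect on precision, and a re-evaluation that drops findings the user's configuration has shown to be non-vulnerable. The following Python is an added illustration of that flow and is not code from the patent or its assignee. Every name in it is constructed: the finding kinds, the unresolved callees (Util.clean, Esc.htmlEncode, Legacy.call), the call paths and the user's answers are sample data, and the greedy set cover in select_callees is one ordinary way to approximate "minimum number of items, maximal precision"; the patent does not specify that algorithm.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """One security finding: a taint path from a source to a sink."""
    id: str
    kind: str                 # vulnerability class, e.g. "SQLi" or "XSS"
    path: Tuple[str, ...]     # call sites along the flow, source first


# First mapping (constructed): possible finding kinds -> categories of
# configuration-related imprecision that could turn such a finding into a
# false positive once the user configures them.
FIRST_MAPPING: Dict[str, FrozenSet[str]] = {
    "SQLi": frozenset({"sanitizer:sql", "safe-callee"}),
    "XSS": frozenset({"sanitizer:html", "safe-callee"}),
}

# Callees the analysis could not classify (constructed), with the categories
# a user could plausibly assign to each. Anything not listed is resolved.
UNRESOLVED: Dict[str, FrozenSet[str]] = {
    "Util.clean": frozenset({"sanitizer:sql", "sanitizer:html"}),
    "Esc.htmlEncode": frozenset({"sanitizer:html"}),
    "Legacy.call": frozenset({"safe-callee"}),
}

# Actual findings from a hypothetical scan (constructed sample input).
FINDINGS: List[Finding] = [
    Finding("F1", "SQLi", ("req.getParameter", "Util.clean", "stmt.execute")),
    Finding("F2", "XSS", ("req.getParameter", "Util.clean", "out.println")),
    Finding("F3", "XSS", ("req.getParameter", "Esc.htmlEncode", "out.println")),
    Finding("F4", "SQLi", ("req.getParameter", "Legacy.call", "Util.clean", "stmt.execute")),
    Finding("F5", "SQLi", ("req.getParameter", "stmt.execute")),  # no imprecision on path
]


def relevant_categories(finding: Finding, callee: str) -> FrozenSet[str]:
    """Categories under which configuring `callee` could resolve `finding`."""
    return UNRESOLVED.get(callee, frozenset()) & FIRST_MAPPING[finding.kind]


def second_mapping(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Second mapping: each actual finding -> unresolved callees that could resolve it."""
    return {f.id: {c for c in f.path if relevant_categories(f, c)} for f in findings}


def select_callees(second: Dict[str, Set[str]]) -> List[str]:
    """Greedy set cover: the fewest callees whose configuration could resolve
    every finding that configuration can resolve at all. Findings mapped to
    no callee (like F5) cannot be helped by configuration and are skipped."""
    covers: Dict[str, Set[str]] = {}
    for fid, callees in second.items():
        for c in callees:
            covers.setdefault(c, set()).add(fid)
    uncovered = {fid for fid, callees in second.items() if callees}
    chosen: List[str] = []
    while uncovered:
        # Most newly covered findings wins; the name breaks ties deterministically.
        best = max(covers, key=lambda c: (len(covers[c] & uncovered), c))
        gain = covers[best] & uncovered
        if not gain:
            break
        chosen.append(best)
        uncovered -= gain
    return chosen


def apply_configuration(findings: List[Finding], second: Dict[str, Set[str]],
                        config: Dict[str, Set[str]]) -> List[Finding]:
    """Return the findings still considered vulnerable after the user's answers.
    `config` maps a callee to the categories the user confirmed for it. A finding
    is dropped only when a callee on its path is confirmed in a category that
    applies to that finding's kind; an unconfigured callee changes nothing."""
    kept = []
    for f in findings:
        resolved = any(config.get(c, frozenset()) & relevant_categories(f, c)
                       for c in second[f.id])
        if not resolved:
            kept.append(f)
    return kept


if __name__ == "__main__":
    second = second_mapping(FINDINGS)
    print("please configure:", select_callees(second))
    # Hypothetical user answer: Util.clean only neutralises SQL metacharacters,
    # so it clears the SQLi findings through it but not the XSS finding F2.
    user_config = {"Util.clean": {"sanitizer:sql"}, "Esc.htmlEncode": {"sanitizer:html"}}
    print("still vulnerable:", [f.id for f in apply_configuration(FINDINGS, second, user_config)])
```

Two points worth noticing in the sample run. The selection asks the user about two callees, not three: Legacy.call is never requested because every finding it could resolve (F4) is already resolvable by configuring Util.clean, which is the "minimum number" side of the claim's constraint. And the re-evaluation is per vulnerability class: confirming Util.clean as an SQL sanitizer removes F1 and F4 but leaves the XSS finding F2 in place, which is the check a practitioner wants before a single configuration answer silently suppresses findings of another kind.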