Scalable Defect Detection via Traversal on Code Graph

Detecting defects and vulnerabilities in the early stage has long been a challenge in software engineering. Static analysis, a technique that inspects code without execution, has emerged as a key strategy to address this challenge. Among recent advancements, the use of graph-based representations, p...

Ausführliche Beschreibung

Gespeichert in:

Bibliographische Detailangaben
Veröffentlicht in:	arXiv.org 2024-06
Hauptverfasser:	Liu, Zhengyao, Zhong, Xitong, Deng, Xingjing, Hong, Shuo, Gao, Xiang, Sun, Hailong
Format:	Artikel
Sprache:	eng
Schlagworte:	Defects Graphical representations Machine learning Queries Query languages Semantics Software engineering
Online-Zugang:	Volltext
Tags:	Tag hinzufügen Keine Tags, Fügen Sie den ersten Tag hinzu!

container_end_page
container_issue
container_start_page
container_title	arXiv.org
container_volume
creator	Liu, Zhengyao Zhong, Xitong Deng, Xingjing Hong, Shuo Gao, Xiang Sun, Hailong
description	Detecting defects and vulnerabilities in the early stage has long been a challenge in software engineering. Static analysis, a technique that inspects code without execution, has emerged as a key strategy to address this challenge. Among recent advancements, the use of graph-based representations, particularly Code Property Graph (CPG), has gained traction due to its comprehensive depiction of code structure and semantics. Despite the progress, existing graph-based analysis tools still face performance and scalability issues. The main bottleneck lies in the size and complexity of CPG, which makes analyzing large codebases inefficient and memory-consuming. Also, query rules used by the current tools can be over-specific. Hence, we introduce QVoG, a graph-based static analysis platform for detecting defects and vulnerabilities. It employs a compressed CPG representation to maintain a reasonable graph size, thereby enhancing the overall query efficiency. Based on the CPG, it also offers a declarative query language to simplify the queries. Furthermore, it takes a step forward to integrate machine learning to enhance the generality of vulnerability detection. For projects consisting of 1,000,000+ lines of code, QVoG can complete analysis in approximately 15 minutes, as opposed to 19 minutes with CodeQL.
format	Article
fullrecord	<record><control><sourceid>proquest</sourceid><recordid>TN_cdi_proquest_journals_3067542268</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>3067542268</sourcerecordid><originalsourceid>FETCH-proquest_journals_30675422683</originalsourceid><addsrcrecordid>eNpjYuA0MjY21LUwMTLiYOAtLs4yMDAwMjM3MjU15mQwDU5OzElMyklVcElNS00uAVIlQCozP0-hLDNRIaQosSy1qDgxRwEo4JyfkqrgXpRYkMHDwJqWmFOcyguluRmU3VxDnD10C4ryC0tTi0vis_JLi_KAUvHGBmbmpkCrzSyMiVMFADabNC8</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>3067542268</pqid></control><display><type>article</type><title>Scalable Defect Detection via Traversal on Code Graph</title><source>Free E- Journals</source><creator>Liu, Zhengyao ; Zhong, Xitong ; Deng, Xingjing ; Hong, Shuo ; Gao, Xiang ; Sun, Hailong</creator><creatorcontrib>Liu, Zhengyao ; Zhong, Xitong ; Deng, Xingjing ; Hong, Shuo ; Gao, Xiang ; Sun, Hailong</creatorcontrib><description>Detecting defects and vulnerabilities in the early stage has long been a challenge in software engineering. Static analysis, a technique that inspects code without execution, has emerged as a key strategy to address this challenge. Among recent advancements, the use of graph-based representations, particularly Code Property Graph (CPG), has gained traction due to its comprehensive depiction of code structure and semantics. Despite the progress, existing graph-based analysis tools still face performance and scalability issues. The main bottleneck lies in the size and complexity of CPG, which makes analyzing large codebases inefficient and memory-consuming. Also, query rules used by the current tools can be over-specific. Hence, we introduce QVoG, a graph-based static analysis platform for detecting defects and vulnerabilities. It employs a compressed CPG representation to maintain a reasonable graph size, thereby enhancing the overall query efficiency. Based on the CPG, it also offers a declarative query language to simplify the queries. Furthermore, it takes a step forward to integrate machine learning to enhance the generality of vulnerability detection. For projects consisting of 1,000,000+ lines of code, QVoG can complete analysis in approximately 15 minutes, as opposed to 19 minutes with CodeQL.</description><identifier>EISSN: 2331-8422</identifier><language>eng</language><publisher>Ithaca: Cornell University Library, arXiv.org</publisher><subject>Defects ; Graphical representations ; Machine learning ; Queries ; Query languages ; Semantics ; Software engineering</subject><ispartof>arXiv.org, 2024-06</ispartof><rights>2024. This work is published under http://creativecommons.org/licenses/by/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>776,780</link.rule.ids></links><search><creatorcontrib>Liu, Zhengyao</creatorcontrib><creatorcontrib>Zhong, Xitong</creatorcontrib><creatorcontrib>Deng, Xingjing</creatorcontrib><creatorcontrib>Hong, Shuo</creatorcontrib><creatorcontrib>Gao, Xiang</creatorcontrib><creatorcontrib>Sun, Hailong</creatorcontrib><title>Scalable Defect Detection via Traversal on Code Graph</title><title>arXiv.org</title><description>Detecting defects and vulnerabilities in the early stage has long been a challenge in software engineering. Static analysis, a technique that inspects code without execution, has emerged as a key strategy to address this challenge. Among recent advancements, the use of graph-based representations, particularly Code Property Graph (CPG), has gained traction due to its comprehensive depiction of code structure and semantics. Despite the progress, existing graph-based analysis tools still face performance and scalability issues. The main bottleneck lies in the size and complexity of CPG, which makes analyzing large codebases inefficient and memory-consuming. Also, query rules used by the current tools can be over-specific. Hence, we introduce QVoG, a graph-based static analysis platform for detecting defects and vulnerabilities. It employs a compressed CPG representation to maintain a reasonable graph size, thereby enhancing the overall query efficiency. Based on the CPG, it also offers a declarative query language to simplify the queries. Furthermore, it takes a step forward to integrate machine learning to enhance the generality of vulnerability detection. For projects consisting of 1,000,000+ lines of code, QVoG can complete analysis in approximately 15 minutes, as opposed to 19 minutes with CodeQL.</description><subject>Defects</subject><subject>Graphical representations</subject><subject>Machine learning</subject><subject>Queries</subject><subject>Query languages</subject><subject>Semantics</subject><subject>Software engineering</subject><issn>2331-8422</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2024</creationdate><recordtype>article</recordtype><sourceid>BENPR</sourceid><recordid>eNpjYuA0MjY21LUwMTLiYOAtLs4yMDAwMjM3MjU15mQwDU5OzElMyklVcElNS00uAVIlQCozP0-hLDNRIaQosSy1qDgxRwEo4JyfkqrgXpRYkMHDwJqWmFOcyguluRmU3VxDnD10C4ryC0tTi0vis_JLi_KAUvHGBmbmpkCrzSyMiVMFADabNC8</recordid><startdate>20240612</startdate><enddate>20240612</enddate><creator>Liu, Zhengyao</creator><creator>Zhong, Xitong</creator><creator>Deng, Xingjing</creator><creator>Hong, Shuo</creator><creator>Gao, Xiang</creator><creator>Sun, Hailong</creator><general>Cornell University Library, arXiv.org</general><scope>8FE</scope><scope>8FG</scope><scope>ABJCF</scope><scope>ABUWG</scope><scope>AFKRA</scope><scope>AZQEC</scope><scope>BENPR</scope><scope>BGLVJ</scope><scope>CCPQU</scope><scope>DWQXO</scope><scope>HCIFZ</scope><scope>L6V</scope><scope>M7S</scope><scope>PIMPY</scope><scope>PQEST</scope><scope>PQQKQ</scope><scope>PQUKI</scope><scope>PRINS</scope><scope>PTHSS</scope></search><sort><creationdate>20240612</creationdate><title>Scalable Defect Detection via Traversal on Code Graph</title><author>Liu, Zhengyao ; Zhong, Xitong ; Deng, Xingjing ; Hong, Shuo ; Gao, Xiang ; Sun, Hailong</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-proquest_journals_30675422683</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2024</creationdate><topic>Defects</topic><topic>Graphical representations</topic><topic>Machine learning</topic><topic>Queries</topic><topic>Query languages</topic><topic>Semantics</topic><topic>Software engineering</topic><toplevel>online_resources</toplevel><creatorcontrib>Liu, Zhengyao</creatorcontrib><creatorcontrib>Zhong, Xitong</creatorcontrib><creatorcontrib>Deng, Xingjing</creatorcontrib><creatorcontrib>Hong, Shuo</creatorcontrib><creatorcontrib>Gao, Xiang</creatorcontrib><creatorcontrib>Sun, Hailong</creatorcontrib><collection>ProQuest SciTech Collection</collection><collection>ProQuest Technology Collection</collection><collection>Materials Science & Engineering Collection</collection><collection>ProQuest Central (Alumni Edition)</collection><collection>ProQuest Central UK/Ireland</collection><collection>ProQuest Central Essentials</collection><collection>ProQuest Central</collection><collection>Technology Collection</collection><collection>ProQuest One Community College</collection><collection>ProQuest Central Korea</collection><collection>SciTech Premium Collection</collection><collection>ProQuest Engineering Collection</collection><collection>Engineering Database</collection><collection>Publicly Available Content Database</collection><collection>ProQuest One Academic Eastern Edition (DO NOT USE)</collection><collection>ProQuest One Academic</collection><collection>ProQuest One Academic UKI Edition</collection><collection>ProQuest Central China</collection><collection>Engineering Collection</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Liu, Zhengyao</au><au>Zhong, Xitong</au><au>Deng, Xingjing</au><au>Hong, Shuo</au><au>Gao, Xiang</au><au>Sun, Hailong</au><format>book</format><genre>document</genre><ristype>GEN</ristype><atitle>Scalable Defect Detection via Traversal on Code Graph</atitle><jtitle>arXiv.org</jtitle><date>2024-06-12</date><risdate>2024</risdate><eissn>2331-8422</eissn><abstract>Detecting defects and vulnerabilities in the early stage has long been a challenge in software engineering. Static analysis, a technique that inspects code without execution, has emerged as a key strategy to address this challenge. Among recent advancements, the use of graph-based representations, particularly Code Property Graph (CPG), has gained traction due to its comprehensive depiction of code structure and semantics. Despite the progress, existing graph-based analysis tools still face performance and scalability issues. The main bottleneck lies in the size and complexity of CPG, which makes analyzing large codebases inefficient and memory-consuming. Also, query rules used by the current tools can be over-specific. Hence, we introduce QVoG, a graph-based static analysis platform for detecting defects and vulnerabilities. It employs a compressed CPG representation to maintain a reasonable graph size, thereby enhancing the overall query efficiency. Based on the CPG, it also offers a declarative query language to simplify the queries. Furthermore, it takes a step forward to integrate machine learning to enhance the generality of vulnerability detection. For projects consisting of 1,000,000+ lines of code, QVoG can complete analysis in approximately 15 minutes, as opposed to 19 minutes with CodeQL.</abstract><cop>Ithaca</cop><pub>Cornell University Library, arXiv.org</pub><oa>free_for_read</oa></addata></record>
fulltext	fulltext
identifier	EISSN: 2331-8422
ispartof	arXiv.org, 2024-06
issn	2331-8422
language	eng
recordid	cdi_proquest_journals_3067542268
source	Free E- Journals
subjects	Defects Graphical representations Machine learning Queries Query languages Semantics Software engineering
title	Scalable Defect Detection via Traversal on Code Graph
url	https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-11T01%3A26%3A14IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=Scalable%20Defect%20Detection%20via%20Traversal%20on%20Code%20Graph&rft.jtitle=arXiv.org&rft.au=Liu,%20Zhengyao&rft.date=2024-06-12&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E3067542268%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3067542268&rft_id=info:pmid/&rfr_iscdi=true