GitHub’s CodeQL-based code analysis technology has been overhauled and now uses machine learning (ML) to find potential security vulnerabilities in code.
GitHub acquired the technology for CodeQL as part of its acquisition of Semmle. CodeQL is used by security research teams to perform semantic analysis of code, and GitHub has made it open source.
CodeQL builds a database containing a relational representation of the code, and then queries are run against the database to check for specific security issues. The queries are based on patterns from known security issues, and creating the patterns takes time.
GitHub’s Tiferet Gazit said:
“Manual modeling can be time-consuming, and there will always be a long line of lesser-known libraries and private code that we can’t model manually. This is where machine learning comes in.”
The CodeQL team uses samples discovered using the manual models to train deep learning neural networks that can determine if a code snippet contains a potentially risky sink.
This means CodeQL can uncover vulnerabilities even if they arise from using a library the team has never seen before. For example, CodeQL can detect SQL injection vulnerabilities related to lesser-known or closed-source database abstraction libraries.
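To show what the "manual modeling" the article contrasts with the ML approach actually looks like, here is an added CodeQL query for JavaScript (not code from GitHub or the CodeQL project). It hand-models the first argument of `runQuery` from a made-up module `tiny-db` as a SQL sink and tracks remote user input to it; the module and function names are assumptions, and the ML classifier is what would flag such a sink when nobody has written this class.

```ql
/**
 * @name SQL injection through a hand-modeled database helper
 * @description Flow from an HTTP request value into the SQL string
 *              passed to the hypothetical tiny-db `runQuery` function.
 * @kind path-problem
 * @problem.severity error
 * @id js/example-tinydb-sql-injection
 */

import javascript
import semmle.javascript.security.dataflow.SqlInjectionCustomizations::SqlInjection
import DataFlow::PathGraph

/**
 * Manual sink model: the first argument of any call to `runQuery`
 * exported by the hypothetical module "tiny-db" is treated as SQL that
 * reaches the database. The library and function names are assumptions.
 */
class TinyDbQuerySink extends SqlInjection::Sink {
  TinyDbQuerySink() {
    this = DataFlow::moduleMember("tiny-db", "runQuery").getACall().getArgument(0)
  }
}

/** Taint-tracking configuration: remote input flowing to any SQL sink. */
class TinyDbSqlInjectionConfig extends TaintTracking::Configuration {
  TinyDbSqlInjectionConfig() { this = "TinyDbSqlInjectionConfig" }

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  // Includes the built-in SQL sinks plus the TinyDbQuerySink model above.
  override predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }

  // Keep the library's existing sanitizers (e.g. parameterized-query helpers).
  override predicate isSanitizer(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer }
}

from TinyDbSqlInjectionConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "This SQL query depends on $@.", source.getNode(), "a user-provided value"
```

Run it with `codeql database analyze` against a JavaScript database; because the sink class extends `SqlInjection::Sink`, the stock `js/sql-injection` query would also start reporting flows into `runQuery`.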
In terms of accuracy, the team tested CodeQL on repositories that weren’t in the training set, comparing the warnings detected by machine learning against those from a manual query created by a security researcher; they measured a recall of about 80% with an accuracy of about 60%.
The team is currently extending ML-generated alerts to more JavaScript and TypeScript security queries and is working to improve both their performance and runtime. Future plans include expansion to other programming languages.