A transformer-based VS Code extension that enables one to discover vulnerabilities in Java files.

TQRG/VDET-for-Java

VDET for Java

[Screenshot: VDET in action]

Automatic vulnerability detection is of paramount importance to promote the security of an application and should be exercised at the earliest stages within the software development life cycle (SDLC) to reduce the risk of exposure. Despite the advancements with state-of-the-art deep learning techniques in software vulnerability detection, the development environments are not yet leveraging their performance. In this work, we integrate the Transformers architecture, one of the main highlights of advances in deep learning for Natural Language Processing, within a developer-friendly tool for code security. We introduce VDet for Java, a transformer-based VS Code extension that enables one to discover vulnerabilities in Java files. Our preliminary model evaluation presents an accuracy of 98.9% for multi-label classification and can detect up to 21 vulnerability types.

Check our YouTube 📺 video to see how VDET works.

Features 🔎

  • Scan a complete file (recommended)
  • Scan a specific code piece highlighted by the user (useful when there are syntax errors)

List of CWEs: 113, 129, 134, 15, 190, 191, 197, 23, 319, 26, 269, 400, 470, 606, 643, 690, 78, 789, 80, 89, 90

Setup

Tested with: Windows, VS Code, Python, Node.js, Git.

1. Start plugin-backend

To run the plugin-backend server (from dir: plugin-backend/):

  1. Install required packages (listed at requirements.txt):

    pip install -r requirements.txt
    
  2. Make sure you have a serialized pretrained model and multi-label binarizer (ours are available here). Then, create your .env file (from the provided template, in the same location) and add the paths to the serialized objects.

  3. Start the server (it runs on port 5000 by default):

    python server.py 
    
  4. Check the available routes (they can be used without the extension):

    1. Analyse code section (with line interval): POST /predict/section

    2. Analyse complete file: POST /predict/file
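The two routes above can be driven without the extension. The client below is an added example, not part of the VDET repository; it assumes JSON request bodies with the field names `code`, `start` and `end` and a JSON response carrying a `labels` list, none of which the README specifies, and it checks returned ids against the 21 CWE types the page lists.

```python
"""Minimal client for the VDet plugin-backend routes (constructed example).

Assumed wire format (not documented on the page):
  POST /predict/file     body {"code": "<java source>"}
  POST /predict/section  body {"code": "<java source>", "start": n, "end": m}
  response               JSON object with a "labels" list of CWE ids
"""
import json
import urllib.request

BASE_URL = "http://localhost:5000"  # server.py default port per the README

# The 21 CWE types the README says the model can detect.
SUPPORTED_CWES = {15, 23, 26, 78, 80, 89, 90, 113, 129, 134, 190, 191, 197,
                  269, 319, 400, 470, 606, 643, 690, 789}


def section_payload(source: str, start: int, end: int) -> dict:
    """Body for /predict/section; the line interval is 1-based and inclusive
    and must lie inside the file, otherwise the request is rejected locally."""
    total = len(source.splitlines())
    if not 1 <= start <= end <= total:
        raise ValueError(f"line interval {start}-{end} outside 1-{total}")
    return {"code": source, "start": start, "end": end}


def post_json(route: str, body: dict, base_url: str = BASE_URL) -> dict:
    """POST a JSON body to the backend and decode the JSON reply."""
    req = urllib.request.Request(
        base_url + route, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())


def parse_labels(response: dict) -> list:
    """Normalise predicted labels ("CWE-89", "89" or 89) to sorted ints and
    reject any id outside the supported set, so a malformed or unexpected
    reply fails loudly instead of being reported as a finding."""
    cwes = set()
    for label in response.get("labels", []):
        text = str(label).upper().removeprefix("CWE-")
        if not text.isdigit():
            raise ValueError(f"unexpected label {label!r}")
        cwe = int(text)
        if cwe not in SUPPORTED_CWES:
            raise ValueError(f"CWE-{cwe} is not one of the 21 supported types")
        cwes.add(cwe)
    return sorted(cwes)


if __name__ == "__main__":
    with open("Example.java", encoding="utf-8") as fh:  # any Java file
        src = fh.read()
    print(parse_labels(post_json("/predict/file", {"code": src})))
```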

2. Start VS Code extension 💻

To run the extension (from dir: plugin/vdet-java/):

  1. Make sure you have Node.js and Git installed
  2. Install yo and generator-code
    npm install -g yo generator-code
    
  3. Install required packages
    npm install
    
  4. Start the extension by pressing F5. A new VS Code window should open ✨

Note: if you have any trouble starting the extension, please check the "VS Code: Your First Extension" tutorial.

Datasets

Our datasets are available here. The datasets were built from a single source, the Juliet Test Suite for Java.

There are three datasets available and suitable for machine learning operations. The split follows an 80/10/10 ratio for train, test and validation sets, respectively.



More info about this work here.
