Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis

License

Notifications You must be signed in to change notification settings

s3c2/daa

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Differential Alert Analysis

This repository contains the Differential Alert Analysis (DAA) source code. DAA is a Python library developed to find fixed vulnerabilities using the output of SAST tools.

Introduction  •  Installation  •  License  •  Cite

Introduction

DAA is a language-agnostic algorithm that uses the outputs of lightweight and imprecise off-the-shelf static application security testing (SAST) tools to discover resolved vulnerabilities in software projects without relying on an announcement of the fix. The key insight driving DAA is that when a fix is introduced, it eliminates a SAST alert that was present in the prior version.

Installation

Clone the DAA repository and pip install from the clone. We recommend creating a virtual environment to install DAA.

git clone git@github.com:s3c2/daa.git
cd daa

python3 -m venv .venv
source .venv/bin/activate
pip3 install .

Use DAA as a library:

from daa import daa_hierarchy
import pandas as pd

if __name__ == '__main__':
    
    # SET the alerts generated from your SAST tool
    previous_alerts = pd.read_csv("PATH_TO_PREVIOUS_ALERTS.csv")
    current_alerts = pd.read_csv("PATH_TO_CURRENT_ALERTS.csv")
    
    # Run DAA on the alerts
    daa_results = daa_hierarchy.DAA(previous_alerts, current_alerts)
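To make the insight from the Introduction concrete, here is an added, self-contained illustration of differential alert analysis over two SAST alert sets. It is not the library's `daa_hierarchy.DAA` implementation and does not reproduce its matching logic; the CSV column names (`rule`, `file`, `function`, `line`), the sample alerts, and the choice to match at (rule, file, function) granularity while ignoring line numbers are all assumptions made for this example. It uses only the standard library so it runs without pandas.

```python
"""Differential alert analysis, simplified (added example, not DAA's own code).

Idea being illustrated: an alert that the SAST tool reported on the previous
version but that has no counterpart in the current version is a candidate
for a resolved vulnerability. Alerts are matched at (rule, file, function)
granularity; the line number is deliberately ignored, because a fix usually
shifts surrounding lines and a line-exact match would report every shifted
alert as "resolved".
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str      # SAST rule identifier (assumed column name: "rule")
    file: str      # flagged source file (assumed column name: "file")
    function: str  # enclosing function, "" if the tool reports none
    line: int      # reported line; kept for display, ignored when matching


# Constructed sample SAST output for the previous and current versions.
# The schema is an assumption for this example, not DAA's CSV format.
PREVIOUS_CSV = """rule,file,function,line
B608-sql-injection,app/db.py,lookup_user,42
B608-sql-injection,app/db.py,lookup_user,57
B303-weak-hash,app/auth.py,hash_password,12
B105-hardcoded-password,app/config.py,,3
"""

CURRENT_CSV = """rule,file,function,line
B608-sql-injection,app/db.py,lookup_user,44
B105-hardcoded-password,app/config.py,,3
B201-debug-true,app/main.py,create_app,9
"""


def alerts_from_csv_text(text):
    """Parse SAST alerts from CSV text with the assumed columns above."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Alert(row["rule"], row["file"], row.get("function") or "", int(row["line"]))
        for row in reader
    ]


def alert_key(alert):
    """Matching granularity: same rule, same file, same enclosing function."""
    return (alert.rule, alert.file, alert.function)


def differential_alert_analysis(previous, current):
    """Return (resolved, new) as lists of dicts.

    Multiplicity matters: two same-keyed alerts in the previous version
    matched by only one in the current version means one was resolved.
    """
    prev_counts = Counter(alert_key(a) for a in previous)
    curr_counts = Counter(alert_key(a) for a in current)

    resolved = []
    for key, n_prev in prev_counts.items():
        dropped = n_prev - curr_counts.get(key, 0)
        if dropped > 0:
            resolved.append({"rule": key[0], "file": key[1],
                             "function": key[2], "count": dropped})

    new = []
    for key, n_curr in curr_counts.items():
        added = n_curr - prev_counts.get(key, 0)
        if added > 0:
            new.append({"rule": key[0], "file": key[1],
                        "function": key[2], "count": added})
    return resolved, new


def run_example():
    """Run the analysis over the constructed sample data."""
    previous = alerts_from_csv_text(PREVIOUS_CSV)
    current = alerts_from_csv_text(CURRENT_CSV)
    return differential_alert_analysis(previous, current)


if __name__ == "__main__":
    resolved, new = run_example()
    for r in resolved:
        print(f"candidate fix: {r['rule']} in {r['file']}:{r['function'] or '<module>'} (x{r['count']})")
    for n in new:
        print(f"new alert:     {n['rule']} in {n['file']}:{n['function'] or '<module>'} (x{n['count']})")
```

On the sample data the analysis reports the weak-hash alert and one of the two SQL-injection alerts in `lookup_user` as candidate fixes, leaves the unchanged hard-coded-password alert out, and lists the debug-mode alert as newly introduced. The SQL-injection alert whose line moved from 42 to 44 is correctly treated as the same alert, which is the reason line numbers are excluded from the key. As with any SAST-based signal, a disappeared alert is a candidate, not a confirmed fix: refactoring, deleted code, or a changed tool configuration can also remove alerts, so candidates still need review of the corresponding commit.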

License

DAA is available under the Apache-2.0 License.

  • Apache-2.0 License: See LICENSE file for details.

Cite

@inproceedings{dunlap_finding_2023,
	title = {Finding {Fixed} {Vulnerabilities} with {Off}-the-{Shelf} {Static} {Analysis}},
	isbn = {9781665465120},
	url = {https://ieeexplore.ieee.org/document/10190493/},
	doi = {10.1109/EuroSP57164.2023.00036},
	booktitle = {2023 {IEEE} 8th {European} {Symposium} on {Security} and {Privacy} ({EuroS}\&{P})},
	publisher = {IEEE},
	author = {Dunlap, Trevor and Thorn, Seaver and Enck, William and Reaves, Bradley},
	month = jul,
	year = {2023},
	pages = {489--505},
	address = {Delft, Netherlands},
}
