DOI: 10.1145/3551349.3559534
short-paper
Open access

A transformer-based IDE plugin for vulnerability detection

Published: 05 January 2023

Abstract

Automatic vulnerability detection is of paramount importance to the security of an application and should be exercised at the earliest stages of the software development life cycle (SDLC) to reduce the window of exposure. Despite the advances of state-of-the-art deep learning techniques in software vulnerability detection, development environments do not yet take advantage of them. In this work, we integrate the Transformer architecture, one of the main highlights of recent deep learning advances in Natural Language Processing, into a developer-friendly tool for code security. We introduce VDet for Java, a transformer-based VS Code extension that lets a developer discover vulnerabilities in Java files. Our preliminary model evaluation reports an accuracy of 98.9% for multi-label classification, and the model can detect up to 21 vulnerability types. A demonstration of the tool is available at https://youtu.be/OjiUBQ6TdqE, and the source code and datasets are available at https://github.com/TQRG/VDET-for-Java.
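The abstract reports a single accuracy figure for a multi-label classifier that emits one decision per vulnerability type. For such a classifier, "accuracy" can mean per-label (Hamming) accuracy or exact-match (subset) accuracy, and the two diverge sharply when most labels are negative for most samples. The following is an added illustration, not code from the VDet paper or repository, and it does not reproduce the paper's evaluation: it runs the three common definitions over constructed label matrices with 21 types (the type names are not given on this page and are not assumed here) to show why a practitioner should ask which definition a reported figure uses.

```python
"""Multi-label classification metrics on constructed data (added example).

Each sample is a 0/1 vector with one entry per vulnerability type. The
constructed ground truth below marks exactly one type per sample, which
is the sparse regime where per-label accuracy is easiest to inflate.
"""
from typing import Dict, List, Sequence

NUM_TYPES = 21  # number of vulnerability types, as stated in the abstract

Row = Sequence[int]  # one 0/1 indicator per vulnerability type


def per_label_accuracy(y_true: Sequence[Row], y_pred: Sequence[Row]) -> float:
    """Fraction of (sample, type) cells predicted correctly (Hamming accuracy)."""
    cells = correct = 0
    for t, p in zip(y_true, y_pred):
        for a, b in zip(t, p):
            cells += 1
            correct += int(a == b)
    return correct / cells


def subset_accuracy(y_true: Sequence[Row], y_pred: Sequence[Row]) -> float:
    """Fraction of samples whose whole label vector is exactly right."""
    hits = sum(list(t) == list(p) for t, p in zip(y_true, y_pred))
    return hits / len(y_true)


def micro_f1(y_true: Sequence[Row], y_pred: Sequence[Row]) -> float:
    """F1 over all (sample, type) cells pooled; ignores true negatives."""
    tp = fp = fn = 0
    for t, p in zip(y_true, y_pred):
        for a, b in zip(t, p):
            if a and b:
                tp += 1
            elif b and not a:
                fp += 1
            elif a and not b:
                fn += 1
    denom = 2 * tp + fp + fn
    return 2 * tp / denom if denom else 0.0


def make_sparse_labels(n: int) -> List[List[int]]:
    """Constructed ground truth: sample i has only type (i mod 21) set."""
    return [[1 if j == i % NUM_TYPES else 0 for j in range(NUM_TYPES)]
            for i in range(n)]


def all_clean_predictions(n: int) -> List[List[int]]:
    """Degenerate baseline that never flags anything (constructed)."""
    return [[0] * NUM_TYPES for _ in range(n)]


def miss_every_tenth(y_true: Sequence[Row]) -> List[List[int]]:
    """Constructed predictor: exact on 9 of 10 samples, blank on the rest."""
    return [[0] * NUM_TYPES if i % 10 == 0 else list(row)
            for i, row in enumerate(y_true)]


def evaluate(y_true: Sequence[Row], y_pred: Sequence[Row]) -> Dict[str, float]:
    """Report all three definitions side by side."""
    return {
        "per_label_accuracy": per_label_accuracy(y_true, y_pred),
        "subset_accuracy": subset_accuracy(y_true, y_pred),
        "micro_f1": micro_f1(y_true, y_pred),
    }


if __name__ == "__main__":
    truth = make_sparse_labels(210)
    for name, pred in (("never flags", all_clean_predictions(210)),
                       ("misses 1 in 10", miss_every_tenth(truth))):
        print(name, evaluate(truth, pred))
```

On the constructed data the baseline that never flags anything scores a per-label accuracy of 20/21 (about 95.2%) while its subset accuracy and micro F1 are both zero; a predictor that misses one sample in ten still reaches a per-label accuracy above 99.5% with a subset accuracy of 90%. When reading a multi-label accuracy figure for a vulnerability detector, check which of these definitions it uses and ask for per-type precision and recall alongside it.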

Supplementary Material

MP4 file: "A transformer-based IDE extension for vulnerability detection.mp4" (VDET demonstration video)


Cited By

  • SecureQwen: Leveraging LLMs for vulnerability detection in python codebases. Computers & Security 148 (104151), January 2025. doi:10.1016/j.cose.2024.104151
  • Generative AI for Self-Adaptive Systems: State of the Art and Research Roadmap. ACM Transactions on Autonomous and Adaptive Systems 19(3), 1-60, 30 September 2024. doi:10.1145/3686803
  • A vulnerability detection framework by focusing on critical execution paths. Information and Software Technology 174 (107517), October 2024. doi:10.1016/j.infsof.2024.107517
  • HGE-BVHD. Expert Systems with Applications 238(PC), 27 February 2024. doi:10.1016/j.eswa.2023.121835
  • Towards the Use of Domain Knowledge to Enhance Transformer-Based Vulnerability Detection. Quality of Information and Communications Technology, 373-390, 11 September 2024. doi:10.1007/978-3-031-70245-7_26
  • A Static IDE Plugin to Detect Security Hotspot for Laravel Framework Based Web Application. 2023 IEEE International Conference on Data and Software Engineering (ICoDSE), 1-6, 7 September 2023. doi:10.1109/ICoDSE59534.2023.10291941
  • Exploring Transformers for Multi-Label Classification of Java Vulnerabilities. 2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS), 43-52, December 2022. doi:10.1109/QRS57517.2022.00015

Published In

ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering
October 2022
2006 pages
ISBN:9781450394758
DOI:10.1145/3551349
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Plugin
  2. Transformer
  3. Vulnerability detection

Qualifiers

  • Short-paper
  • Research
  • Refereed limited

Conference

ASE '22

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%

Article Metrics

  • Downloads (Last 12 months)449
  • Downloads (Last 6 weeks)57
Reflects downloads up to 09 Nov 2024

