A Static Analysis Platform for Investigating Security Trends in Repositories

Software Vulnerability Management

Authors: Tim Sonnekalb and Christopher-Tobias Knaust and Bernd Gruner and Clemens-Alexander Brust and Lynn von Kurnatowski and Andreas Schreiber and Thomas S. Heinze and Patrick Mäder

Abstract: Static analysis tools come in many forms and configurations, which allow them to address various tasks in a (secure) development process: code style linting, bug/vulnerability detection, verification, etc., and to adapt to the specific requirements of a software project and thus reduce the number of false positives. The wide range of configuration options represents a hurdle to their use by software developers, since the tools cannot be used out-of-the-box. However, static analysis tools only deliver their full benefit if they are integrated into the software development workflow and used regularly. Vulnerability management should be integrated via the version history, e.g. to identify hotspots. We present an analysis platform integrating several SAST tools that allows Git-based repositories to continuously monitor warnings across their version history. The framework is easily extensible with other tools and programming languages. We provide a visualization component in the form of a dashboard to display security trends and hotspots. Our tool can also be used to create a database of security alerts at scale that is well suited for machine learning applications such as bug or vulnerability detection.
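The core of such a platform is normalizing the heterogeneous output of several SAST tools into one schema and aggregating it over the commit history. The following is an added illustration written for this page, not the authors' platform code; the two tool names, their output fields and the three-commit history are constructed assumptions.

```python
# Aggregate per-commit SAST findings into a warning trend and file hotspots.
from collections import Counter, defaultdict

# Constructed sample: raw findings from two hypothetical SAST tools ("toolA",
# "toolB"), each with its own output schema, collected once per commit,
# oldest commit first. None of this is real tool output.
RAW_RUNS = [
    {"commit": "c1", "tool": "toolA", "findings": [
        {"path": "src/auth.c", "check": "strcpy-unbounded", "line": 40},
        {"path": "src/net.c", "check": "fmt-string", "line": 12}]},
    {"commit": "c1", "tool": "toolB", "findings": [
        {"file": "src/auth.c", "rule_id": "CWE-121", "severity": "high"}]},
    {"commit": "c2", "tool": "toolA", "findings": [
        {"path": "src/auth.c", "check": "strcpy-unbounded", "line": 41},
        {"path": "src/auth.c", "check": "int-overflow", "line": 77}]},
    {"commit": "c2", "tool": "toolB", "findings": [
        {"file": "src/auth.c", "rule_id": "CWE-121", "severity": "high"},
        {"file": "src/auth.c", "rule_id": "CWE-190", "severity": "medium"}]},
    {"commit": "c3", "tool": "toolA", "findings": [
        {"path": "src/auth.c", "check": "int-overflow", "line": 77}]},
    {"commit": "c3", "tool": "toolB", "findings": []},
]

def normalize(run):
    """Map each tool's schema onto one common (commit, tool, file, rule) record."""
    for f in run["findings"]:
        path = f.get("path") or f.get("file")      # toolA uses "path", toolB "file"
        rule = f.get("check") or f.get("rule_id")  # toolA uses "check", toolB "rule_id"
        yield {"commit": run["commit"], "tool": run["tool"], "file": path, "rule": rule}

def warning_trend(runs):
    """Total warnings per commit, in history order: the dashboard's trend line."""
    trend = defaultdict(int)
    for run in runs:
        for _ in normalize(run):
            trend[run["commit"]] += 1
    return dict(trend)

def hotspots(runs, top=3):
    """Files ranked by the number of warnings they carried across the whole history."""
    counts = Counter(rec["file"] for run in runs for rec in normalize(run))
    return counts.most_common(top)

def persistent_rules(runs):
    """(file, rule) pairs flagged in more than one commit: likely unresolved issues."""
    seen = defaultdict(set)
    for run in runs:
        for rec in normalize(run):
            seen[(rec["file"], rec["rule"])].add(rec["commit"])
    return sorted(k for k, commits in seen.items() if len(commits) > 1)
```

A real deployment would fill `RAW_RUNS` by checking out each revision and running the tools, then persist the normalized records as the alert database the abstract describes.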