CPC G06F 21/577 (2013.01) [G06F 21/54 (2013.01); G06F 2221/033 (2013.01)]
20 Claims

1. A computer system, comprising:
one or more processors;
one or more machine-readable media coupled to the one or more processors and storing computer program code comprising sets of instructions executable by the one or more processors to:
obtain source code for a software application, the source code including a plurality of functions having one or more inputs and one or more outputs;
inject print statements into the source code for each of the one or more inputs and the one or more outputs to obtain injection-modified source code;
obtain two or more sets of first vulnerability findings from two or more respective static analysis tools run against the injection-modified source code, the static analysis tools including a first static analysis tool and a second static analysis tool;
determine that the first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function based on a first set of the first vulnerability findings from the first static analysis tool;
determine that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on a second set of the first vulnerability findings from the second static analysis tool;
modify the injection-modified source code to include an assignment of the input to the output to obtain stitch-modified source code; and
obtain two or more sets of second vulnerability findings from the two or more respective static analysis tools run against the stitch-modified source code, the two or more sets of second vulnerability findings including new vulnerability findings not in the two or more sets of first vulnerability findings.
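The two decision elements and the stitch step of claim 1 in working form, as an added example that is not part of the patent: the per-tool findings and the sample function are constructed inline, the tool labels and the `_stitched` variable name are assumptions, and the print-injection and re-analysis steps are not shown.

```python
import ast

# Constructed findings from two static analysis tools: function -> which
# inputs the tool saw tainted, and whether it saw taint reach the return.
FINDINGS_TOOL_A = {"sanitize": {"inputs": {"value"}, "return": True}}
FINDINGS_TOOL_B = {"sanitize": {"inputs": {"value"}, "return": False}}

# Constructed sample: tool B's model of str.strip() drops taint here,
# so tool B sees taint enter `value` but never reach the return value.
SAMPLE_SOURCE = '''
def sanitize(value):
    cleaned = value.strip()
    return cleaned
'''


def stitch_candidates(tool_a, tool_b):
    """(function, input) pairs where tool A reports input -> return flow
    but tool B reports taint reaching the input and stopping there."""
    pairs = []
    for fn, a in tool_a.items():
        b = tool_b.get(fn)
        if a["return"] and b is not None and not b["return"]:
            pairs.extend((fn, inp) for inp in sorted(a["inputs"] & b["inputs"]))
    return pairs


class _ReturnStitcher(ast.NodeTransformer):
    """Rewrite every `return <expr>` of one function into an explicit
    assignment of the input to the output, followed by returning it."""

    def __init__(self, input_name):
        self.input_name = input_name

    def visit_FunctionDef(self, node):
        return node  # do not descend into nested functions

    def visit_Return(self, node):
        assign = ast.parse(f"_stitched = {self.input_name}").body[0]
        return [assign, ast.Return(value=ast.Name("_stitched", ast.Load()))]


def stitch_source(source, function, input_name):
    """Return stitch-modified source for one (function, input) pair."""
    tree = ast.parse(source)
    for node in tree.body:
        if isinstance(node, ast.FunctionDef) and node.name == function:
            _ReturnStitcher(input_name).generic_visit(node)
    return ast.unparse(ast.fix_missing_locations(tree))


if __name__ == "__main__":
    for fn, inp in stitch_candidates(FINDINGS_TOOL_A, FINDINGS_TOOL_B):
        print(stitch_source(SAMPLE_SOURCE, fn, inp))
```

The stitched source is meant only to be fed back to the analysis tools, not executed, since the rewrite deliberately changes the function's return value.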