| CPC G06F 21/577 (2013.01) [G06F 21/6218 (2013.01); G06F 21/552 (2013.01); G06F 21/565 (2013.01); G06F 21/70 (2013.01)] | 20 Claims |

1. A computer-implemented method comprising:
    selecting a package in a software project;
    determining a set of dependencies in the package based on:
        resolving direct dependencies in the package; and
        resolving indirect dependencies in the package;
    generating a partial call graph for each dependency in the set of dependencies to create a set of partial call graphs;
    storing the set of partial call graphs in a partial call graph cache;
    based on determining that a particular dependency in the set of dependencies is not included in the partial call graph cache, creating and storing a partial analysis result in the partial call graph cache, the partial analysis result including one or more partial call graphs associated with the particular dependency, including static call sites found in bytecode and a type hierarchy that includes types, parent types, and associated components declared in the particular dependency;
    based on determining that the particular dependency in the set of dependencies is included in the partial call graph cache, requesting the partial analysis result from the set of partial call graphs;
    merging individual type hierarchies to build a global type hierarchy, wherein the individual type hierarchies are derived from the partial analysis result;
    stitching together the set of partial call graphs to create a complete call graph of the package;
    determining unreachable code in the package based on the complete call graph of the package;
    determining a set of upgrade candidates for the particular dependency in the set of dependencies;
    based on determining that a number of upgrade candidates in the set of upgrade candidates is greater than a predetermined threshold, selecting a subset of the upgrade candidates;
    selecting an upgrade candidate in the subset of upgrade candidates;
    determining issues associated with upgrading the package to use the upgrade candidate, including:
        determining security vulnerabilities based on the complete call graph;
        determining a number of vulnerabilities addressed by upgrading the package to use the upgrade candidate; and
        determining a severity of vulnerabilities addressed by upgrading the package to use the upgrade candidate;
    determining a risk-benefit score associated with each upgrade candidate in the subset of the upgrade candidates;
    prioritizing each of the upgrade candidates in the subset of the upgrade candidates based on the associated risk-benefit score to create a prioritized subset of the upgrade candidates; and
    providing, via a display device, the prioritized subset of the upgrade candidates to a developer associated with the package.
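The method of claim 1 reduced to a runnable sketch, as an added example that is not code from the patent: a per-dependency partial call graph cache, stitching into a complete call graph, reachability analysis that separates unreachable code, and a risk-benefit ranking of upgrade candidates that credits only vulnerabilities the package actually reaches. The package names, call edges, severities and the numeric upgrade_risk term are constructed assumptions; the page does not define how the risk side of the score is computed.

```python
from collections import deque
PARTIAL_CACHE = {}  # partial call graph cache keyed by dependency name (constructed here)

def partial_call_graph(dep, edges):
    """Return dep's partial graph {caller: [callees]}, built only on a cache miss."""
    if dep not in PARTIAL_CACHE:
        PARTIAL_CACHE[dep] = {caller: list(callees) for caller, callees in edges.items()}
    return PARTIAL_CACHE[dep]

def stitch(partial_graphs):
    """Stitch partial graphs into the complete call graph of the package."""
    complete = {}
    for graph in partial_graphs:
        for caller, callees in graph.items():
            complete.setdefault(caller, []).extend(callees)
    return complete

def reachable(graph, roots):
    """Functions reachable from the entry points; anything else is unreachable code."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def prioritize_upgrades(reached, vulns, candidates, threshold=2):
    """Rank candidates by risk-benefit score. vulns: {function: severity}; candidates:
    {version_tuple: (fixed_functions, upgrade_risk)}; upgrade_risk is an assumed breakage cost."""
    versions = sorted(candidates, reverse=True)
    if len(versions) > threshold:  # too many candidates: keep only the newest ones
        versions = versions[:threshold]
    ranked = []
    for v in versions:
        fixed, risk = candidates[v]
        addressed = {f: vulns[f] for f in fixed if f in vulns and f in reached}  # reachable only
        ranked.append((sum(addressed.values()) - risk, v, len(addressed)))
    return sorted(ranked, reverse=True)
def demo():
    """Constructed package 'app' using 'libjson' and 'libnet'; returns (reached, ranking)."""
    graphs = [partial_call_graph("app", {"app.main": ["libjson.parse", "libnet.get"]}),
              partial_call_graph("libjson", {"libjson.parse": ["libjson.decode"],
                                             "libjson.dump": ["libjson.encode"]}),
              partial_call_graph("libnet", {"libnet.get": ["libnet.connect"]})]
    reached = reachable(stitch(graphs), ["app.main"])
    vulns = {"libjson.decode": 9, "libjson.encode": 7}  # constructed severities
    candidates = {(1, 1): ({"libjson.encode"}, 1), (1, 2): ({"libjson.decode"}, 1),
                  (2, 0): ({"libjson.decode", "libjson.encode"}, 6)}
    return reached, prioritize_upgrades(reached, vulns, candidates)
```

Version 2.0 fixes two known-vulnerable functions but only one is reachable, so the cheaper 1.2 upgrade outranks it; the encode flaw in the unreachable dump path adds no benefit.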