Vulnerable Source Code Detection using SonarCloud Code Analysis
Alifia Puspaningrum, Muhammad Anis Al Hilmi, Darsih, Muhamad, Mustamiin, Maulana Ilham Ginanjar

TL;DR
This paper uses metrics from SonarCloud code analysis to train machine learning models that flag potentially vulnerable files, aiming at earlier detection with fewer false alerts. The target is UMI, a Point of Sale application for micro, small and medium enterprises.
Contribution
It evaluates how well machine learning models trained on SonarCloud metrics detect vulnerabilities in the UMI application, an approach not previously applied in this context.
Findings
SonarCloud flagged 3,285 vulnerability rule violations in the analyzed code
Machine learning models trained on the resulting metrics were able to identify vulnerable code
SonarCloud metrics are a suitable feature set for vulnerability detection
Abstract
In the Software Development Life Cycle (SDLC), security vulnerabilities are among the defects introduced during the construction stage. Failing to detect software defects before the product reaches the market raises repair costs for the company, damages its reputation, violates user privacy, and can leave the application with issues that cannot be repaired. Vulnerability detection reduces the number of false alerts so that limited testing effort can be focused on potentially vulnerable files. UMKM Masa Kini (UMI) is a Point of Sale application for selling the products of Micro, Small, and Medium Enterprises (UMKM). In the current work, we therefore analyze the suitability of code metrics for building machine learning based software vulnerability detectors for the UMI application. The code metrics are generated with a commercial tool, SonarCloud. Experimental result…
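As an added example, not code from the paper or from the UMI project, the following is a minimal form of the pipeline the abstract describes: per-file SonarCloud metrics are used as features, a logistic-regression detector is trained on files labelled from an earlier scan, and the files in a fresh scan are scored. It is pure Python so it runs offline. The metric keys, the shape of the `api/measures/component_tree` response, every file row and the `umi:` project key are assumptions and constructed data, not the paper's dataset.

```python
import json
import math

# SonarCloud metric keys used as per-file features (assumed here; confirm against
# your instance's api/metrics/search).
METRICS = ["ncloc", "complexity", "cognitive_complexity",
           "code_smells", "bugs", "duplicated_lines_density"]

# Constructed training data: (file path, metrics in METRICS order, label).
# label 1 = the file carried a VULNERABILITY finding in an earlier scan, 0 = it did not.
TRAINING_ROWS = [
    ("src/checkout.py", [420, 58, 71, 23, 4, 12.5], 1),
    ("src/payment.py",  [380, 49, 63, 19, 3, 9.8], 1),
    ("src/auth.py",     [310, 41, 55, 17, 5, 6.1], 1),
    ("src/report.py",   [500, 66, 80, 27, 2, 15.0], 1),
    ("src/utils.py",    [90, 8, 6, 2, 0, 0.0], 0),
    ("src/models.py",   [140, 12, 10, 3, 0, 1.2], 0),
    ("src/config.py",   [60, 4, 3, 1, 0, 0.0], 0),
    ("src/views.py",    [180, 16, 14, 5, 1, 2.0], 0),
]

# Constructed payload in the shape of GET api/measures/component_tree?component=<project>
# &metricKeys=... (shape assumed from the public SonarCloud API; FIL = file, DIR = directory).
SAMPLE_SCAN = json.loads("""{"components": [
 {"key": "umi:src", "qualifier": "DIR", "path": "src", "measures": []},
 {"key": "umi:src/orders.py", "qualifier": "FIL", "path": "src/orders.py", "measures": [
  {"metric": "ncloc", "value": "400"}, {"metric": "complexity", "value": "52"},
  {"metric": "cognitive_complexity", "value": "67"}, {"metric": "code_smells", "value": "20"},
  {"metric": "bugs", "value": "4"}, {"metric": "duplicated_lines_density", "value": "10.0"}]},
 {"key": "umi:src/const.py", "qualifier": "FIL", "path": "src/const.py", "measures": [
  {"metric": "ncloc", "value": "50"}, {"metric": "complexity", "value": "3"},
  {"metric": "cognitive_complexity", "value": "2"}, {"metric": "code_smells", "value": "0"},
  {"metric": "bugs", "value": "0"}, {"metric": "duplicated_lines_density", "value": "0.0"}]}
]}""")

def features_from_component_tree(payload):
    """Turn a component_tree response into {file path: metric vector}; skips directories."""
    out = {}
    for comp in payload["components"]:
        if comp.get("qualifier") != "FIL":
            continue
        values = {m["metric"]: float(m["value"]) for m in comp["measures"]}
        out[comp["path"]] = [values.get(name, 0.0) for name in METRICS]
    return out

def fit_scaler(rows):
    """Return a standardizer using mean/std of the training rows (std floored to avoid /0)."""
    n = len(rows[0])
    means = [sum(r[j] for r in rows) / len(rows) for j in range(n)]
    stds = [max(1e-9, math.sqrt(sum((r[j] - mu) ** 2 for r in rows) / len(rows)))
            for j, mu in enumerate(means)]
    return lambda x: [(v - mu) / sd for v, mu, sd in zip(x, means, stds)]

def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # clamp so exp() cannot overflow on large margins
    return 1.0 / (1.0 + math.exp(-z))

def train_logistic(X, y, lr=0.1, epochs=3000):
    """Batch gradient descent for logistic regression; returns (weights, bias)."""
    n, m = len(X[0]), len(X)
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            for j in range(n):
                gw[j] += err * xi[j]
            gb += err
        w = [wj - lr * g / m for wj, g in zip(w, gw)]
        b -= lr * gb / m
    return w, b

def predict_proba(model, x):
    w, b = model
    return sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b)

def confusion(model, X, y, threshold=0.5):
    """Confusion counts plus accuracy and false-positive rate (the paper's false-alert concern)."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for xi, yi in zip(X, y):
        flagged = predict_proba(model, xi) >= threshold
        counts[("t" if flagged == bool(yi) else "f") + ("p" if flagged else "n")] += 1
    counts["accuracy"] = (counts["tp"] + counts["tn"]) / len(y)
    counts["fpr"] = counts["fp"] / max(1, counts["fp"] + counts["tn"])
    return counts

def run_pipeline():
    """Train on TRAINING_ROWS, then score every file in SAMPLE_SCAN."""
    raw, y = [r[1] for r in TRAINING_ROWS], [r[2] for r in TRAINING_ROWS]
    scale = fit_scaler(raw)
    X = [scale(x) for x in raw]
    model = train_logistic(X, y)
    scores = {path: round(predict_proba(model, scale(vec)), 3)
              for path, vec in features_from_component_tree(SAMPLE_SCAN).items()}
    return {"training": confusion(model, X, y), "scan_scores": scores}

if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

Two practical points the toy data hides: the labels must come from a source independent of the features (a later scan, triaged findings, or a fixed CVE), otherwise the model only relearns SonarCloud's own rules; and the false-positive rate that matters is the one measured on files the model never saw, not the training figure returned here.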
Taxonomy
Topics: Software Engineering Research · Advanced Malware Detection Techniques · Software Reliability and Analysis Research
