Scalable Defect Detection via Traversal on Code Graph

TL;DR

This paper introduces QVoG, a scalable graph-based static analysis platform that uses compressed code property graphs and machine learning to efficiently detect defects in large codebases, significantly improving analysis speed.

Contribution

The paper presents QVoG, a novel platform that enhances defect detection scalability and efficiency through compressed CPGs and a declarative query language, integrating machine learning for better generality.

Findings

QVoG analyzes 1 million lines of code in ~15 minutes.

QVoG outperforms CodeQL in analysis speed.

Compressed CPGs reduce memory and improve query efficiency.

Abstract

Detecting defects and vulnerabilities in the early stage has long been a challenge in software engineering. Static analysis, a technique that inspects code without execution, has emerged as a key strategy to address this challenge. Among recent advancements, the use of graph-based representations, particularly Code Property Graph (CPG), has gained traction due to its comprehensive depiction of code structure and semantics. Despite the progress, existing graph-based analysis tools still face performance and scalability issues. The main bottleneck lies in the size and complexity of CPG, which makes analyzing large codebases inefficient and memory-consuming. Also, query rules used by the current tools can be over-specific. Hence, we introduce QVoG, a graph-based static analysis platform for detecting defects and vulnerabilities. It employs a compressed CPG representation to maintain a reasonable graph size, thereby enhancing the overall query efficiency. Based on the CPG, it also offers a declarative query language to simplify the queries. Furthermore, it takes a step forward to integrate machine learning to enhance the generality of vulnerability detection. For projects consisting of 1,000,000+ lines of code, QVoG can complete analysis in approximately 15 minutes, as opposed to 19 minutes with CodeQL.