QLPro: Automated Code Vulnerability Discovery via LLM and Static Code Analysis Integration
Junze Hu, Xiangyu Jin, Yizhe Zeng, Yuling Liu, Yunpeng Li, Dan Du, Kaiyu Xie, Hongsong Zhu

TL;DR
QLPro is a novel framework that combines large language models and static analysis to improve vulnerability detection in open-source code, identifying more vulnerabilities including new zero-day exploits.
Contribution
It introduces QLPro, integrating LLMs with static analysis, and provides a new dataset, JavaTest, to evaluate vulnerability detection capabilities.
Findings
QLPro detects more vulnerabilities than CodeQL.
QLPro identified 6 previously unknown vulnerabilities.
2 of the discovered vulnerabilities are confirmed zero-days.
Abstract
We introduce QLPro, a vulnerability detection framework that systematically integrates LLMs and static analysis tools to enable comprehensive vulnerability detection across entire open-source projects. We constructed a new dataset, JavaTest, comprising 10 open-source projects from GitHub with 62 confirmed vulnerabilities. CodeQL, a state-of-the-art static analysis tool, detected only 24 of these vulnerabilities, while QLPro detected 41. Furthermore, QLPro discovered 6 previously unknown vulnerabilities, 2 of which have been confirmed as 0-days.
Taxonomy
Topics: Web Application Security Vulnerabilities · Software Reliability and Analysis Research · Software Engineering Research
