Skip to content
GitLab

Vulnerability Prediction (VP) · Changes

Page history
Update Vulnerability Prediction (VP) authored by Ilias's avatar Ilias
Hide whitespace changes
Inline Side-by-side
Vulnerability-Prediction-(VP).md
View page @ 380255ee
......@@ -32,4 +32,108 @@ python vp_service.py
Subsequently, information is provided on how to utilize the VP tool.
# Usage
# Execution of the VP model (as a Microservice)
In this section, we describe how the VP model can be used as an individual Microservice. More specifically, we describe how the analysis service can be invoked, whereas intuitive examples are also provided, in an attempt to facilitate understanding.
## Execution of the Docker Container
Having the VP Container already deployed on your local machine, it can be started, paused, and stopped using common Docker commands. For your convenience, some indicative commands are provided in this section. First of all, in order to start the Vulnerability Prediction docker container, you need to execute the following commands on your terminal:
~~~
sudo docker start vp-tool
sudo docker exec -it vp-tool bash
~~~
and then inside the running Container execute the following command:
~~~
python vp_service.py
~~~
In order to stop the VP container, you need to execute the following command:
~~~
sudo docker stop vp-tool
~~~
## Invocation of the individual service (API)
After starting the Docker Container of the VP back-end, its web services are up and running. The VP is accessible through the following end point:
~~~
<local_IP>:<defined_port>/DependabilityToolbox/VulnerabilityPrediction
~~~
where the <local_IP> is the IP of the local machine on which the Dependability Toolbox Docker Container has been deployed, whereas the <defined_port> is the port of the server that is defined by the user during the installation. In the following, a more detailed description of how the main analysis service can be used is provided.
### Vulnerability Prediction Service
The *Vulnerability Prediction (VP)* web service allows the user to detect vulnerable hot-spots of software applications written in Java, C, and C++ programming languages. This is achieved through a dedicated API exposed by the RESTful web server, which is, in fact, a simple HTTP GET request. Several inputs need to be provided as parameters to this request. These parameters are listed below:
| Parameter | Description | Required | Valid Inputs |
|:------------:|:---------------------------------------------------------------:|:--------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|
| project | The URL of the software project that should be analyzed. | Yes | Any valid URL that points to an existing online Git repository (e.g., GitHub, GitLab, Bitbucket, etc.). |
| language | The programming language of the software project that needs to be analyzed. | Yes | One of the following string values: : <br/>·“java” if the selected software project is written in Java programming language. <br/> ·“cpp” if the selected software project is written in C/C++ programming language. <br/> Default value is "java". |
It should be noted that cases when the selected software project is private (i.e., proprietary), the credentials of the user need to be provided to the submitted request in the form of a Basic Authentication header. In order to ensure confidentiality, HTTPS is used for such private projects.
The output of the *Vulnerability Prediction* web service is a JSON file with the vulnerability report, which actually contains:
- the names of the analyzed source code files of the application
- their vulnerability status as produced by the applied model (i.e., 1 if they are potentially vulnerable and 0 if they are potentially clean/neutral), and
- the probability of containing vulnerabilities
For better understanding, an example is presented in the following demonstrating how the *Vulnerability Prediction* web service can be invoked through a curl command for assessing the security of a software project. In the given example, a simple [HelloWorldCompiled]() Java Project that it is available on GitHub is used.
In brief, we want to analyze the HelloWorldCompiled project, with the purpose to identify potential security hotspots that it may contain. Hence, in the parameters we set the following:
- **project:** https://github.com/siavvasm/HelloWorldJavaCompiled (the GitHub URL of the project)
- **language:** java (because it is a Java project)
Hence, the following HTTP GET Request needs to be submitted:
```
http://160.40.52.130:5002/DependabilityToolbox/VulnerabilityPrediction?project=https://github.com/siavvasm/HelloWorldJavaCompiled&lang=java
```
After submitting the request, the *Vulnerability Prediction* service in invoked and the selected project is analyzed. In brief, the service selects the Deep Learning Model for the specified programming language, and performs text mining in order to produce vectors with sequences of embedded tokens (i.e., words) for each one of the source code files of the project. Subsequently, these vectors are passed as input to the selected Deep Learning Model, which computes the likelihood of vulnerability and classifies the corresponding file as potentially vulnerble or clean/neutral. After the successful execution of the analysis, a JSON report with the results is produced and sent as a response to the user. The produced JSON for the *HelloWorldCompiled* project is presented below:
```
{
"project_name": "HelloWorldJavaCompiled",
"date": "2020-05-07__10:17:31",
"commit": "50ae163281564f0b96325ccc4915e74587cd4dc3",
"results": [
{
"class_name": "AppTest.java",
"path": "/opt/apache-tomcat-8.0.53/bin/gitRepo/HelloWorldJavaCompiled_285206122_1588846649600/src/test/java/miltos/diploma",
"package": "/src/test/java/miltos/diploma",
"is_vulnerable": 0,
"sigmoid": 0.05907478556036949,
"confidence": "92.6157 %"
},
{
"class_name": "App.java",
"path": "/opt/apache-tomcat-8.0.53/bin/gitRepo/HelloWorldJavaCompiled_285206122_1588846649600/src/main/java/miltos/diploma",
"package": "/src/main/java/miltos/diploma",
"is_vulnerable": 0,
"sigmoid": 0.12370146811008453,
"confidence": "84.5373 %"
}
]
}
```
As can be seen from the above fragment, the JSON report comprises an array named “results”, which contains several JSON Objects. Each one of these JSON Objects contains relevant information for each source code file of the analyzed application. More specifically, it contains the following entries:
- **class_name:** The name of the source code file to which this JSON Object refers.
- **path:** The exact path of the source code file to which this JSON Object refers.
- **package:** The package of the source code file to which this JSON Object refers.
- **is_vulnerable:** The vulnerability status of the corresponding source code file. It takes two possible values, i.e., 0 if the model decides that the source code file is potentially clean, and 1 if the model decides that the source code file is potentially vulnerable.
- **sigmoid:** The actual output of the neural network. It corresponds to the probability of the source code file to be vulnerable. This value is actually used by the model in order to define the vulnerability status of the corresponding source code file (i.e., the value of the “is_vulnerable” entry of the corresponding JSON Object).