Abstract: A method may include obtaining, for an application, application dependency specifications, identifying vulnerable components using the application dependency specifications and a list of known vulnerable components, selecting, for a vulnerable component, candidate dependency specifications each specifying a version ID for a component, selecting, for a candidate dependency specification, an upgraded version ID for a component, verifying, using an application dependency graph generated from the application dependency specifications, that upgrading the candidate dependency specification to the upgraded version ID removes a dependency on the vulnerable component, and recommending, for the application, an upgrade solution including upgrading the candidate dependency specification to the upgraded version ID.

Abstract: A method for executing a second-order taint analysis on library code may include generating, by executing a first-order taint analysis on the library code starting at a sink, a first execution path from a load instruction to the sink. The load instruction may perform: reading a first value using a first global identifier. The method may further include determining a store instruction by matching the load instruction and the store instruction. The store instruction may perform: writing a second value using a second global identifier. The method may further include, generating a second execution path from the store instruction to the load instruction, generating, by executing the first-order taint analysis on the library code starting at the store instruction, a third execution path from an entry point to the store instruction, and forming a potential second-order taint flow by joining the first, second, and third execution paths.

Abstract: A method for detecting a defect may include extracting, from application code and using a framework support specification corresponding to a framework, a framework interaction between the application code and the framework. The framework interaction specifies an object used by the application code and managed by the framework. The method may further include performing, using the framework interaction, a dynamic analysis of the application code to obtain a heap snapshot, performing, using the heap snapshot and the framework interaction, a static analysis of the application code, and detecting, by the static analysis, the defect.

Abstract: A method may include extracting, from an instruction of a function in source code, (i) a left-hand side (LHS) access path including a first variable and a first sequence of fields and (ii) a right-hand side (RHS) access path including a second variable and a second sequence of fields, determining, using an incoming access path, an outgoing access path for the instruction, determining that the incoming access path subsumes the LHS access path, generating a specialized outgoing access path by appending a field of the LHS access path to the outgoing access path, determining, using the specialized outgoing access path, that an entry access path of the function is reachable from an exit access path of the function, in response to determining that the entry access path is reachable from the exit access path, identifying a potential taint flow from the entry access path to the exit access path.

Abstract: A method for executing a second-order taint analysis on library code may include generating, by executing a first-order taint analysis on the library code starting at a sink, a first execution path from a load instruction to the sink. The load instruction may perform: reading a first value using a first global identifier. The method may further include determining a store instruction by matching the load instruction and the store instruction. The store instruction may perform: writing a second value using a second global identifier. The method may further include, generating a second execution path from the store instruction to the load instruction, generating, by executing the first-order taint analysis on the library code starting at the store instruction, a third execution path from an entry point to the store instruction, and forming a potential second-order taint flow by joining the first, second, and third execution paths.

Abstract: A method may include extracting, from an instruction of a function in source code, (i) a left-hand side (LHS) access path including a first variable and a first sequence of fields and (ii) a right-hand side (RHS) access path including a second variable and a second sequence of fields, determining, using an incoming access path, an outgoing access path for the instruction, determining that the incoming access path subsumes the LHS access path, generating a specialized outgoing access path by appending a field of the LHS access path to the outgoing access path, determining, using the specialized outgoing access path, that an entry access path of the function is reachable from an exit access path of the function, in response to determining that the entry access path is reachable from the exit access path, identifying a potential taint flow from the entry access path to the exit access path.

Abstract: A method may include generating, by performing a full analysis of code and for each component of the code, summaries including: (i) a forward summary including a forward flow and (ii) a backward summary including a backward flow, obtaining a modification to a modified component, determining that one of the summaries for the modified component is invalid, and in response to determining that a summary for the modified component is invalid: obtaining the forward flow from the forward summary of the modified component, obtaining the backward flow from the backward summary of the modified component, generating a local flow by performing an incremental analysis of the modified component using the forward flow of the modified component and the backward flow of the modified component, and detecting a defect in the code using the forward flow of the modified component, the local flow, and the backward flow of the modified component.

Abstract: A method may include dividing code into trusted and untrusted components, and identifying a dynamic invocation in a first component of the code. The first component may be an untrusted component. The method may further include extracting dynamic information from the dynamic invocation, and identifying, using the dynamic information and metadata describing a dynamic behavior of the code, a target for the dynamic invocation. The target may correspond to a second component of the code. The method may further include determining that the target matches the dynamic invocation, and in response to determining that the target matches the dynamic invocation, adding, to a call graph generated from the code, an edge from the dynamic invocation to the target.

Abstract: A method for detecting a defect may include extracting, from application code and using a framework support specification corresponding to a framework, a framework interaction between the application code and the framework. The framework interaction specifies an object used by the application code and managed by the framework. The method may further include performing, using the framework interaction, a dynamic analysis of the application code to obtain a heap snapshot, performing, using the heap snapshot and the framework interaction, a static analysis of the application code, and detecting, by the static analysis, the defect.

Abstract: A method may include generating, by performing a full analysis of code and for each component of the code, summaries including: (i) a forward summary including a forward flow and (ii) a backward summary including a backward flow, obtaining a modification to a modified component, determining that one of the summaries for the modified component is invalid, and in response to determining that a summary for the modified component is invalid: obtaining the forward flow from the forward summary of the modified component, obtaining the backward flow from the backward summary of the modified component, generating a local flow by performing an incremental analysis of the modified component using the forward flow of the modified component and the backward flow of the modified component, and detecting a defect in the code using the forward flow of the modified component, the local flow, and the backward flow of the modified component.

Abstract: A method may include generating, by performing a full analysis of code and for each component of the code, summaries including: a forward summary including a forward flow, and a backward summary including a backward flow, obtaining a modification to a modified component, determining that one of the summaries for the modified component is invalid, and in response to determining that a summary for the modified component is invalid: obtaining the forward flow from the forward summary of the modified component, obtaining the backward flow from the backward summary of the modified component, generating a local flow by performing an incremental analysis of the modified component using the forward flow of the modified component and the backward flow of the modified component, and detecting a defect in the code using the forward flow of the modified component, the local flow, and the backward flow of the modified component.

Abstract: A method may include generating, by performing a full analysis of code and for each component of the code, summaries including: (i) a forward summary including a forward flow and (ii) a backward summary including a backward flow, obtaining a modification to a modified component, determining that one of the summaries for the modified component is invalid, and in response to determining that a summary for the modified component is invalid: obtaining the forward flow from the forward summary of the modified component, obtaining the backward flow from the backward summary of the modified component, generating a local flow by performing an incremental analysis of the modified component using the forward flow of the modified component and the backward flow of the modified component, and detecting a defect in the code using the forward flow of the modified component, the local flow, and the backward flow of the modified component.

Abstract: A method may include generating, for a concurrent application, an execution trace that includes operations, extracting actor pairs from the execution trace, assigning each of the operations to an actor pair, and generating vector clocks for the operations. Each vector clock may include a clock value for each of the actor pairs.

Abstract: A method may include obtaining a concurrent application including processes, each including operations, and obtaining an initial hybrid timestamp for an initial operation of a process. The initial hybrid timestamp may include a vector list timestamp including vector clocks, each including a clock value for each of the processes. The method may further include determining a synchronization category for a next operation of the process, and in response to the synchronization category indicating that the next operation does not require inter-process synchronization, generating a next hybrid timestamp for the next operation. The next hybrid timestamp may include a differential timestamp relative to the initial hybrid timestamp.

Abstract: A method may include dividing code into trusted and untrusted components, and identifying a dynamic invocation in a first component of the code. The first component may be an untrusted component. The method may further include extracting dynamic information from the dynamic invocation, and identifying, using the dynamic information and metadata describing a dynamic behavior of the code, a target for the dynamic invocation. The target may correspond to a second component of the code. The method may further include determining that the target matches the dynamic invocation, and in response to determining that the target matches the dynamic invocation, adding, to a call graph generated from the code, an edge from the dynamic invocation to the target.

Abstract: A method may include generating, for a concurrent application, an execution trace that includes operations, extracting actor pairs from the execution trace, assigning each of the operations to an actor pair, and generating vector clocks for the operations. Each vector clock may include a clock value for each of the actor pairs.

Abstract: A method may include obtaining a concurrent application including processes, each including operations, and obtaining an initial hybrid timestamp for an initial operation of a process. The initial hybrid timestamp may include a vector list timestamp including vector clocks, each including a clock value for each of the processes. The method may further include determining a synchronization category for a next operation of the process, and in response to the synchronization category indicating that the next operation does not require inter-process synchronization, generating a next hybrid timestamp for the next operation. The next hybrid timestamp may include a differential timestamp relative to the initial hybrid timestamp.

Abstract: In general, in one aspect, the invention relates to a method for statically analyzing a library that includes obtaining native method annotations associated with native methods invoked by the library and extracting facts corresponding to the library from the library to obtain library facts. The library is written in a first programming language. The method also includes constructing a type-object lattice, modeling an abstracted heap using the type-object lattice, expressing abstracted heap update operations as heap update rules, and constructing, based on the library, a most general application (MGA) for the library. The method additionally includes analyzing the library using the native method annotations, the library facts, the MGA, the abstracted heap, and the heap update rules to obtain results, storing the results of the analysis, and performing an action based on the results.

Abstract: In general, in one aspect, the invention relates to a method for statically analyzing a library that includes obtaining native method annotations associated with native methods invoked by the library and extracting facts corresponding to the library from the library to obtain library facts. The library is written in a first programming language. The method also includes constructing a type-object lattice, modeling an abstracted heap using the type-object lattice, expressing abstracted heap update operations as heap update rules, and constructing, based on the library, a most general application (MGA) for the library. The method additionally includes analyzing the library using the native method annotations, the library facts, the MGA, the abstracted heap, and the heap update rules to obtain results, storing the results of the analysis, and performing an action based on the results.