Abstract: Code changes may be hierarchically clustered to discover coding practices. Code change graphs for changes to code in a source code repository may be clustered according to hierarchy of different features determined for the source code into groups. The code change graphs in the groups may then be indexed according their similarity with other code change graphs in the groups. Then one or more coding practices corresponding to the indexed code changes may be provided.

Abstract: Techniques for analyzing code are described. In some instances, a code analysis service is implemented by one or more electronic devices, the code analysis service including instructions that upon execution cause the code analysis service to: perform a program analysis to mine a code segment of the stored code to generate a descriptor of each input in the code segment that appears to be have insufficient input validation; assess that an input has insufficient validation and determining a classification of input validation to use by determining a category of input validation to apply to the input; acquire suggestion for the determined category; and provide the acquired suggestion for the determined category.

Abstract: A method and method for testing an application includes performing a static analysis of metadata of coding of an application, using a test application program executed by a processor on a computer. Available user interface states are simulated based on the static analysis. A configuration file of the application is accessed and parsed to enumerate states possible for the application. A coverage metric is calculated for the application based on a number of states reached by the simulating and a number of states possible.

Abstract: Techniques for providing a visual code review editor are described. An electronic device is caused to display a graphical user interface including an editor portion to edit code review rules used by a code review service of a cloud provider network. The editor portion of the graphical user interface is caused to display a first graph associated with a first code review rule, the first graph including a first node, a second node, and a first edge connecting the first node and the second node. An indication that a third node has been added to the graph via the editor portion of the graphical user interface is received. The first code review rule is updated by the code review service to reflect the addition of the third node, the first code review rule is in a text format.

Abstract: A method includes computing a diffusion vector starting with a seed, querying nodes for connections, reweighting diffusion vector based on the degrees, sorting nodes based upon magnitude in the reweighted diffusion vector which is obtained through wave relaxation solution of a time-dependent initial value problem, detecting a community through a sweep over the nodes according to their rank, and selecting a prefix that minimizes or maximizes an objective function.

Abstract: An aggregate representation of a collection of source code examples is constructed. The collection includes positive examples that conform to a coding practice and negative examples do not conform to the coding practice. The aggregate representation includes nodes corresponding to source code elements, and edges representing relationships between code elements. Using an iterative analysis of the aggregate representation, a rule to automatically detect non-conformance is generated. The rule is used to provide an indication that a set of source code is non-conformant.

Abstract: Preliminary program analysis of an executable may be performed. A security vulnerability level of a portion of the executable may be determined based on the preliminary program analysis. The security vulnerability level of the portion may be compared to a security vulnerability threshold. The precision of runtime monitoring of the portion may be tuned based on the comparison.

Abstract: Techniques for facilitating incremental static program analysis based on machine learning techniques are provided. In one example, a system comprises a feature component that, in response to an update to a computer program, generates feature vector data representing the update, wherein the feature vector data comprises feature data representing a feature of the update derived from an abstract state of the computer program, and wherein the abstract state is based on a mathematical model of the computer program that is generated in response to static program analysis of the computer program. The system can further comprise a machine learning component that employs a classifier algorithm to identify an affected portion of the mathematical model that is affected by the update. The system can further comprise an incremental analysis component that incrementally applies the static program analysis to the computer program based on the affected portion.

Abstract: Searching a service registry system including a plurality of services identified by respective service names, wherein at least some of said service names being associated with a set of client identifiers, includes receiving a search request, said request including a service name and a further set of client identifiers, searching, using a processor, the service registry system for a match between the requested service name and a service name of one of said services in the service registry system, and, in the absence of such a match, searching, using the processor, the service registry system for services that have an association with at least some of the client identifiers in said further set. A search result can be returned.

Abstract: Techniques for management of sensitive data using static code analysis are described. A method of management of sensitive data using static code analysis includes obtaining a representation at least a portion of code, statically analyzing at least the portion of code to generate one or more candidate vectors based at least on one or more patterns, sending the one or more candidate vectors to a sensitive data model, and receiving an inference response indicating, for each of the one or more candidate vectors, whether at least a portion of the candidate vector includes sensitive data and a corresponding confidence score.

Abstract: Techniques for program verification are described. An exemplary method includes receiving a request to evaluate code based on a customized rule, the customized rule comprising one or more conditions for which the customized rule is applicable and one or more postconditions to indicate at least one check to perform for a given node in a graph for the code, wherein an application of the customized rule performs one or more of: an interleave between a backward analysis and forward analysis based on user-specified conditions, an analysis between sub-graphs by a query from a first sub-graph to a second sub-graph, and an operation on a sub-graph, storage of a result of the operation on the sub-graph, and usage of the stored result in a subsequent operation; generating a graph for the code; and evaluating the code by applying the customized rule to the generated graph.

Abstract: Techniques for performing root cause analysis in dynamic software testing via probabilistic modeling are provided. In one example, a computer-implemented method includes initializing, by a system operatively coupled to a processor, a threshold value, a defined probability value, and a counter value. The computer-implemented method also includes, in response to determining, by the system, that a probability value assigned to a candidate payload of one or more candidate payloads exceeds the defined probability value, and in response to determining, by the system, that the counter value exceeds the threshold value: determining, by the system, that a match exists between the candidate payload and an input point based on an application of the candidate payload to the input point resulting in a defined condition, wherein the one or more candidate payloads are represented by population data accessed by the system.

Abstract: Techniques for a code reviewer service to provide recommendations on source code are described. A code reviewer service may run rules and/or machine learning models to provide the recommendations. A machine learning model may identify one or more predicted issues of source code, and the code reviewer service may provide one or more recommendations based at least in part on the one or more predicted issues. Code reviewer service may allow a pull request for a code repository to trigger the generation of recommendations for the source code in the repository. The recommendations may be posted on the pull request.

Abstract: A method, computer program product, and computer system for performing, at a computing device, an analysis of a web application. A response is annotated by the web application with coverage data based upon, at least in part, the analysis, wherein the coverage data indicates which actions have been performed on the web application and which actions have not been performed on the web application according to results of the analysis. The response that includes the coverage data is shared with one or more users.

Abstract: One or more communication interfaces of a first application may be scanned. In response to the scanning, it may be determined that at least a first component of the first application is subject to public access from any application. One or more public access features associated with the first component may be removed, wherein the first component is no longer subject to public access from any application. A first module may be added to the first application to control access to data to or from the first component via one or more security rules.

Abstract: An apparatus, method and computer program product for repairing security vulnerabilities of an application running on a mobile device. The method comprises: monitoring, by a hardware processor running a mobile device application, an application program interface (API) request associated with a data access operation, the data access operation associated with a security vulnerability. The method determines one or more private values provided by the data access operation and tracks, for each determined private value, a use of the private value by the mobile device application. Further, the method determines from the tracked usage, whether a private value has been transformed in a manner associated with the security vulnerability. For each private value that has been transformed, using the processor to modify the private value deemed a security vulnerability prior to an access by the mobile device application.

Abstract: A method and system for virtualizing mobile device sensors includes requesting from a first mobile device a virtual connection with a mobile device having a specific type of sensor, configuring an operating system of the first mobile device to allow an application program to accept data by proxy from the available sensor of the second mobile device; receiving a response from a second mobile device having the sensor, establishing a trusted temporary communication connection between the first and second mobile devices, sending a control signal from an application program on the first mobile device to the second mobile for operating the sensor on the second mobile device and receiving device sensor data from the sensor on the second mobile device.

Abstract: A fine grained permission method and system that parameterizes permissions based on an objective criterion. The method includes accessing libraries of application programs requiring a permission, automatically extracting types of the parameters and respective corresponding fields read by the libraries requiring the permission, filtering the extracted types of parameters and fields based on a usage criteria to determine a filtered type of parameter and field for the permission and storing the filtered type parameter and field for the permission in a database. A request for a permission is passed to a fine grained permission module which obtains the filtered type of parameter and field for the permission, determines a specific parameter for the permission based on the filtered type of parameter and field and parameterizes the permission using the specific parameter. Downloading of the application program is completed by limiting the permission based on the specific parameter.

Abstract: A method and system of protecting user sensitive information from an application program of a user device are provided. The application program to be installed is received on the user device. Permissions to resources of the user device for the application program are identified. For each permission, mapping the permission to one or more sections of a code of the application program. For each mapped section of the code, a recipient of user sensitive information facilitated by the permission is determined. For each recipient, it is determined whether the recipient should be restricted. Upon determining that the recipient should not be restricted, the user sensitive information facilitated by the permission is provided to the recipient. However, upon determining that the recipient should be restricted, alternate information to the recipient.

Abstract: Synthesizing sanitization code for applications based upon a probabilistic prediction model includes receiving a set of applications. The set of applications is partitioned into a first subset of applications and a second subset of applications. The first subset has one or more malicious payloads associated therewith, and the second subset has one or more non-malicious payloads associated therewith. A probabilistic prediction model is computed based upon the malicious payloads associated with the first subset of applications. One or more predicted malicious payloads are predicted from the probabilistic prediction model.