DeepCode Finds Problems in C and C++ Code
DeepCode, a cloud service that uses machine learning to analyze code bases for vulnerabilities and potential problems, can now analyze C and C++ code.
Trained through the analysis of thousands of open source projects, DeepCode provides feedback for projects on code hosting platforms or local repositories. The creators of DeepCode claim that it provides better and more detailed feedback than traditional code analysis tools, because it analyzes the code in context – not only as text, but also as working software.
Most software vulnerabilities are found in C or C++ code bases. However powerful both languages are, they offer practically no protection against developer mistakes, and newer versions of these languages are obliged to maintain backward compatibility, so they remain just as vulnerable.
DeepCode’s code analysis example
When analyzing the Linux kernel, DeepCode found a number of problems common to C code bases, including unchecked parameters taken from command-line arguments or environment variables, use-after-free bugs, and missing null-pointer checks.
Other, less obvious problems were found in the C code, such as insecure creation of temporary files or the possibility that certain instructions would be optimized away during compilation and so would not have the intended effect.
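The insecure temporary-file pattern mentioned above, shown beside its hardened form, as an added C example that is not code from the DeepCode article or from the Linux kernel; the file-name template under /tmp and the check function are constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Insecure pattern (shown only, never called): tmpnam() returns a
 * predictable name, and fopen() creates the file later with default
 * permissions. Between the two calls another process can plant a file
 * or symlink at that path, and the result is readable by other users.
 *
 *     char *name = tmpnam(NULL);
 *     FILE *f = fopen(name, "w");
 */

/* Hardened form: mkstemp() picks the name and creates the file in one
 * atomic O_CREAT|O_EXCL open with mode 0600, so nobody can pre-create
 * the path and no other user can read it. The final name is written to
 * `path`; returns the open descriptor or -1. */
int open_private_tempfile(char *path, size_t path_len)
{
    const char tmpl[] = "/tmp/tempfile-example-XXXXXX"; /* constructed template */
    if (path_len < sizeof tmpl)
        return -1;
    memcpy(path, tmpl, sizeof tmpl);
    return mkstemp(path);
}

/* Self-check: create the file, verify it is a regular file owned by the
 * caller with mode exactly 0600, then remove it. Returns 0 on success. */
int check_private_tempfile(void)
{
    char path[64];
    struct stat st;
    int rc = -1;
    int fd = open_private_tempfile(path, sizeof path);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
        && (st.st_mode & 0777) == 0600 && st.st_uid == getuid())
        rc = 0;
    close(fd);
    unlink(path);
    return rc;
}
```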
At its initial launch, DeepCode supported Java, JavaScript, TypeScript and Python, with plans to support C, C++ and other languages. According to the blog post announcing C/C++ support, adding analysis for C and C++ took three months of work because of the complexities of low-level C/C++ features.
via infoworld.com