Automatic vulnerability detection is of paramount importance to promote the security of an application and should be exercised at the earliest stages within the software development life cycle (SDLC) to reduce the risk of exposure. Despite the advancements with state-of-the-art deep learning techniques in software vulnerability detection, the development environments are not yet leveraging their performance. In this work, we integrate the Transformers architecture, one of the main highlights of advances in deep learning for Natural Language Processing, within a developer-friendly tool for code security. We introduce VDet for Java, a transformer-based VS Code extension that enables one to discover vulnerabilities in Java files. Our preliminary model evaluation presents an accuracy of 98.9% for multi-label classification and can detect up to 21 vulnerability types.
Check our Youtube 📺 video to see how VDET works.
- Scan a complete file (recommended)
- Scan a specific code piece highlighted by the user (useful when there are syntax errors)
List of CWEs: 113, 129, 134, 15, 190, 191, 197, 23, 319, 26, 269, 400, 470, 606, 643, 690, 78, 789, 80, 89, 90
Tested with 
To run plugin-backend server (from dir: plugin-backend/):
-
Install required packages (listed at requirements.txt):
pip install -r requirements.txt -
Make sure you have a serialized pretrained model and multi-label binarizer (ours are available here). Then, create your
.envfile (from the provided template, in the same location) and add the paths to the serialized objects. -
Start the server (it runs on port 5000 by default):
python server.py -
Check the available routes (they can be used without the extension):
1. Analyse code section (with line interval):
POST /predict/section2. Analyse complete file:
POST /predict/file
To run the extension (from dir: plugin/vdet-java/)
- Make sure you have Node.js and Git installed
- Install yo and generator-code
npm install -g yo generator-code - Install required packages
npm install - Start the extension by pressing F5. A new VS Code window should open ✨
Note: if you have any trouble starting the extension, please check "VS Code: Your First Extension" tutorial.
Our datasets are available here. The datasets were built from a single source, the Juliet Test Suite for Java.
There are three datasets available and suitable for machine learning operations. The split follows an 80/10/10 ratio for train, test and validation sets, respectively.
More info about this work here.