This repository contains the Differential Alert Analysis (DAA) source code. DAA is a Python library developed to find fixed vulnerabilities using the output of SAST tools.
Introduction • Installation • License • Cite
DAA is a language-agnostic algorithm that uses the outputs of lightweight and imprecise off-the-shelf static analysis security tools (SAST) to discover resolved vulnerabilities in software projects without relying on an announcement. The key insight driving DAA is that when a fix is introduced, it will eliminate a SAST alert present in the prior version.
Clone the DAA repository and pip install from the clone. We recommend creating a virtual environment to install DAA.
```bash
git clone git@github.com:s3c2/daa.git
cd daa
python3 -m venv .venv
source .venv/bin/activate
pip3 install .
```
```python
from daa import daa_hierarchy
import pandas as pd

if __name__ == '__main__':
    # SET the alerts generated from your SAST tool
    previous_alerts = pd.read_csv("PATH_TO_PREVIOUS_ALERTS.csv")
    current_alerts = pd.read_csv("PATH_TO_CURRENT_ALERTS.csv")

    # Run DAA on the alerts
    daa_results = daa_hierarchy.DAA(previous_alerts, current_alerts)
```
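To make the key insight concrete (a fix removes an alert that the prior version raised), here is a small self-contained illustration of differential alert analysis. It is added example code, not the library's `daa_hierarchy.DAA` implementation: it assumes alert records with `rule`, `file`, `function` and `line` fields, matches alerts on everything except the line number so that code that merely shifted is not reported as fixed, and uses constructed sample alerts rather than real SAST output.

```python
"""Simplified differential alert analysis (illustration only; not daa_hierarchy.DAA)."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Alert = Dict[str, object]


def alert_key(alert: Alert) -> Tuple[str, str, str]:
    # Line numbers shift between versions, so an alert is identified by its
    # rule, file and enclosing function (assumed field names) rather than its line.
    return (str(alert["rule"]), str(alert["file"]), str(alert["function"]))


def eliminated_alerts(previous: Iterable[Alert], current: Iterable[Alert]) -> List[Alert]:
    """Return alerts from the previous version that no longer appear in the current one.

    Each current alert can account for at most one previous alert, so if a function
    had two alerts of the same rule and now has one, exactly one is reported as fixed.
    New alerts that only exist in the current version are ignored: they are not fixes.
    """
    remaining = Counter(alert_key(a) for a in current)
    fixed: List[Alert] = []
    for alert in previous:
        key = alert_key(alert)
        if remaining[key] > 0:
            remaining[key] -= 1  # still present, possibly on a different line
        else:
            fixed.append(alert)  # candidate fixed vulnerability
    return fixed


# Constructed sample alerts for two successive versions (not real tool output).
PREVIOUS = [
    {"rule": "sql-injection", "file": "app/db.py", "function": "get_user", "line": 42},
    {"rule": "sql-injection", "file": "app/db.py", "function": "get_user", "line": 58},
    {"rule": "path-traversal", "file": "app/files.py", "function": "read", "line": 10},
    {"rule": "weak-hash", "file": "app/auth.py", "function": "hash_pw", "line": 7},
]
CURRENT = [
    {"rule": "sql-injection", "file": "app/db.py", "function": "get_user", "line": 45},
    {"rule": "path-traversal", "file": "app/files.py", "function": "read", "line": 12},
    {"rule": "weak-hash", "file": "app/auth.py", "function": "hash_pw", "line": 7},
    {"rule": "weak-hash", "file": "app/auth.py", "function": "reset_pw", "line": 30},
]

if __name__ == "__main__":
    for alert in eliminated_alerts(PREVIOUS, CURRENT):
        print(f"candidate fix: {alert['rule']} in {alert['file']}:{alert['function']}")
```

With the constructed input, only the second `sql-injection` alert in `get_user` is reported: the moved `path-traversal` alert and the unchanged `weak-hash` alert still match, and the new `reset_pw` alert is not a fix.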
DAA is available under the Apache-2.0 License.
- Apache-2.0 License: See LICENSE file for details.
```bibtex
@inproceedings{dunlap_finding_2023,
  title = {Finding {Fixed} {Vulnerabilities} with {Off}-the-{Shelf} {Static} {Analysis}},
  isbn = {9781665465120},
  url = {https://ieeexplore.ieee.org/document/10190493/},
  doi = {10.1109/EuroSP57164.2023.00036},
  booktitle = {2023 {IEEE} 8th {European} {Symposium} on {Security} and {Privacy} ({EuroS}\&{P})},
  publisher = {IEEE},
  author = {Dunlap, Trevor and Thorn, Seaver and Enck, William and Reaves, Bradley},
  month = jul,
  year = {2023},
  pages = {489--505},
  address = {Delft, Netherlands},
}
```