Vulnerability detection tool in source code by building and leveraging semantic code graph

The paper presents different vulnerability detection tools to ensure the security of software applications and container environments from a preventive and holistic approach. The solution aims to improve the quality and security of software by leveraging knowledge graph technology for a more accurate and comprehensive detection process of vulnerabilities. The ambition is to detect the vulnerabilities in the whole software supply chain and to support developers holding security as a key component over the Software Development life-cycle. We design reliable tools by building a semantic graph-based abstraction of the code from the compiler state, and we reach high accuracy by developing different static code analyzers optimizing the detection of software vulnerabilities in the source code and dependencies. In this paper, we will introduce the cybersecurity suite composed of different vulnerability detection tools to promote developer autonomy and security automation over the software supply chain. The main tool (DocSpot) detects vulnerabilities in the application source code and leverages knowledge graph technology. The second tool (DocDocker) scans for vulnerabilities in containers, and the third one (SirDocker) detects orchestration vulnerabilities, e.g. related to configuration, recommends secure best practices, and supports secure management of the containers and container images. The main contributions to the field of security automation are detailed and the first experiments and results of the tools are exposed. Finally, we describe the contributions to improving security in software and IoT applications.