Document Type: Research Article

Authors

Research Center for Development of Advanced Technologies, Tehran, Iran

Abstract

In recent years, artificial intelligence has grown conspicuously in almost every aspect of life. One of the most promising application areas is security code review, for which many AI-based tools and approaches have been proposed. Recently, ChatGPT has attracted a great deal of attention for its remarkable performance in following instructions and providing detailed responses. Given the similarities between natural language and code, in this paper we study the feasibility of using ChatGPT for vulnerability detection in Python source code. Toward this goal, we feed an appropriate prompt together with vulnerable data to ChatGPT and compare its results on two datasets with the results of three widely used Static Application Security Testing (SAST) tools (Bandit, Semgrep, and SonarQube). We carry out several kinds of experiments with ChatGPT, and the results indicate that ChatGPT reduces the false positive and false negative rates and has the potential to be used for Python source code vulnerability detection.
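The comparison the abstract describes comes down to scoring each detector's verdicts against a labelled dataset. The following scoring harness is an added example, not code from the paper; the sample ids, ground-truth labels and per-tool verdicts are constructed, and the tool names are used only as dictionary keys.

```python
"""Score detector verdicts against ground truth (added example, not the paper's code).

Computes the false positive and false negative rates the abstract compares,
for any number of detectors, from constructed labels and verdicts.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    tp: int
    fp: int
    tn: int
    fn: int

    @property
    def fp_rate(self) -> float:
        # Share of benign samples wrongly flagged: FP / (FP + TN).
        return self.fp / (self.fp + self.tn) if (self.fp + self.tn) else 0.0

    @property
    def fn_rate(self) -> float:
        # Share of vulnerable samples missed: FN / (FN + TP).
        return self.fn / (self.fn + self.tp) if (self.fn + self.tp) else 0.0


def score(truth: dict[str, bool], verdicts: dict[str, bool]) -> Confusion:
    """Count outcomes per sample; a sample the detector never reported counts as not flagged."""
    tp = fp = tn = fn = 0
    for sample, vulnerable in truth.items():
        flagged = verdicts.get(sample, False)
        if vulnerable and flagged:
            tp += 1
        elif vulnerable:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    return Confusion(tp, fp, tn, fn)


def score_all(truth: dict[str, bool], by_tool: dict[str, dict[str, bool]]) -> dict[str, Confusion]:
    return {tool: score(truth, verdicts) for tool, verdicts in by_tool.items()}


# Constructed ground truth: True means the sample contains a vulnerability.
TRUTH = {"s1": True, "s2": True, "s3": True, "s4": False, "s5": False, "s6": False}
# Constructed verdicts: True means the detector flagged the sample (s6 missing for semgrep).
VERDICTS = {
    "bandit": {"s1": True, "s2": False, "s3": True, "s4": True, "s5": False, "s6": True},
    "semgrep": {"s1": True, "s2": True, "s3": False, "s4": True, "s5": False},
    "chatgpt": {"s1": True, "s2": True, "s3": True, "s4": False, "s5": True, "s6": False},
}

if __name__ == "__main__":
    for tool, c in score_all(TRUTH, VERDICTS).items():
        print(f"{tool:8s} FP rate={c.fp_rate:.2f}  FN rate={c.fn_rate:.2f}")
```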

Keywords
