English

QLPro: Automated Code Vulnerability Discovery via LLM and Static Code Analysis Integration

Software Engineering 2025-07-22 v3 Artificial Intelligence Cryptography and Security

Abstract

We introduce QLPro, a vulnerability detection framework that systematically integrates LLMs and static analysis tools to enable comprehensive vulnerability detection across entire open-source projects.We constructed a new dataset, JavaTest, comprising 10 open-source projects from GitHub with 62 confirmed vulnerabilities. CodeQL, a state-of-the-art static analysis tool, detected only 24 of these vulnerabilities while QLPro detected 41. Furthermore, QLPro discovered 6 previously unknown vulnerabilities, 2 of which have been confirmed as 0-days.

Keywords

Cite

@article{arxiv.2506.23644,
  title  = {QLPro: Automated Code Vulnerability Discovery via LLM and Static Code Analysis Integration},
  author = {Junze Hu and Xiangyu Jin and Yizhe Zeng and Yuling Liu and Yunpeng Li and Dan Du and Kaiyu Xie and Hongsong Zhu},
  journal= {arXiv preprint arXiv:2506.23644},
  year   = {2025}
}

Comments

The experimental data in the experimental section needs to be improved, and there are some errors

R2 v1 2026-07-01T03:39:10.126Z