English

Scalable Defect Detection via Traversal on Code Graph

Software Engineering 2024-06-13 v1

Abstract

Detecting defects and vulnerabilities in the early stage has long been a challenge in software engineering. Static analysis, a technique that inspects code without execution, has emerged as a key strategy to address this challenge. Among recent advancements, the use of graph-based representations, particularly Code Property Graph (CPG), has gained traction due to its comprehensive depiction of code structure and semantics. Despite the progress, existing graph-based analysis tools still face performance and scalability issues. The main bottleneck lies in the size and complexity of CPG, which makes analyzing large codebases inefficient and memory-consuming. Also, query rules used by the current tools can be over-specific. Hence, we introduce QVoG, a graph-based static analysis platform for detecting defects and vulnerabilities. It employs a compressed CPG representation to maintain a reasonable graph size, thereby enhancing the overall query efficiency. Based on the CPG, it also offers a declarative query language to simplify the queries. Furthermore, it takes a step forward to integrate machine learning to enhance the generality of vulnerability detection. For projects consisting of 1,000,000+ lines of code, QVoG can complete analysis in approximately 15 minutes, as opposed to 19 minutes with CodeQL.

Keywords

Cite

@article{arxiv.2406.08098,
  title  = {Scalable Defect Detection via Traversal on Code Graph},
  author = {Zhengyao Liu and Xitong Zhong and Xingjing Deng and Shuo Hong and Xiang Gao and Hailong Sun},
  journal= {arXiv preprint arXiv:2406.08098},
  year   = {2024}
}
R2 v1 2026-06-28T17:02:56.333Z