In this section:
Why use Vulnerability Probability?
Given a large (or even small) number of violations for the same rule with the same severity, how can developers know which violations to prioritize first? Which violations to pay more or deeper attention to? How can developers not inadvertently miss a critical security issue while going through a set of violations?
DTP can recommend a vulnerability probability associated with a violation to assist developers when facing the above questions.
What is Vulnerability Probability?
Vulnerability probability is a measure (between 0% and 100%) that quantifies the similarity between the source code of the method containing the violation and source code with known security vulnerabilities. The higher the probability, the higher the likelihood that the method containing the violation contains a security vulnerability.
Vulnerability probability can be calculated only for violations that are found within a method (or function body). It is not available if the violation is found outside of a method.
To calculate vulnerability probability, a model was trained on code samples containing CVEs. For the java model, over 400 CVEs are covered representing 88 different CWEs including, but not limited to, the 18 most common CWEs:
| CWE-20 | CWE-22 | CWE-74 | CWE-79 | CWE-89 | CWE-94 |
| CWE-190 | CWE-200 | CWE-287 | CWE-352 | CWE-400 | CWE-444 |
| CWE-502 | CWE-611 | CWE-770 | CWE-862 | CWE-863 | CWE-918 |
The diagram below illustrates how DTP, the Vulnerability Probability model, and OpenAI API work together.
Supported Tools
Vulnerability Probability can be calculated for static analysis violations from Jtest only. C/C++test and dotTEST are currently not supported.
Prerequisites
OpenAI Settings
OpenAI settings must be configured in order to calculate Vulnerability Probability for violations. See Using DTP with OpenAI for more information.
Source Code View Configuration
DTP must be configured to display source code in the Violations Explorer. See Source Code View Configuration Overview for more information.
Jtest
In order to calculate Vulnerability Probability for Jtest violations, one of the following conditions must be met:
- Jtest is configured to send advanced metadata to DTP for machine learning. This setting is disabled by default, but it can be enabled under the Advanced Settings on the Static Analysis Settings tab in your Jtest test configurations. See the Jtest documentation at https://docs.parasoft.com/ for more information.
- Metrics analysis is run in addition to static analysis and both reports are sent to DTP. During the metrics analysis, one of the following metrics must be enabled:
METRIC.CLLOCRIM
METRIC.NOBLIM
METRIC.NOCLIM
METRIC.NOLLOCIM
- METRIC.NOMCIM
- METRIC.NOPAR
METRIC.NOPLIM
METRIC.NORET
METRIC.NOSLIM
Operating System Requirements
Older Linux operating systems (CentOS 7.x and older) might be missing some libraries that are needed by the vulnerability probability model. In these situations, when you try to calculate the vulnerability probability you might see an error message, "The Vulnerability Probability model is not loaded. See logs for more information." Check the logs for more information about the missing library. Note: the error is created when the first missing library is encountered. If multiple libraries are missing, you might get this error multiple times.
Microsoft Visual C++ Redistributable package (2019 or higher) is required by the Vulnerability Probability model on Windows. Unless you have disabled Windows updates, this package should already be installed on your system.
Calculating Vulnerability Probability
To calculate the vulnerability probability for a violation, select it in the Violations Explorer and click Get Recommendations on the Prioritizations tab.
If the prerequisite conditions have been met, the vulnerability probability will be added to the Recommendations section. If one or more prerequisite conditions have not been met, there will be an info icon to the left of the Recommendations label that you can hover over for details.
Note: The OpenAI embeddings API is called when calculating the vulnerability probability for a violation. Since each API call incurs a cost, DTP 2024.1 only allows calculating vulnerability probability for one violation at a time.
