SE | AI | CR | Jun 30, 2025

QLPro: Automated Code Vulnerability Discovery via LLM and Static Code Analysis Integration

arXiv:2506.23644v3 | 4 citations | h-index: 2 | Has Code
Originality: Incremental advance
AI Analysis

This addresses the challenge of improving vulnerability detection for software security, though it is incremental as it builds on existing static analysis methods.

The authors tackled the problem of automated vulnerability detection in open-source projects by integrating LLMs with static analysis tools, resulting in QLPro detecting 41 out of 62 confirmed vulnerabilities compared to 24 by CodeQL and discovering 6 previously unknown vulnerabilities, including 2 confirmed 0-days.

We introduce QLPro, a vulnerability detection framework that systematically integrates LLMs and static analysis tools to enable comprehensive vulnerability detection across entire open-source projects. We constructed a new dataset, JavaTest, comprising 10 open-source projects from GitHub with 62 confirmed vulnerabilities. CodeQL, a state-of-the-art static analysis tool, detected only 24 of these vulnerabilities while QLPro detected 41. Furthermore, QLPro discovered 6 previously unknown vulnerabilities, 2 of which have been confirmed as 0-days.
