SEAI, Nov 6, 2025

Explaining Software Vulnerabilities with Large Language Models

arXiv:2511.04179v1 | h-index: 3 | 2025 40th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW)
Originality: Incremental advance
AI Analysis

The paper addresses usability issues in SAST tools for developers; the advance is incremental, since it builds on existing LLM capabilities rather than introducing new ones.

The paper tackles the problem of static application security testing (SAST) tools having generic warning messages that hinder developer understanding, by introducing SAFE, an IDE plugin that uses GPT-4o to explain vulnerabilities, and finds in a user study that it significantly helps beginner to intermediate developers.

The prevalence of security vulnerabilities has prompted companies to adopt static application security testing (SAST) tools for vulnerability detection. Nevertheless, these tools frequently exhibit usability limitations, as their generic warning messages do not sufficiently communicate important information to developers, resulting in misunderstandings or oversight of critical findings. In light of recent developments in Large Language Models (LLMs) and their text generation capabilities, our work investigates a hybrid approach that uses LLMs to tackle the SAST explainability challenges. In this paper, we present SAFE, an Integrated Development Environment (IDE) plugin that leverages GPT-4o to explain the causes, impacts, and mitigation strategies of vulnerabilities detected by SAST tools. Our expert user study findings indicate that the explanations generated by SAFE can significantly assist beginner to intermediate developers in understanding and addressing security vulnerabilities, thereby improving the overall usability of SAST tools.
