Assessing vulnerability impact using call graphs

    Publication (announcement) number: US09792200B2

    Publication (announcement) date: 2017-10-17

    Application number: US15057812

    Filing date: 2016-03-01

    Applicant: SAP SE

    CPC classification number: G06F11/3636 G06F11/3624 G06F21/577

    Abstract: Implementations are directed to enhancing assessment of one or more known vulnerabilities inside one or more third-party libraries used within an application program that interacts with the one or more third-party libraries. In some examples, actions include receiving a complete call graph that is provided by static source code analysis (SSCA) of the application program and any third-party libraries used by the application, receiving one or more stack traces that are provided based on dynamic source code analysis (DSCA) during execution of the application program, processing the complete call graph, the one or more stack traces, and vulnerable function data to provide one or more combined call graphs, the vulnerable function data identifying one or more vulnerable functions included in the one or more third-party libraries, each combined call graph being specific to a respective vulnerable function, and providing a graphical representation of each combined call graph.

    MULTI-CONTEXT EXPLOIT TEST MANAGEMENT

    Status: Invention application, in force

    Publication (announcement) number: US20160314302A1

    Publication (announcement) date: 2016-10-27

    Application number: US14692203

    Filing date: 2015-04-21

    Applicant: SAP SE

    Abstract: An input handler receives an exploit test request specifying at least one exploit to be tested against at least one application in at least one execution environment. A deployment engine deploys the at least one execution environment including instantiating a container providing a virtual machine image and configured based on the exploit test request, the instantiated container including the at least one application. A scheduler schedules execution of the at least one execution environment within at least one execution engine, including scheduling an injection of the at least one exploit as specified in the exploit test request. A report generator generates an exploit test report characterizing a result of the at least one exploit being injected into the at least one execution environment of the at least one execution engine.

    Commit conformity verification system

    Publication (announcement) number: US11972258B2

    Publication (announcement) date: 2024-04-30

    Application number: US17850380

    Filing date: 2022-06-27

    Applicant: SAP SE

    CPC classification number: G06F8/77

    Abstract: Systems and methods are provided for training a machine learning model to generate a score indicating a level of discrepancy between a commit message and a corresponding code change. The computing system receives a commit comprising a given commit message and a given corresponding code change and analyzes, using the trained machine learning model, the given commit message and given corresponding code change to generate a score indicating the level of discrepancy between the given commit message and the given corresponding code change of the received commit.

    Distributed Vectorized Representations of Source Code Commits

    Publication (announcement) number: US20220129261A1

    Publication (announcement) date: 2022-04-28

    Application number: US17080520

    Filing date: 2020-10-26

    Applicant: SAP SE

    Abstract: Distributed vector representations of source code commits are generated to become part of a data corpus for machine learning (ML) for analyzing source code. The code commit is received, and time information is referenced to split the source code into pre-change source code and post-change source code. The pre-change source code is converted into a first code representation (e.g., based on a graph model), and the post-change source code into a second code representation. A first particle is generated from the first code representation, and a second particle is generated from the second code representation. The first particle and the second particle are compared to create a delta. The delta is transformed into a first commit vector by referencing an embedding matrix to numerically encode the first particle and the second particle. Following classification, the commit vector is stored in a data corpus for performing ML analysis upon source code.

    SOFTWARE VERSION FINGERPRINT GENERATION AND IDENTIFICATION

    Publication (announcement) number: US20190272170A1

    Publication (announcement) date: 2019-09-05

    Application number: US16415192

    Filing date: 2019-05-17

    Applicant: SAP SE

    Abstract: Systems and methods are provided for accessing a source code repository comprising a plurality of versions of code, analyzing the plurality of versions of code of the component to compute metrics to identify each version of code, analyzing the metrics to determine a subset of the metrics to use as a fingerprint definition to identify each version of the code, generating a fingerprint for each version of code using the fingerprint definition, generating a fingerprint matrix with the fingerprint for each version of code for the software component, and storing the fingerprint definition and the fingerprint matrix.

    ASSESSING VULNERABILITY IMPACT USING CALL GRAPHS

    Publication (announcement) number: US20170255544A1

    Publication (announcement) date: 2017-09-07

    Application number: US15057812

    Filing date: 2016-03-01

    Applicant: SAP SE

    CPC classification number: G06F11/3636 G06F11/3624 G06F21/577

    Abstract: Implementations are directed to enhancing assessment of one or more known vulnerabilities inside one or more third-party libraries used within an application program that interacts with the one or more third-party libraries. In some examples, actions include receiving a complete call graph that is provided by static source code analysis (SSCA) of the application program and any third-party libraries used by the application, receiving one or more stack traces that are provided based on dynamic source code analysis (DSCA) during execution of the application program, processing the complete call graph, the one or more stack traces, and vulnerable function data to provide one or more combined call graphs, the vulnerable function data identifying one or more vulnerable functions included in the one or more third-party libraries, each combined call graph being specific to a respective vulnerable function, and providing a graphical representation of each combined call graph.