-
公开(公告)号:US20180157486A1
公开(公告)日:2018-06-07
申请号:US15371678
申请日:2016-12-07
Applicant: SAP SE
Inventor: Michele Bezzi , Antonino Sabetta , Henrik Plate , Serena Ponta , Francesco Di Cerbo
IPC: G06F9/44
Abstract: Systems and methods are provided for accessing a source code repository comprising a plurality of versions of code, analyzing the plurality of versions of code of the component to compute metrics to identify each version of code, analyzing the metrics to determine a subset of the metrics to use to as a fingerprint definition to identify each version of the code, generating a fingerprint for each version of code using the fingerprint definition, generating a fingerprint matrix with the fingerprint for each version of code for the software component and storing the fingerprint definition and the fingerprint matrix
-
公开(公告)号:US09959111B2
公开(公告)日:2018-05-01
申请号:US15206323
申请日:2016-07-11
Applicant: SAP SE
Inventor: Henrik Plate , Serena Ponta , Antonino Sabetta
IPC: G06F9/445
Abstract: Various embodiments of systems, computer program products, and methods for prioritizing software patches are described herein. In an aspect, the software patches are retrieved by querying software repositories. Further, code changes associated with the software patches are determined. One or more instances of bug fix patterns are identified in determined code changes. The software patches are classified based on the identified bug fix patterns. Priorities of the software patches corresponding to the identified instances of the bug fix patterns are determined based on the classification and a pre-defined policy. Upon determining priorities, the software patches are installed based on the priorities.
-
公开(公告)号:US10831899B2
公开(公告)日:2020-11-10
申请号:US15978691
申请日:2018-05-14
Applicant: SAP SE
Inventor: Michele Bezzi , Antonino Sabetta , Henrik Plate , Serena Ponta
Abstract: Systems and methods are provided for retrieving a set of code changes to source code from a source code repository, analyzing the set of code changes to generate a vector representation of each code change of the set of code changes, analyzing the vector representation of each code change of the set of code changes using a trained security-relevant code detection machine learning model, receiving a prediction from the security-relevant code detection machine learning model representing a probability that each code change of the set of code changes contains security-relevant changes, analyzing the prediction to determine whether the prediction is below or above a predetermined threshold, and generating results based on determining whether the prediction is below or above a predetermined threshold.
-
公开(公告)号:US20200175174A1
公开(公告)日:2020-06-04
申请号:US16209826
申请日:2018-12-04
Applicant: SAP SE
Inventor: Jamarber Bakalli , Michele Bezzi , Cedric Dangremont , Sule Kahraman , Henrik Plate , Serena Ponta , Antonino Sabetta
IPC: G06F21/57 , G06F8/71 , G06N5/02 , G06F16/901
Abstract: Data is received that characterizes source code requiring a security vulnerability assessment. Using this received data, an input node of a vulnerability context graph is generated. Subsequently, at least one node is resolved from the input node using at least one of a plurality of resolvers that collectively access each of a knowledge base, a source code commit database, and at least one online resource. Additionally nodes are later iteratively resolved at different depth levels until a pre-defined threshold is met. The vulnerability context graph is then caused to be displayed in a graphical user interface such that each node has a corresponding graphical user interface element which, when activated, causes complementary information for such node to be displayed.
-
公开(公告)号:US09792200B2
公开(公告)日:2017-10-17
申请号:US15057812
申请日:2016-03-01
Applicant: SAP SE
Inventor: Henrik Plate , Serena Ponta , Antonino Sabetta
CPC classification number: G06F11/3636 , G06F11/3624 , G06F21/577
Abstract: Implementations are directed to enhancing assessment of one or more known vulnerabilities inside one or more third-party libraries used within an application program that interacts with the one or more third-party libraries. In some examples, actions include receiving a complete call graph that is provided by static source code analysis (SSCA) of the application program and any third-party libraries used by the application, receiving one or more stack traces that are provided based on dynamic source code analysis (DSCA) during execution of the application program, processing the complete call graph, the one or more stack traces, and vulnerable function data to provide one or more combined call graphs, the vulnerable function data identifying one or more vulnerable functions included in the one or more third-party libraries, each combined call graph being specific to a respective vulnerable function, and providing a graphical representation of each combined call graph.
-
Patent Agency Ranking
公开(公告)号:US11853422B2
公开(公告)日:2023-12-26
申请号:US16712514
申请日:2019-12-12
Applicant: SAP SE
Inventor: Henrik Plate
CPC classification number: G06F21/565 , G06F8/71 , G06N7/01 , G06N20/00 , G06F2221/033
Abstract: Embodiments detect malicious code in distributed software components. A detector element references a source code repository (e.g., open source, commercial) containing lines of various files of a distributed artifact. Subject to certain possible optimizations, the detector inspects the individual files and lines of the artifact file-by-file and line-by-line, to identify whether any commit history information is available from a Versioning Control System (VCS). A risk assessor element receives from the detector element, results identifying those lines and/or files for which no VCS commit history is available. The risk assessor then references code features (e.g., file extension, security-critical API calls) in the results, to generate a probability of the malicious nature of the source code lacking VCS commit history information. An analysis report including this probability and additional relevant information, is offered to a user to conduct further manual review (e.g., to detect false positives attributable to benign/legitimate source code modification).
-
公开(公告)号:US20200183820A1
公开(公告)日:2020-06-11
申请号:US16211126
申请日:2018-12-05
Applicant: SAP SE
Inventor: Cedric Hebert , Henrik Plate
Abstract: Systems and methods, as well as computing architecture for implementing the same, for decoy injection into an application. The systems and methods include splitting a standard test phase operation into two complementary phases, and add new unit tests to the process, dedicated to testing the proper coverage of the decoys and avoiding non-regression of the original code.
-
公开(公告)号:US20190272170A1
公开(公告)日:2019-09-05
申请号:US16415192
申请日:2019-05-17
Applicant: SAP SE
Inventor: Michele Bezzi , Antonino Sabetta , Henrik Plate , Serena Ponta , Francesco Di Cerbo
Abstract: Systems and methods are provided for accessing a source code repository comprising a plurality of versions of code, analyzing the plurality of versions of code of the component to compute metrics to identify each version of code, analyzing the metrics to determine a subset of the metrics to use to as a fingerprint definition to identify each version of the code, generating a fingerprint for each version of code using the fingerprint definition, generating a fingerprint matrix with the fingerprint for each version of code for the software component and storing the fingerprint definition and the fingerprint matrix
-
公开(公告)号:US20170255544A1
公开(公告)日:2017-09-07
申请号:US15057812
申请日:2016-03-01
Applicant: SAP SE
Inventor: Henrik Plate , Serena Ponta , Antonino Sabetta
CPC classification number: G06F11/3636 , G06F11/3624 , G06F21/577
Abstract: Implementations are directed to enhancing assessment of one or more known vulnerabilities inside one or more third-party libraries used within an application program that interacts with the one or more third-party libraries. In some examples, actions include receiving a complete call graph that is provided by static source code analysis (SSCA) of the application program and any third-party libraries used by the application, receiving one or more stack traces that are provided based on dynamic source code analysis (DSCA) during execution of the application program, processing the complete call graph, the one or more stack traces, and vulnerable function data to provide one or more combined call graphs, the vulnerable function data identifying one or more vulnerable functions included in the one or more third-party libraries, each combined call graph being specific to a respective vulnerable function, and providing a graphical representation of each combined call graph.
-
公开(公告)号:US20210182391A1
公开(公告)日:2021-06-17
申请号:US16712514
申请日:2019-12-12
Applicant: SAP SE
Inventor: Henrik Plate
Abstract: Embodiments detect malicious code in distributed software components. A detector element references a source code repository (e.g., open source, commercial) containing lines of various files of a distributed artifact. Subject to certain possible optimizations, the detector inspects the individual files and lines of the artifact file-by-file and line-by-line, to identify whether any commit history information is available from a Versioning Control System (VCS). A risk assessor element receives from the detector element, results identifying those lines and/or files for which no VCS commit history is available. The risk assessor then references code features (e.g., file extension, security-critical API calls) in the results, to generate a probability of the malicious nature of the source code lacking VCS commit history information. An analysis report including this probability and additional relevant information, is offered to a user to conduct further manual review (e.g., to detect false positives attributable to benign/legitimate source code modification).
-
-
-
-
-
-
-
-
-
Search Results
13
records
(took 0.012 seconds)
