Finding real world software vulnerabilities using ChatGPT

Abstract

Despite continued research and efforts in developing secure software programs, we continue to observe an increasing trend of reported software vulnerabilities in recent years. According to statistics, there have been 25,583 publicly reported software vulnerabilities in 2024 alone, and this number is expected to grow in coming years. Static analysis tools are often used by developers to detect software vulnerabilities early during development, however, these tools are notorious for their high false positive rates. This limitation has affected the adoption of static analysis tools by developers who may not perceive their warnings as relevant. Large language models (LLMs) offer a promising solution to this challenge. LLMs excel in understanding complex contexts and code semantics and have seen widespread adoption within the cybersecurity research field. By leveraging on these capabilities, LLMs provides a potential solution to enhancing the accuracy of static analysis tools, reduce false positives and encourage wider adoption. This project explores the possibility of integrating a static analysis tool with LLMs. A framework combining Tabby, a static analysis tool, with a LLM will be implemented and compared against traditional static analysis tools.