In 2024 we looked at the possibility of leveraging open weights LLMs for source code analysis.

The answer was clearly negative, as a small code base could easily take 200K tokens, more than any context window offered by open weights models.

The table below summarizes the top LLMs by context window as of today. Context windows significantly increased, compared to an average of 32.000 tokens last year. However, we are still a few orders of magnitude away from being able to feed entire code bases to LLMs.

Later in the year a tool named vulnhuntr was published (https://github.com/protectai/vulnhuntr). The tool approached limited context windows by performing source code analysis from source to sink and providing code blocks of the call chains iteratively in a multi-step process. Initially the LLM is fed code blocks for a set of files (e.g. sources where API entry points are defined). Then it literally asks for code blocks of functions and classes which are required for the analysis.

In addition to the clever approach, a track record of discovered vulnerabilities was published, making the tool even more appealing.

There is one relevant limitation though: only python code bases are supported. It is in fact very difficult to statically determine the call chain from source to sink for non-typed languages.

We decided that it was worth extending the tool to support additional languages. Therefore we created xvulnhuntr (https://github.com/CompassSecurity/xvulnhuntr), a fork of the original project where the ‘x’ stands for extended.

Xvulnuhntr also supports C#, Java and Go. For each language, there is a dedicated tool developed in the corresponding language. Given a repository path and a class or function name in input, the tool returns a json with the file name for the match and the source code of the code block matching the function/class name. This modular approach allows to easily extend support to other typed languages.

In addition, we intentionally put additional effort into making xvulnhuntr easier for developers to contribute to. Compared to the original project, it is possible to run xvulnhuntr against a local test suite, mocking API responses. This provides multiple advantages:

• reproducibility: while LLMs are not deterministic (even with temperature set to zero), mocked responses allow easier debugging
• speed: mocked responses avoid latency from the LLM provider
• cost reduction: no need to waste tokens during development

Next Steps

We primarily focused on the development of the tool. We expect refinements and bugs to come up as the tool is used against a variety of code bases. We are also interested in evaluating how analysis from different LLM providers compare to each other. Finally, we welcome and encourage contributions. Until then, happy LLM-powered hacking!

Compass Security Blog – ​Read More

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of flaws is as follows –

CVE-2014-3931 (CVSS score: 9.8) – A buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) that could allow remote attackers to cause an

The Hacker News – ​Read More

AI attacks are exposing gaps in multivendor stacks. CISOs are shifting to single-vendor SASE to consolidate, reduce risk and regain control.Read More

Security News | VentureBeat – ​Read More