We get a lot of questions from our customers about artificial intelligence in combination with SAST (Static Application Security Testing). Everybody is looking for the next level of efficiency in DevSecOps.
With CodeSonar the answer to whether AI can help is a resounding yes. The reason is the large amount of information that CodeSonar provides around each SAST finding, combined with its deep integration into CI/CD platforms.
The first level of assistance is the integration of CodeSonar findings into the CI/CD artifact stream, for example in GitLab. The picture below is from a GitLab Vulnerability report: the CodeSonar findings, complete with MISRA rule designations, are clearly presented to the user.
The second level is the complete flow of the finding path. CodeSonar explains, in great detail, why it issued the finding. The image below contains only part of the finding path; it is 60 steps deep, across multiple compilation units and procedures.
The third level is where AI comes in. The CodeSonar warning carries a lot of information, and that information can then be used by AI to explain the problem, how it could possibly be exploited and, lastly, how to fix it. The comment below is from GitLab Duo. It is a three-step answer: first highlighting what the problem is, next highlighting how it could possibly be exploited and, lastly, explaining how to fix the issue.
The last step is part of a GitLab merge request, after the problem has been fixed and the fix has been submitted to the CI/CD platform. Here the developer can quickly see that the problem has been resolved.
This use of AI is great for new programmers: it allows them to quickly learn about vulnerabilities and how to fix them. But it can also be a good review tool for experienced programmers; I have on several occasions found that AI provided alternate fixes to the one I had initially considered.
Interested in more detail? Here is a video that walks through the entire process.