Tailoring Static Code Analysis for Top 25 CWE in Python

Authors

  • Ali Shihab, University of Mosul, Mosul, Iraq
  • Mafaz Alanezi, University of Mosul, Mosul, Iraq

DOI:

https://doi.org/10.69513/jnfit.v1.i0.a7

Abstract

Computer security is of significant importance. Over the past decade, countless cybercrimes have been carried out by exploiting software flaws, causing considerable social stress and substantial losses and raising interest in security. Vulnerabilities in applications written in various programming languages can be identified using a range of methodologies and techniques, based on either static or dynamic analysis. Bandit is a static analysis tool designed to identify security vulnerabilities in Python code, covering a defined set of issues. This study adds a further collection of vulnerabilities, specifically the CWE Top 25, to extend the tool's detection capabilities. The approach parses Python code into an Abstract Syntax Tree (AST) using Python's ast library; by traversing the nodes of the tree and gathering information about the code's characteristics, potential vulnerabilities are identified through predefined checks for each scenario. Tests written for each incorporated scenario demonstrated that the tool detects all of them.
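To illustrate the AST-traversal approach the abstract describes, here is an added example (not the paper's code or a Bandit plugin) of a small checker built on Python's ast library: it walks every Call node and flags three CWE Top 25 patterns. The CHECKS table, the sample snippet and the CWE mapping are this example's own assumptions.

```python
import ast

# Callee name -> (CWE id, message). Assumed mapping for this example,
# not the paper's rule set.
CHECKS = {
    "eval": ("CWE-94", "eval() executes attacker-controllable code"),
    "exec": ("CWE-94", "exec() executes attacker-controllable code"),
    "pickle.load": ("CWE-502", "pickle.load() deserializes untrusted data"),
    "pickle.loads": ("CWE-502", "pickle.loads() deserializes untrusted data"),
}

def dotted_name(node):
    """Rebuild 'pickle.loads' from a Name/Attribute chain; None if dynamic."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

class Top25Visitor(ast.NodeVisitor):
    """Collects (line, cwe, message) for every matching call in the tree."""
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in CHECKS:
            cwe, msg = CHECKS[name]
            self.findings.append((node.lineno, cwe, msg))
        # subprocess.*(..., shell=True) hands a string to the OS shell: CWE-78
        if name and name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) \
                        and kw.value.value is True:
                    self.findings.append((node.lineno, "CWE-78",
                                          f"{name}(shell=True) allows OS command injection"))
        self.generic_visit(node)  # keep descending into nested calls

def scan(source):
    """Parse source text and return findings sorted by line number."""
    visitor = Top25Visitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)

# Constructed sample input: lines 3, 4 and 6 should be flagged, line 5 is the safe form.
SAMPLE = '''import pickle, subprocess
def handler(req):
    data = pickle.loads(req.body)
    subprocess.run("ls " + req.path, shell=True)
    subprocess.run(["ls", req.path])
    return eval(req.expr)
'''

if __name__ == "__main__":
    for line, cwe, msg in scan(SAMPLE):
        print(f"line {line}: {cwe}: {msg}")
```

Bandit's real plugins receive the same Call nodes through its plugin API; the pattern of matching a resolved callee name and inspecting keyword arguments is the same.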

Published

2024-12-20