CONTROLLING SOFTWARE CODE VULNERABILITIES USING AI-ORIENTED STATIC ANALYSIS
DOI: https://doi.org/10.31891/2219-9365-2025-83-1

Keywords: static code analysis, vulnerabilities, artificial intelligence, CodeBERT, secure development, hybrid model

Abstract
This paper addresses the pressing issue of software security by exploring the integration of traditional static analysis techniques with AI-based methods for source code vulnerability detection. The research proposes a hybrid architecture that combines rule-based engines such as CodeQL with transformer-based neural networks such as CodeBERT. Traditional static analyzers rely on manually crafted rules and patterns and therefore often fail to detect context-dependent or novel vulnerabilities. AI models, on the other hand, demonstrate a growing ability to learn latent semantic structures and security-relevant code patterns by leveraging abstract syntax trees (AST), data flow graphs (DFG), and language-model pretraining. The presented architecture draws on the strengths of both approaches by aggregating the results of a rule-based static analysis pipeline and an AI-assisted vulnerability classifier in a unified decision engine.
To assess the system’s effectiveness, experiments were conducted on a labeled dataset of 15,000 code samples. The AI model, based on CodeBERT, was trained for 20 epochs using binary cross-entropy and evaluated by F1-score. Three approaches were compared: rule-based, standalone AI, and the hybrid model. Results showed that the AI-only model outperformed the rule-based analyzer (F1-score: 0.81 vs. 0.68), while the hybrid approach achieved the highest score of 0.86, balancing precision and recall.
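The following is an added illustration, not code from the paper, of what the unified decision engine described above does and of how the three policies (rule-based, AI-only, hybrid) are scored against the same labelled samples with precision, recall and F1. The samples, the rule IDs, the AI scores and the fusion policy (keep a rule hit only when the classifier gives it at least weak support; without a rule hit, flag only a high-confidence classifier score) are all assumptions made for this example; the paper's own CodeQL queries, CodeBERT model and fusion logic are not reproduced here.

```python
"""Toy hybrid decision engine: fuse rule-based static-analysis findings with
an AI classifier's score, then compare precision/recall/F1 of three policies.

Every sample, rule ID, AI score and threshold below is constructed for this
illustration; none of it is the paper's dataset, queries or fusion policy."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    sample_id: str
    label: int                  # ground truth: 1 = vulnerable, 0 = benign
    rule_hits: Tuple[str, ...]  # IDs of rules the static analyzer fired
    ai_score: float             # classifier probability of "vulnerable"


# Constructed labelled samples (hypothetical rule IDs, hand-picked AI scores).
SAMPLES: List[Sample] = [
    Sample("s01", 1, ("buf/unbounded-copy",), 0.92),      # real overflow: rule fires, AI agrees
    Sample("s02", 1, (), 0.95),                           # heap overflow with no matching pattern
    Sample("s03", 1, (), 0.88),                           # use-after-free, no rule covers it
    Sample("s04", 0, ("buf/unbounded-copy",), 0.15),      # copy guarded by a length check: rule FP
    Sample("s05", 0, (), 0.62),                           # benign, AI mildly suspicious
    Sample("s06", 0, (), 0.08),                           # clearly benign
    Sample("s07", 1, ("fmt/non-literal-format",), 0.45),  # real bug, AI unsure
    Sample("s08", 0, (), 0.55),                           # benign, AI false positive
    Sample("s09", 1, (), 0.35),                           # vulnerable, missed by everything
    Sample("s10", 0, ("int/tainted-arith",), 0.20),       # rule FP, AI disagrees
]

Verdict = Callable[[Sample], int]


def rule_verdict(s: Sample) -> int:
    """Rule-only policy: any fired rule is reported as a finding."""
    return 1 if s.rule_hits else 0


def ai_verdict(s: Sample, threshold: float = 0.5) -> int:
    """AI-only policy: flag when the classifier probability crosses the threshold."""
    return 1 if s.ai_score >= threshold else 0


def hybrid_verdict(s: Sample, corroborate: float = 0.3, high_conf: float = 0.8) -> int:
    """Assumed fusion policy for the unified decision engine (not the paper's):
    - a rule hit is kept only if the AI score gives at least weak support
      (>= corroborate); otherwise it is treated as a pattern false positive;
    - without a rule hit, only a high-confidence AI score (>= high_conf)
      produces a finding, so novel bugs are caught without admitting every
      borderline classifier score as noise."""
    if s.rule_hits:
        return 1 if s.ai_score >= corroborate else 0
    return 1 if s.ai_score >= high_conf else 0


def precision_recall_f1(preds: List[int], labels: List[int]) -> Tuple[float, float, float]:
    """Binary precision, recall and F1 with the usual zero-division guards."""
    tp = sum(1 for p, y in zip(preds, labels) if p == 1 and y == 1)
    fp = sum(1 for p, y in zip(preds, labels) if p == 1 and y == 0)
    fn = sum(1 for p, y in zip(preds, labels) if p == 0 and y == 1)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def evaluate(samples: List[Sample] = SAMPLES) -> Dict[str, Tuple[float, float, float]]:
    """Score the three policies on the same labelled samples."""
    labels = [s.label for s in samples]
    policies: Dict[str, Verdict] = {
        "rule-based": rule_verdict,
        "ai-only": ai_verdict,
        "hybrid": hybrid_verdict,
    }
    return {name: precision_recall_f1([verdict(s) for s in samples], labels)
            for name, verdict in policies.items()}


if __name__ == "__main__":
    for name, (p, r, f1) in evaluate().items():
        print(f"{name:<11} precision={p:.2f} recall={r:.2f} F1={f1:.2f}")
```

On these constructed samples the rule-only policy scores F1 0.44 (two pattern false positives, three misses), the AI-only policy 0.60 (catches the overflow and use-after-free the rules have no pattern for, but also flags two benign samples), and the hybrid policy 0.89 (the rule false positives are suppressed because the classifier disagrees, the AI false positives fall below the high-confidence bar, and the format-string bug the classifier was unsure about survives because the rule corroborates it). The numbers are an artefact of the hand-picked samples; what carries over is the mechanism by which fusion trades a little recall for a large gain in precision.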
Beyond classification accuracy, the research also considered the computational trade-offs and runtime implications of integrating AI into static analysis workflows. While the AI-enhanced pipeline incurs higher memory and processing time costs, its ability to identify critical vulnerabilities missed by traditional tools justifies its application in security-sensitive environments. Case studies highlighted examples such as heap buffer overflows and use-after-free vulnerabilities, which were correctly identified by the AI model but missed by pattern-matching rules.
The paper concludes that hybrid AI-assisted static analysis is a promising direction for enhancing secure software development practices, especially in the context of DevSecOps pipelines. Future work includes extending the architecture to support multiple programming languages, integrating explainable AI components for better result interpretability, and optimizing model performance for lightweight deployment scenarios. Overall, the findings emphasize the practical feasibility and advantages of embedding AI into traditional software assurance processes to improve code security in an automated and scalable manner.
License
Copyright (c) 2025 Анна КОВАЛЬОВА

This work is licensed under a Creative Commons Attribution 4.0 International License.