COMPOSITE RISK ASSESSMENT OF BUFFER OVERFLOWS AND ITS TRANSLATION INTO CI/CD ACTIONS

Authors

DOI:

https://doi.org/10.31891/2219-9365-2025-84-10

Keywords:

buffer overflow, static analysis, criticality, composite risk, CI/CD gates, SLA

Abstract

We describe a reproducible method for buffer-overflow risk management in C/C++ within CI/CD pipelines that combines transparent, automatable engineering actions with a formal criticality assessment. Following a four-level severity stratification, the proposed composite metric incorporates path-level and local risk indicators and takes class-specific behavior (Stack/Heap/Off-by-one) into consideration. For operational integration we define fix triggers: missing boundary checks and indexing violations immediately trigger a pipeline decision (pass, warn with ticket, or block) and a time-to-fix policy (SLA) with a clear deadline. Pinning preprocessor profiles and toolchain versions, logging run manifests, and preserving audit artifacts (SARIF/HTML reports, environment parameters, and decision logs) all help to guarantee reproducibility. In our experimental study, which covers six open-source C/C++ projects under two build profiles (Debug/Release), we benchmark the approach against cppcheck, flawfinder, and a vision-based baseline (YOLO). Evaluated on precision, recall, F1, specificity, run-to-run stability, and per-file analysis time, the proposed method maintains CI/CD-feasible latency while achieving higher F1 and specificity and the best reproducibility across multiple runs. Additionally, the SLA-integrated workflow improves release reliability and lowers operational risk at the PR/commit stage by increasing the percentage of High/Critical cases that are resolved on time. Overall, formalizing criticality and combining it with quality gates and fix triggers results in a closed "detection–fix–verification" loop that works across different build configurations, languages, and repositories.
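To make the gating workflow in the abstract concrete, the following Python sketch is an added illustration and not the paper's code: it combines local and path-level risk indicators into a composite score, scales it per overflow class, maps it to four severity levels, applies the two fix triggers (missing boundary check, indexing violation), and turns each finding into a pipeline decision (pass / warn with ticket / block) plus an SLA deadline, alongside a run manifest and decision log for auditing. Every weight, threshold, SLA value, the toolchain label and the sample findings are assumptions constructed for this example; the paper's actual metric and policy are not reproduced here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class OverflowClass(Enum):
    STACK = "stack"
    HEAP = "heap"
    OFF_BY_ONE = "off-by-one"


# Assumed class-specific scaling of the composite score (illustrative, not the paper's values).
CLASS_WEIGHT = {
    OverflowClass.STACK: 1.0,
    OverflowClass.HEAP: 0.9,
    OverflowClass.OFF_BY_ONE: 0.7,
}

# Four-level stratification as (score floor, level), checked top-down. Thresholds are assumed.
SEVERITY_BANDS = [(0.8, "Critical"), (0.6, "High"), (0.3, "Medium"), (0.0, "Low")]

# Time-to-fix policy (days) and pipeline decision per level. Values are assumed.
SLA_DAYS = {"Critical": 1, "High": 7, "Medium": 30, "Low": None}
DECISION = {"Critical": "block", "High": "warn-with-ticket",
            "Medium": "warn-with-ticket", "Low": "pass"}
DECISION_RANK = {"pass": 0, "warn-with-ticket": 1, "block": 2}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    cls: OverflowClass
    local_risk: float           # 0..1 indicator at the write site
    path_risk: float            # 0..1 indicator along the path reaching it
    missing_bounds_check: bool  # fix trigger 1
    indexing_violation: bool    # fix trigger 2


def composite_score(f: Finding) -> float:
    """Weighted mix of local and path indicators, scaled by class (weights assumed)."""
    base = 0.6 * f.local_risk + 0.4 * f.path_risk
    return round(min(1.0, base * CLASS_WEIGHT[f.cls]), 3)


def severity(f: Finding) -> str:
    """Map the score to a level; a fix trigger lifts Low/Medium findings to at least High."""
    score = composite_score(f)
    level = next(name for floor, name in SEVERITY_BANDS if score >= floor)
    if (f.missing_bounds_check or f.indexing_violation) and level in ("Low", "Medium"):
        level = "High"
    return level


def evaluate_gate(findings, run_date: date, profile: str, toolchain: str) -> dict:
    """Return the PR-level decision, fix tickets with SLA deadlines, a decision log and a run manifest."""
    decision, tickets, log = "pass", [], []
    for f in findings:
        level = severity(f)
        d = DECISION[level]
        if DECISION_RANK[d] > DECISION_RANK[decision]:
            decision = d  # the PR takes the most restrictive decision of any finding
        due = None
        if SLA_DAYS[level] is not None:
            due = (run_date + timedelta(days=SLA_DAYS[level])).isoformat()
            tickets.append({"file": f.file, "line": f.line, "severity": level, "due": due})
        log.append({"file": f.file, "line": f.line, "class": f.cls.value,
                    "score": composite_score(f), "severity": level,
                    "decision": d, "due": due})
    # Run manifest stored with the decision log so the run can be reproduced and audited.
    manifest = {"run_date": run_date.isoformat(), "profile": profile, "toolchain": toolchain}
    return {"decision": decision, "tickets": tickets, "log": log, "manifest": manifest}


# Constructed sample findings (not from the paper's dataset).
SAMPLE_FINDINGS = [
    Finding("src/parse.c", 42, OverflowClass.STACK, 0.9, 0.8, True, False),
    Finding("src/buf.c", 118, OverflowClass.HEAP, 0.5, 0.4, False, True),
    Finding("src/fmt.c", 77, OverflowClass.OFF_BY_ONE, 0.3, 0.2, False, False),
]


def sample_gate_result() -> dict:
    """Run the gate over the constructed findings with a pinned (placeholder) toolchain label."""
    return evaluate_gate(SAMPLE_FINDINGS, date(2025, 12, 11),
                         profile="Release", toolchain="TOOLCHAIN_VERSION_PLACEHOLDER")


if __name__ == "__main__":
    result = sample_gate_result()
    print("pipeline decision:", result["decision"])
    for entry in result["log"]:
        print(entry)
```

With these assumed values the stack finding scores 0.86 and blocks the pipeline with a one-day SLA, the heap finding scores only 0.414 (Medium) but its indexing violation escalates it to High with a seven-day ticket, and the off-by-one finding stays Low and passes. The decision log and manifest are what a team would persist next to the SARIF/HTML reports so that a later run can be compared against the recorded verdicts.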

Published

2025-12-11

How to Cite

SIERHIEIEV Є. (2025). COMPOSITE RISK ASSESSMENT OF BUFFER OVERFLOWS AND ITS TRANSLATION INTO CI/CD ACTIONS. MEASURING AND COMPUTING DEVICES IN TECHNOLOGICAL PROCESSES, 84(4), 89–94. https://doi.org/10.31891/2219-9365-2025-84-10