Modern weapon systems and their testing infrastructure rely on the use of open-source software. Open source is provided AS IS' without guarantees. Code is often vulnerable with hard-to-mitigate attack surfaces. Tenet3, LLC will address this problem with an innovative machine learning-based approach for vulnerability detection as part of the CI/CD process. The solution is based on Explainable Artificial Intelligence (XAI) Neural Network (NN) technology able to consider low level code actions, system calls, and code data and control flows when determining if code has a vulnerability. The NN will associate code with broad vulnerability types, and via an interface based on MITRE Common Weakness Enumerations (CWEs), identify corresponding vulnerability entries in a database (NVD or CVE). The solution incorporates fast lookup of declared vulnerable library use and fast project code inspection to discover code likely copied from a vulnerable library. The solution will target C/C++ software and it will run fast enough for use in modern DevSecOps CI/CD pipelines.
