With the rapid development of the computer industry and computer software,
the risk of software vulnerabilities being exploited has greatly increased.
However, there are still many shortcomings in the existing mining techniques
for leakage source research, such as high false alarm rate, coarse-grained
detection, and dependence on expert experience. In this paper, we mainly use
the c/c++ source code data of the SARD dataset, process the source code of
CWE476, CWE469, CWE516 and CWE570 vulnerability types, test the Joern
vulnerability scanning function of the cutting-edge tool, and propose a new
cascading deep learning model VMCDL based on source code control flow to
effectively detect vulnerabilities. First, this paper uses joern to locate and
extract sensitive functions and statements to form a sensitive statement
library of vulnerable code. Then, the CFG flow vulnerability code snippets are
generated by bidirectional breadth-first traversal, and then vectorized by
Doc2vec. Finally, the cascade deep learning model based on source code control
flow is used for classification to obtain the classification results. In the
experimental evaluation, we give the test results of Joern on specific
vulnerabilities, and give the confusion matrix and label data of the binary
classification results of the model algorithm on single vulnerability type
source code, and compare and verify the five indicators of FPR, FNR, ACC, P and
F1, respectively reaching 10.30%, 5.20%, 92.50%,85.10% and 85.40%,which shows
that it can effectively reduce the false alarm rate of static analysis.

本文介绍使用 Joern 工具和基于源代码控制流的级联深度学习模型 VMCDL, 处理 SARD 数据集中 CWE476、CWE469、CWE516、CWE570 等易受攻击漏洞类型的 C/C++ 源代码数据，以有效检测软件漏洞，对模型算法进行了测试评估，同时给出了特定漏洞的 Joern 测试结果和二分类模型算法的混淆矩阵和标签数据，证明能有效减少静态分析的误报率。