Method for finding vulnerabilities in a software project

Abstract

A method () for finding vulnerabilities in a software project. The method () comprising receiving (S) a dependency file (), specifying software components related to the software project; extracting (S) information from the dependency file () using a dependency file parser (), wherein the dependency file parser () is configured for a programming language of the dependency file (), and wherein the extracted information comprises one or more dependency attributes; generating (S) a first dependency common platform enumeration, CPE, () based on the one or more dependency attributes; receiving (S) vulnerability CPEs () from a vulnerability database, VD, () wherein the vulnerability CPEs () comprises one or more vulnerability attributes; generating (S) a first condensed dataset () of vulnerability CPEs by selecting the vulnerability CPEs () that has at least one vulnerability attribute that matches at least one dependency attribute in the first dependency CPE (); evaluating (S) the vulnerability CPEs from the first condensed dataset () of vulnerability CPEs by determining a confidence score for each vulnerability CPE, wherein the confidence score is an estimate of a probability of the vulnerability CPE being relevant to the software project; generating (S) a second condensed dataset () of vulnerability CPEs, wherein the second condensed dataset () is smaller than the first condensed dataset (), from the first condensed dataset of vulnerability CPEs by selecting the vulnerability CPEs that has a confidence score above a threshold.