Perseverance is a tool developed in Python for analyzing repositories using Pydriller. It works with a dataset of open-source projects labeled as vulnerable or non-vulnerable. The tool extracts three distinct data models from Java code preceding vulnerability-fixing commits:
- Text Mining: Creates a dictionary containing keywords found in the file and their frequency within it.
- Software Metrics: Uses the tool Understand to calculate nine different metrics assessing the complexity of the file.
- Static Analysis: Uses SonarQube to identify vulnerabilities in the file, referring to applicable Java rules. These models are used to train and evaluate various machine learning classifiers, including Logistic Regression, Naive Bayes, Support Vector Machine, and Random Forest, which are not included in the original version of the system.
-
Set up the Python environment: Ensure you have Python installed on your system. It's recommended to use a virtual environment to manage dependencies.
python -m venv venv source venv/bin/activate # On Windows use `venv\Scripts\activate`
-
Install dependencies: Use
requirements.txtto install all necessary packages.pip install -r requirements.txt
-
Install SonarScanner and SonarQube: SonarScanner and SonarQube are required for static analysis. Please follow the official installation instructions:
Ensure that SonarQube is running locally or accessible from your environment for analysis.
-
Generate a SonarQube User Token: A user token is required for authentication with the SonarQube server. You can generate one by logging into SonarQube, navigating to your user account settings, and selecting Security > Generate Token. Save this token as you will need it to configure the analysis.
