Oracle Parfait -- The Journey Towards Security Productivity

Cristina Cifuentes

03 June 2025

The Parfait static code analysis tool focuses on detecting vulnerabilities that matter in widely used languages including Java, C, C++, Go, Python, Swift and more. Its focus has been on key items expected of a commercial tool that lives in a commercial organisation, namely, precision of results (i.e., a high true positive rate), scalability (i.e., being able to run quickly over millions of lines of code), incremental analysis (i.e., being able to run quickly over deltas of the code), and usability (i.e., ease of integration into standard build processes, reporting of traces to the vulnerable location, etc.). Today, Oracle Parfait is used by thousands of developers at Oracle worldwide on a day-to-day basis. In this presentation I’ll sample a flavour of Parfait — we explore some real-world challenges faced in the creation of a robust vulnerability detection tool, look into various examples of vulnerabilities, and recount what matters to developers for integrating such a tool into today's continuous integration (CI) pipelines, where automatic integration is required. I also provide a peek into the future: recent experiments on automatic generation of patches for vulnerabilities reported by Oracle Parfait through program analysis and AI-assisted analyses.


Venue: Jornadas Nacionales de Investigación en Ciberseguridad, JNIC 2025, Zaragoza, Spain. URL: https://2025.jnic.es

File name: OracleParfait-JNIC-June2025.pdf