Find the minimum number of code fixes to eliminate all vulnerabilities from SARIF scan results using mathematical optimization

Project description

CodeFlow Solver

Overview

CodeFlow Solver helps security engineers fix vulnerabilities efficiently by finding the minimum number of code fixes needed to eliminate every vulnerability reported in a set of SARIF scan results. It models the problem as a set cover problem and solves it with mathematical optimization, so the fix strategy it reports is guaranteed to use the absolute minimum number of code changes required to address all the security issues.

Installation

From PyPI

pip install codeflow-solver

From Source

git clone https://github.com/thomsonreuters/codeflow-solver.git
cd codeflow-solver
uv sync
uv pip install -e .

Usage

CLI Options

# Basic usage
codeflow-solver vulnerabilities.sarif

# Filtering options
codeflow-solver vulnerabilities.sarif --severity-filter high medium
codeflow-solver vulnerabilities.sarif --rule-filter java/XSS java/PT

# Export options
codeflow-solver vulnerabilities.sarif --export              # Detailed solution with vulnerability details
codeflow-solver vulnerabilities.sarif --minimal-export     # Optimal path with fix locations only

# Quiet mode
codeflow-solver vulnerabilities.sarif --quiet --minimal-export

Using as Package

from codeflow_solver import SarifSetCoverSolver

# Basic usage
optimizer = SarifSetCoverSolver("vulnerabilities.sarif")
optimizer.solve_mathematical_optimization()

# With filtering and export
optimizer = SarifSetCoverSolver(
    "vulnerabilities.sarif",
    severity_filter=["high", "medium"],
    rule_filter=["java/XSS"],
    export_detailed=True
)
optimizer.solve_mathematical_optimization()

Development Usage

cd codeflow-solver
uv run python -m codeflow_solver.cli.main vulnerabilities.sarif

Package Structure

src/
└── codeflow_solver/
    ├── __init__.py
    ├── cli/
    │   ├── __init__.py
    │   └── main.py             # CLI entry point
    ├── utils/
    │   ├── __init__.py
    │   ├── sarif_parser.py     # SARIF parsing
    │   ├── severity_mapper.py  # Severity mapping
    │   └── data_structures.py  # Data classes
    ├── solver/
    │   ├── __init__.py
    │   ├── set_cover_solver.py # Main solver implementation
    │   └── optimizer.py        # Optimization algorithms
    ├── set_cover/
    │   ├── __init__.py
    │   └── initializer.py      # Set cover initialization
    └── docs/                   # Documentation
tests/                          # Test files

Tests

# Run tests
uv run pytest

# Format and lint
uv run ruff format .
uv run ruff check .
uv run mypy .

How It Works

CodeFlow Solver uses mathematical optimization to find the minimum set of code changes needed to fix all vulnerabilities:

  1. Parse SARIF results - Extract vulnerabilities and dataflow paths
  2. Map coverage - Identify which fixes eliminate which vulnerabilities
  3. Optimize - Use integer programming to find the minimum fix set
  4. Export - Generate prioritized fix recommendations
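The four steps above, as an added illustration that is not the project's own code: a constructed SARIF-like document with four results is parsed into dataflow paths, a coverage map records which fix location cuts which path, an exact minimum set cover is found, and the result is exported as a list of fix locations. The exhaustive search in min_set_cover stands in for the package's integer-programming solver (same answer, no solver dependency, only practical for small inputs), and the helper names (parse_sarif, build_coverage, min_set_cover, export_plan) and the modelling assumption that fixing any one node on a result's dataflow path eliminates that result are this example's, not the package's API.

```python
import json
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional


def _flow(*nodes):
    """Build a SARIF codeFlow from (uri, line) pairs (helper for the constructed sample only)."""
    locs = [{"location": {"physicalLocation": {
        "artifactLocation": {"uri": uri},
        "region": {"startLine": line}}}} for uri, line in nodes]
    return {"threadFlows": [{"locations": locs}]}


# Constructed SARIF-like input, not real scanner output. Two XSS results share
# the node Util.java:42 and two path-traversal results share Files.java:88.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "java/XSS", "level": "error",
     "codeFlows": [_flow(("Controller.java", 10), ("Util.java", 42), ("View.java", 7))]},
    {"ruleId": "java/XSS", "level": "error",
     "codeFlows": [_flow(("Api.java", 5), ("Util.java", 42), ("View.java", 30))]},
    {"ruleId": "java/PT", "level": "warning",
     "codeFlows": [_flow(("Upload.java", 12), ("Files.java", 88))]},
    {"ruleId": "java/PT", "level": "warning",
     "codeFlows": [_flow(("Download.java", 3), ("Files.java", 88))]},
]}]})


def parse_sarif(text: str, rule_filter: Optional[Iterable[str]] = None) -> Dict[int, List[str]]:
    """Step 1: map each result (by index) to the 'uri:line' nodes on its dataflow path.

    Results whose ruleId is not in rule_filter are skipped when a filter is given.
    """
    allowed = set(rule_filter) if rule_filter else None
    vulns: Dict[int, List[str]] = {}
    idx = 0
    for run in json.loads(text).get("runs", []):
        for res in run.get("results", []):
            vid, idx = idx, idx + 1
            if allowed is not None and res.get("ruleId") not in allowed:
                continue
            nodes: List[str] = []
            for flow in res.get("codeFlows", []):
                for tf in flow.get("threadFlows", []):
                    for step in tf.get("locations", []):
                        phys = step["location"]["physicalLocation"]
                        nodes.append(f"{phys['artifactLocation']['uri']}:{phys['region']['startLine']}")
            vulns[vid] = nodes
    return vulns


def build_coverage(vulns: Dict[int, List[str]]) -> Dict[str, FrozenSet[int]]:
    """Step 2: for every candidate fix location, the set of results a fix there eliminates."""
    cov: Dict[str, set] = {}
    for vid, nodes in vulns.items():
        for node in nodes:
            cov.setdefault(node, set()).add(vid)
    return {node: frozenset(ids) for node, ids in cov.items()}


def min_set_cover(coverage: Dict[str, FrozenSet[int]], universe: Iterable[int]) -> List[str]:
    """Step 3: exact minimum set cover by trying fix sets of increasing size.

    This exhaustive search replaces the integer-programming solver for the demo; it
    returns the first smallest set that covers every result (deterministic order).
    """
    todo = frozenset(universe)
    if not todo:
        return []
    candidates = sorted(coverage, key=lambda n: (-len(coverage[n]), n))
    for k in range(1, len(candidates) + 1):
        for combo in combinations(candidates, k):
            covered = frozenset().union(*(coverage[n] for n in combo))
            if covered >= todo:
                return list(combo)
    return []  # unreachable when every result has at least one node


def export_plan(solution: List[str], coverage: Dict[str, FrozenSet[int]]) -> List[dict]:
    """Step 4: fix locations with the result indices each one eliminates."""
    return [{"fix": node, "eliminates": sorted(coverage[node])} for node in solution]


if __name__ == "__main__":
    vulns = parse_sarif(SAMPLE_SARIF)
    coverage = build_coverage(vulns)
    plan = export_plan(min_set_cover(coverage, vulns), coverage)
    print(json.dumps(plan, indent=2))  # two fixes eliminate all four results
```

Applying the same pipeline with rule_filter=["java/XSS"] mirrors the CLI's --rule-filter option: only the two XSS results remain and a single fix at Util.java:42 covers both.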

Repository

GitHub: https://github.com/thomsonreuters/codeflow-solver

License

MIT License

Contributing

Contributions are welcome! Please:

  1. Fork the repository at github.com/thomsonreuters/codeflow-solver
  2. Create a feature branch
  3. Add tests for new functionality
  4. Submit a pull request

Authors

  • Amine Boudraa
  • Gianfranco Romani
  • Yassine Ilmi

Download files

Source Distribution

codeflow_solver-1.0.tar.gz (136.5 kB, source)

Built Distribution

codeflow_solver-1.0-py3-none-any.whl (24.1 kB, Python 3)

File details

Details for the file codeflow_solver-1.0.tar.gz.

File metadata

  • Download URL: codeflow_solver-1.0.tar.gz
  • Size: 136.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.8.15

File hashes

Hashes for codeflow_solver-1.0.tar.gz
Algorithm Hash digest
SHA256 e8b994754c304b36a4fa1ac014793cee1afaf69bf33b500e817e0264d1578e1e
MD5 d666e34ac6cf8a33f1b9f8111b33c792
BLAKE2b-256 174c25f74bd187e83cc46f19c96dcfad9a37705f3c3fd08caec3c3b7231e1b65

File details

Details for the file codeflow_solver-1.0-py3-none-any.whl.

File hashes

Hashes for codeflow_solver-1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1817c999f9488e37b7ea0164749889a689569f91dd11aebbedfb0d3919b30124
MD5 baff169696c1a1f96cdc862e256821e8
BLAKE2b-256 62293255b13ac8e5c658b63cae9cdbda53d02c28172d02dbf24afab2b88f4ce8
