AutoFix

note

This capability is in Beta, and not generally available. Please contact Customer Success if you need assistance.

Qwiet AI AutoFix uses large language models (LLMs) to generate potential code fix suggestions for findings produced by preZero analyses. In addition to code changes, AutoFix also provides steps to address the vulnerability findings.

AutoFix suggestions are provided in context of a particular analysis and the existing application source code. To generate the fix, the LLM uses data available in the Code Property Graph (CPG) generated during the application analysis, including relevant source code snippets captured only when this capability is enabled. Qwiet AI AutoFix LLMs are deployed in Qwiet AI's virtual private cloud, and none of the data is shared with any third party.

AutoFix suggestions are generated automatically while the application is being analyzed in the cloud. This is an asynchronous process, and will not slow down the reporting of findings. Suggestions might take several seconds to be available for a particular finding. At the moment, AutoFix suggestions are generated for the top ten findings for each application, sorted by severity in descending order (critical, high, medium, low).

Viewing and using AutoFix suggestions

The main goal of Qwiet AI AutoFix suggestions is to help software developers and security practitioners fix vulnerability findings faster.

AutoFix suggestions generally include the updated code and steps to address the vulnerability finding. The user can copy the code and paste it in an IDE or code editor, verify that the code works as intended, and then re-analyze the application. The user can also ignore the code and use the steps to address the finding to write their own code, and then re-analyze the application. A combination of both approaches could also work well.

To view an AutoFix suggestion, click on a finding in the Vulnerabilities tab in the application details page, and then click on the AutoFix tab.

Finding Details AutoFix panel

To reduce the amount of information displayed, you can toggle on Qwiet the Noise, which filters the list to show only critical and high severity vulnerabilities.

Please provide feedback by scrolling down to the bottom of the AutoFix suggestion panel, and clicking the thumbs up/down button. Optionally, select a reason for the thumbs up/down, type in additional feedback, and click the Submit button.

Finding Details AutoFix rating form

Enabling or disabling AutoFix suggestions

note

This capability is in Beta, and not generally available. Please contact Customer Success if you need assistance.

AutoFix can be configured at the organization level in the Organization Settings page. Use the Enable AutoFix toggle to turn the feature on or off. When enabled, AutoFix will work for all applications in the organization unless it's explicitly disabled, since the default application setting for AutoFix is Inherit (see below).

Organization Settings

AutoFix can also be configured at the application level, in each application's Settings page. The AutoFix section has three options: Inherit (which is the default), Enable, and Disable. When the Inherit option is selected, AutoFix is enabled or disabled for this application based on the organization settings. When Enable or Disable is selected, AutoFix is enabled or disabled irrespective of the organization settings.

Application Settings

Supported languages

Qwiet AI AutoFix is available for applications written in the following programming languages:

  • C/C++
  • C#
  • Go
  • Java
  • JavaScript
  • PHP
  • Python
  • TypeScript

note

In most cases, only the latest "src" CPG frontend is supported (e.g. --jssrc instead of --js, --javasrc instead of --java, --pythonsrc instead of --python). This is the default behavior when language detection is in use.

Limitations

Users must always consider the limitations of AI and review and edit the suggestion to ensure that the resulting code and application are correct, secure, performant, compliant, etc.

Qwiet AI AutoFix capability has the following known limitations:

  • The system primarily uses English data. If code and comments are written in other languages, the quality of the suggestions might be diminished.
  • An AutoFix suggestion might contain code that is not syntactically correct. Linters and proper test coverage should help mitigate this issue.
  • AutoFix suggestions might change the semantics of the application. Good test coverage should help mitigate this issue.
  • Some AutoFix suggestions might not fix or resolve the vulnerability finding, and in some cases they might introduce additional issues. Review suggestions carefully.

For further assistance or inquiries, please contact your Customer Success representative.