DeepCode brings AI-powered code review to C and C++
DeepCode, the cloud service that uses machine learning to analyze codebases for security flaws and potential bugs, can now analyze C and C++ code.
Trained by analyzing thousands of open source projects, DeepCode provides feedback for projects on code-hosting platforms or in local repositories. DeepCode’s creators claim it provides better and more detailed feedback than traditional code analysis tools because it analyzes code in context, not just as text but as running software.
Most of the vulnerabilities found in software turn up in C or C++ codebases. As powerful as the two languages are, they provide little to no protection against developer mistakes, and newer versions of these languages are forced to retain backwards compatibility and thus remain vulnerable.
DeepCode’s knowledge base of issues encompasses many common problems found in C and C++ as well as other languages: style issues, resource leaks, memory allocation issues, date handling issues, and incompatibilities across versions of a language.
In an analysis of the Linux kernel, DeepCode found a number of common problems in C codebases including unsanitized parameters passed from command line arguments or environment variables, use-after-free issues, and missing checks for null pointers. Other issues in C code are more subtle, like the insecure creation of temporary files, or the possibility that certain instructions might be optimized away in compilation and not have the intended effect.
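The defect classes listed above are all well understood, and each has a standard hardened form. The following is an added example (not DeepCode's code, not taken from its Linux kernel analysis, and not the article's own) showing, for each class, the pattern a reviewer or analyzer would want to see instead of the risky one: validated parsing of an environment or command-line value, a handled null result, a free that also clears the owning pointer, a secret wipe that cannot be optimized away, and atomic temporary-file creation. All function names, the `session` struct and the `/tmp/deepcode-example-XXXXXX` template are assumptions made for the example.

```c
/* Added example: hardened forms of common C defect classes.
 * Not DeepCode's code; names and the temp-file template are invented here. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1. Untrusted argv/environment input: validate before use. atoi() would
 *    silently return 0 on garbage and ignore overflow; strtol() with errno
 *    and end-pointer checks rejects anything that is not a whole, in-range number. */
int parse_port(const char *text, int *out)
{
    char *end;
    long value;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    value = strtol(text, &end, 10);
    if (errno != 0 || *end != '\0' || value < 1 || value > 65535)
        return -1;
    *out = (int)value;
    return 0;
}

/* 2. Missing null check: a lookup may legitimately fail, so the caller handles
 *    a NULL result instead of dereferencing it. (Hypothetical "name:value" lookup.) */
const char *describe(const char *entry)
{
    const char *sep = entry ? strchr(entry, ':') : NULL;
    return sep ? sep + 1 : "(none)";
}

/* 3. Use-after-free: release the buffer through a helper that also clears the
 *    owner's pointer, so a later access is a detectable NULL, not a dangling read. */
struct session {
    char *token;
};

void session_clear(struct session *s)
{
    free(s->token);
    s->token = NULL;  /* without this line s->token would dangle */
}

int session_has_token(const struct session *s)
{
    return s->token != NULL;
}

/* 4. Instructions optimized away: a plain memset() on a buffer that is never read
 *    again may be deleted by the compiler as a dead store, leaving the secret in
 *    memory. Writing through a volatile pointer forces every store to happen. */
void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* 5. Insecure temporary file: mkstemp() creates and opens the file atomically with
 *    mode 0600, closing the name-guessing race that mktemp()/tmpnam() leave open.
 *    Returns the open descriptor (or -1); path receives the chosen file name. */
int open_private_tempfile(char *path, size_t pathlen)
{
    static const char tmpl[] = "/tmp/deepcode-example-XXXXXX";  /* assumed template */

    if (pathlen < sizeof tmpl)
        return -1;
    memcpy(path, tmpl, sizeof tmpl);
    return mkstemp(path);  /* atomic create + open with O_EXCL semantics */
}

int main(void)
{
    int port = 0;
    char path[64];
    unsigned char key[16];
    struct session s = { strdup("constructed-token") };

    printf("port \"8080\": %s\n", parse_port("8080", &port) == 0 ? "accepted" : "rejected");
    printf("port \"80x\":  %s\n", parse_port("80x", &port) == 0 ? "accepted" : "rejected");
    printf("describe: %s / %s\n", describe("user:alice"), describe(NULL));
    session_clear(&s);
    printf("token present after clear: %d\n", session_has_token(&s));
    memset(key, 0xAA, sizeof key);
    secure_zero(key, sizeof key);
    printf("key[0] after wipe: %u\n", key[0]);
    int fd = open_private_tempfile(path, sizeof path);
    if (fd >= 0) {
        printf("temp file created: %s\n", path);
        close(fd);
        unlink(path);
    }
    return 0;
}
```

The volatile loop in `secure_zero` is the portable fallback; where available, `explicit_bzero()` or `memset_s()` serve the same purpose and are what a modern analyzer would typically recommend.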
When originally launched, DeepCode supported Java, JavaScript, TypeScript, and Python, but plans were on the table for C, C++, and other languages. According to the blog post announcing C/C++ support, adding code analysis for C and C++ took three months of work, because of complexities involving C/C++’s low-level features.