iris by iris-sast

Neurosymbolic framework for code vulnerability detection

Created 10 months ago
255 stars

Top 98.8% on SourcePulse

Project Summary

IRIS is a neurosymbolic framework for automated security vulnerability detection in code. It combines Large Language Models (LLMs) with conventional static analysis: the LLM supplies the API knowledge that static analysis normally gets from hand-written rules, and the static analyzer supplies the precise whole-program reasoning an LLM alone lacks. It is aimed at developers and security researchers who want to search a codebase for instances of a given weakness class.

How It Works

IRIS uses a neurosymbolic architecture in which the LLM plays two roles: it generates the source and sink specifications that the static analysis needs, and it filters false positives out of the candidate vulnerable paths the analysis reports. The input is a project plus one Common Weakness Enumeration (CWE) identifier. IRIS then runs static analysis (CodeQL, listed as a prerequisite below) on the project using the LLM-generated specifications and outputs the set of potential vulnerabilities matching that CWE.
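The step the description above implies but does not show is the glue between the two halves: LLM-proposed source/sink specifications have to be checked and then expressed in a form the static analyzer consumes. The following is an added example, not IRIS's own code. It assumes the specs are handed to CodeQL as a Models-as-Data (MaD) extension for Java; the row layout follows the public CodeQL Java sourceModel/sinkModel columns, the allowed-kind sets are an illustrative subset, and LLM_SPECS is constructed sample data for CWE-22, including one entry with a sink kind CodeQL does not define so the validation has something to reject.

```python
"""Convert LLM-proposed source/sink specs into a CodeQL Models-as-Data (MaD)
extension for Java, rejecting entries the analyzer could not use.

Added illustration, not IRIS's code. Assumptions: specs go to CodeQL as MaD
rows; the row layout follows CodeQL's Java sourceModel/sinkModel columns;
the kind allowlists are an illustrative subset; LLM_SPECS is constructed.
"""
import json
import re

# Illustrative subset of the kinds CodeQL's Java library understands.
# "path-injection" is the sink kind behind the CWE-22 queries.
ALLOWED_KINDS = {
    "source": {"remote", "local"},
    "sink": {"path-injection", "html-injection"},
}
# MaD signature: comma-separated Java type names in parentheses, e.g. "(String)".
SIGNATURE_RE = re.compile(r"^\((?:[\w.$<>\[\]]+(?:,[\w.$<>\[\]]+)*)?\)$")
# MaD flow spec: a return value or a particular argument.
FLOW_RE = re.compile(r"^(ReturnValue|Argument\[(this|\d+)\])$")

# Constructed stand-in for what an LLM might label for CWE-22 (path traversal).
LLM_SPECS = [
    {"role": "source", "package": "javax.servlet", "type": "ServletRequest",
     "subtypes": True, "method": "getParameter", "signature": "(String)",
     "flow": "ReturnValue", "kind": "remote"},
    {"role": "sink", "package": "java.io", "type": "File", "subtypes": False,
     "method": "File", "signature": "(String)", "flow": "Argument[0]",
     "kind": "path-injection"},
    # Plausible-looking but unusable: "file-access" is not a CodeQL sink kind.
    {"role": "sink", "package": "java.nio.file", "type": "Paths",
     "subtypes": False, "method": "get", "signature": "(String,String[])",
     "flow": "Argument[0]", "kind": "file-access"},
]


def validate(spec):
    """Return the reasons a spec must not be handed to CodeQL (empty list = OK)."""
    problems = []
    role = spec.get("role")
    if role not in ALLOWED_KINDS:
        return [f"unknown role {role!r}"]
    for key in ("package", "type", "method", "signature", "flow", "kind"):
        if not spec.get(key):
            problems.append(f"missing {key}")
    if problems:
        return problems
    if not SIGNATURE_RE.match(spec["signature"]):
        problems.append(f"malformed signature {spec['signature']!r}")
    if not FLOW_RE.match(spec["flow"]):
        problems.append(f"malformed flow spec {spec['flow']!r}")
    if spec["kind"] not in ALLOWED_KINDS[role]:
        problems.append(f"kind {spec['kind']!r} not known for {role}s")
    return problems


def to_row(spec):
    """MaD row: package, type, subtypes, name, signature, ext, output/input, kind, provenance."""
    return [spec["package"], spec["type"], bool(spec.get("subtypes", True)),
            spec["method"], spec["signature"], "", spec["flow"],
            spec["kind"], "manual"]


def build_extension(specs, pack="codeql/java-all"):
    """Split validated specs into sourceModel/sinkModel rows; return (extension, rejected)."""
    rows = {"sourceModel": [], "sinkModel": []}
    rejected = []
    for spec in specs:
        problems = validate(spec)
        if problems:
            rejected.append((spec, problems))
            continue
        rows[spec["role"] + "Model"].append(to_row(spec))
    extension = {"extensions": [
        {"addsTo": {"pack": pack, "extensible": name}, "data": data}
        for name, data in rows.items() if data]}
    return extension, rejected


def render_yaml(extension):
    """Emit the extension as YAML; each row is a JSON flow sequence, which is valid YAML."""
    lines = ["extensions:"]
    for ext in extension["extensions"]:
        lines.append("  - addsTo:")
        lines.append(f"      pack: {ext['addsTo']['pack']}")
        lines.append(f"      extensible: {ext['addsTo']['extensible']}")
        lines.append("    data:")
        for row in ext["data"]:
            lines.append(f"      - {json.dumps(row)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    extension, rejected = build_extension(LLM_SPECS)
    print(render_yaml(extension))
    for spec, problems in rejected:
        print(f"# rejected {spec['type']}.{spec['method']}: {'; '.join(problems)}")
```

The validation is the part worth copying: an LLM will happily emit a kind, signature or flow token that looks right but that the analyzer silently ignores or rejects, and a spec that never loads looks exactly like a project with no findings. Checking form before the CodeQL run turns that silent failure into a visible rejection; checking that the named method actually exists in the project's dependencies is the natural next step and needs the resolved classpath.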

Quick Start & Requirements

  • Primary Install: Docker integration is recommended (docker build, docker run). Native setup requires Conda (conda env create -f environment.yml, conda activate iris).
  • Prerequisites:
    • CUDA-capable GPU and compatible toolkit (e.g., pytorch-cuda=12.1) for hardware acceleration.
    • Java build tools (JDK, Maven, Gradle) with specific versions defined in data/build_info.csv, configurable via dep_configs.json. SDKMAN! is suggested for management.
    • CodeQL (Action bundle); either set CODEQL_DIR to its install location or put the codeql binary on the system PATH.
  • Resources: Setup involves managing Conda environments, build tools, and CodeQL, which can be time-consuming.
  • Links: Read the Docs, ICLR 2025 Paper, Docker Hub.

Highlighted Details

  • Includes the comprehensive CWE-Bench-Java dataset (213 CVEs across 49 CWEs) for vulnerability research and benchmarking.
  • The dataset spans many CWEs; the largest groups are CWE-22 path traversal (60 CVEs), CWE-79 cross-site scripting (38) and CWE-94 code injection (23).
  • Recent updates include Docker integration and expansion of the CWE-Bench-Java dataset.
  • Associated with ICLR 2025 research, indicating a strong academic backing.

Maintenance & Community

IRIS is a collaborative project between researchers at Cornell University and the University of Pennsylvania.

Licensing & Compatibility

The project is released under the MIT license, permitting broad use and compatibility with closed-source projects.

Limitations & Caveats

The README does not explicitly detail known limitations, unsupported platforms, or alpha status. Native setup requires careful configuration of several heavyweight dependencies (CUDA, Java build tools, CodeQL). Because both the specifications and the false-positive filter come from an LLM, results depend on the model used and may vary between runs; treat the output as candidates for review rather than confirmed findings.

Health Check

Last Commit: 2 days ago
Responsiveness: Inactive
Pull Requests (30d): 0
Issues (30d): 0
Star History: 13 stars in the last 30 days
