Claim 4 (Comparing Languages)
If I have an engine that can scan and compare codebases across time and language, independent of compilation, I don't know about you, but I want to take it for a spin! What patterns will emerge as we compare repos of Python, COBOL and TypeScript?

This is my current validation/proof-of-principle data set. I've analyzed 104 code bases, scored them according to the blAST engine's risk exposure metrics, and present the results publicly for validation and criticism. Openness and public input are the only way forward with a system like this. The following ridgeline plots visualize the distribution of risk exposures and other metrics across languages.

Please note that this data set needs to grow and likely has non-representative numbers of repos per language (3-10). Once I get a better automated pipeline going, I hope to automate the scanning of repos to get more representative distributions. The population distributions also clearly highlight that some of my risk exposure metrics are not dialed in well, like concurrency; these should produce ranges, not binary on/off measures. I have currently set the security measures to be very sensitive, so normal coding practices are being listed as security warnings, but the sensitivity of these detections can be tuned down for a less annoying workflow and then turned back up to --paranoid for your final sanity check before pushing it live.
Core Security & Vulnerability Risks
Ridgeline plots (one per metric, distribution across languages):
- Hardcoded Payload Artifacts
- Obfuscation & Evasion Surface
- Exploit Generation Surface
- Weaponizable Injection Vectors
- Raw Memory Manipulation
Architectural Risk Exposures
Volatility & Authorship
Ridgeline plots:
- Volatility Exposure (Churn)
- Instability Exposure (Age)
- Silo Risk (Bus Factor)
- Ownership Entropy
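The two authorship metrics above, Silo Risk (Bus Factor) and Ownership Entropy, are a good place to see the difference between a binary flag and a ranged score that a sensitivity setting can threshold. The block below is an added example, not blAST's code, and the metric definitions are my assumptions for illustration: ownership entropy as normalised Shannon entropy of per-author commit share, bus factor as the smallest number of authors whose commits cover half of a file's history, and silo risk as its reciprocal. The per-file author counts are constructed sample data, and the `normal`/`paranoid` thresholds are illustrative, not the engine's.

```python
"""Added example: continuous authorship-risk scores over constructed data.

Not blAST's code. Metric definitions below are assumed for illustration:
  - ownership_entropy: normalised Shannon entropy of author commit share
  - bus_factor: smallest author set covering `coverage` of a file's commits
  - silo_risk: 1 / bus_factor, so a single-owner file scores 1.0
"""
from collections import Counter
import math

# Constructed sample: commits per author for two files (not real repo data).
SAMPLE_AUTHORSHIP = {
    "src/auth.py": Counter({"alice": 40, "bob": 2}),           # effectively one owner
    "src/util.py": Counter({"alice": 10, "bob": 9, "carol": 8, "dave": 7}),  # shared
}

# Illustrative thresholds: a higher sensitivity flags more files.
SENSITIVITY_THRESHOLDS = {"normal": 0.75, "paranoid": 0.4}


def ownership_entropy(counts):
    """Normalised Shannon entropy of author share, in [0, 1].

    0.0 means a single author owns every commit; 1.0 means ownership is
    spread evenly across all authors of the file.
    """
    total = sum(counts.values())
    n_authors = sum(1 for c in counts.values() if c > 0)
    if total == 0 or n_authors < 2:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts.values() if c > 0)
    return h / math.log2(n_authors)


def bus_factor(counts, coverage=0.5):
    """Smallest number of authors whose commits cover `coverage` of the total."""
    total = sum(counts.values())
    if total == 0:
        return 0
    covered = 0
    for rank, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        covered += c
        if covered / total >= coverage:
            return rank
    return len(counts)


def silo_risk(counts, coverage=0.5):
    """Continuous silo score in (0, 1]: 1.0 for a one-person file, lower when shared."""
    bf = bus_factor(counts, coverage)
    return 1.0 / bf if bf else 1.0


def flag(score, sensitivity="normal"):
    """Threshold a ranged score; the score itself stays continuous for plotting."""
    return score >= SENSITIVITY_THRESHOLDS[sensitivity]


def score_repo(authorship, sensitivity="normal"):
    """Per-file metrics plus the flag the chosen sensitivity would raise."""
    report = {}
    for path, counts in authorship.items():
        risk = silo_risk(counts)
        report[path] = {
            "ownership_entropy": round(ownership_entropy(counts), 3),
            "bus_factor": bus_factor(counts),
            "silo_risk": round(risk, 3),
            "flagged": flag(risk, sensitivity),
        }
    return report


if __name__ == "__main__":
    for level in ("normal", "paranoid"):
        print(level, score_repo(SAMPLE_AUTHORSHIP, level))
```

Under the `normal` threshold only `src/auth.py` is flagged; under `paranoid` the evenly shared `src/util.py` (bus factor 2, silo risk 0.5) is flagged too, while its silo risk and entropy values are unchanged. That is the shape the text asks for: the ridgeline plots get a range, and the sensitivity setting only decides where the cut falls.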
Structural Physics & DNA
Ridgeline plots:
- Structural Mass
- Control Flow Ratio
- Control Flow Branches
- Max Function Complexity
- Avg Function Arguments
- Outbound Imports
- I/O & Network Boundaries