GRAPH-BASED DATA PREPARATION FOR DETECTING BUFFER OVERFLOW VULNERABILITIES IN CODE WITHIN CI/CD PIPELINES
DOI: https://doi.org/10.31891/2307-5732-2026-361-45
Keywords: buffer overflow, static analysis, unified program graph, risk indicators, CI/CD, reproducibility, off-by-one
Abstract
We offer a clear method for managing buffer-overflow risks in C/C++ within CI/CD pipelines. This method combines a formal criticality assessment with clear and manageable engineering actions. Our metric includes local and path-level risk indicators and considers class-specific behavior such as Stack, Heap, and Off-by-one errors. It also includes a four-level severity scale: Low, Medium, High, and Critical. For operational integration, we define fix triggers. Missing boundary checks and indexing violations directly translate into pipeline decisions, such as pass, warn with ticket, or block. They also influence time-to-fix policies with specific deadlines. We ensure reproducibility by fixing preprocessor profiles and toolchain versions, recording run manifests, and keeping audit artifacts like SARIF or HTML reports, environment parameters, and decision logs. Our experimental study looks at six open-source C/C++ projects using two build profiles: Debug and Release. We compare our method with cppcheck, flawfinder, and a vision-based baseline called YOLO. We evaluate performance based on Precision, Recall, F1, specificity, run-to-run stability, and per-file analysis time. Our approach achieves higher F1 and specificity, along with the best reproducibility across repeated runs, while maintaining feasible latency for CI/CD. Also, our SLA-integrated workflow improves the timely resolution of High and Critical cases, which reduces operational risk during the PR or commit stage and boosts release reliability. In conclusion, formalizing criticality and linking it with fix triggers and quality gates creates a complete detection, fix, and verification loop. The paper also presents migration guidelines for existing codebases, showing that a staged adoption approach, which starts with high-risk modules and expands through codified templates, reduces developer resistance while preserving safety guarantees and governance outcomes.
This method can scale across different repositories, languages, and build configurations.
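To make the fix-trigger and decision-log idea from the abstract concrete, here is an added Python sketch of a quality gate; it is my own illustration, not the paper's implementation. The indicator scoring, the Off-by-one cap, the deadlines and the sample findings are all assumptions, since the page gives only the indicator names, the four severity levels and the pass / warn-with-ticket / block actions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

SEVERITIES = ["Low", "Medium", "High", "Critical"]
# Assumed fix-trigger policy: action and time-to-fix in days (placeholder deadlines, not the paper's).
POLICY = {"Low": ("pass", None), "Medium": ("warn_with_ticket", 30),
          "High": ("block", 7), "Critical": ("block", 1)}

@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    cls: str                    # "Stack", "Heap" or "Off-by-one"
    missing_bounds_check: bool  # local indicator
    index_violation: bool       # local indicator
    tainted_path: bool          # path-level indicator: untrusted input reaches the access

def severity(f: Finding) -> str:
    """Assumed scoring: each local indicator counts 1, a tainted path counts 2."""
    score = int(f.missing_bounds_check) + int(f.index_violation) + (2 if f.tainted_path else 0)
    level = SEVERITIES[min(score, 3)]
    # Assumed class-specific rule: an Off-by-one that no untrusted path reaches is capped at Medium.
    if f.cls == "Off-by-one" and not f.tainted_path:
        level = SEVERITIES[min(SEVERITIES.index(level), 1)]
    return level

def gate(findings, toolchain: str, preprocessor_profile: str) -> dict:
    """Turn findings into one pipeline decision plus a reproducible decision log."""
    entries = []
    for f in sorted(findings, key=lambda x: (x.file, x.line)):  # fixed order => stable log
        sev = severity(f)
        action, days = POLICY[sev]
        entries.append({**asdict(f), "severity": sev, "action": action, "fix_within_days": days})
    worst = max((SEVERITIES.index(e["severity"]) for e in entries), default=0)
    log = {"manifest": {"toolchain": toolchain, "preprocessor_profile": preprocessor_profile},
           "decision": POLICY[SEVERITIES[worst]][0], "findings": entries}
    # Run hash over the canonical log: two runs on the same inputs must yield the same value.
    log["run_hash"] = hashlib.sha256(json.dumps(log, sort_keys=True).encode()).hexdigest()
    return log

# Constructed sample findings (not from the paper's dataset).
SAMPLE = [
    Finding("net/parse.c", 88, "Heap", True, True, True),
    Finding("util/str.c", 12, "Off-by-one", True, False, False),
    Finding("cli/args.c", 40, "Stack", False, True, False),
]

if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE, "gcc-13.2", "Release"), indent=2))
```

Comparing `run_hash` between two CI runs on the same commit and manifest is a cheap run-to-run stability check; a differing hash with an identical manifest points at nondeterminism in the analysis itself.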
License
Copyright (c) 2026 ЄВГЕНІЙ СЄРГЄЄВ (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.