#### **6.1 Results and discussion**

In this section, we capture a conversation between a tester and the Google Assistant app during the analysis of the WebGoat project, present the report generated by the assistant, and discuss the results. It must be noted that the errors found by the assistant during the code analysis are the same as those that would be produced by the standalone PMD project.

At this early stage of the project, the main benefit of the system is the ability to use a virtual assistant to perform code analysis while multitasking, thus improving productivity. After the system is set up, the programmer can configure and engage with the VA by voice without having to manually configure the code analyzer or browse and try to understand lengthy bug reports. The assistant can be used to perform actions based on the severity of the vulnerabilities found in the project. In the current version of MyCodeAnalyzer, Google Assistant can email the user a well-formatted report or read out the most important action items after analyzing the code. **Figure 8** captures a conversation between a human tester and the Google Assistant. **Figure 9** shows a formatted vulnerability report generated by the assistant and emailed to the user after scanning the WebGoat project. The WebGoat project has more severe vulnerabilities, but only those in the figure were captured by PMD based on the rulesets used by the analyzer. As can be seen from the report, MyCodeAnalyzer was able to process the lengthy XML report returned by PMD into a more easily understood report that captures only pertinent information. These results demonstrate the applicability of using a framework backed by virtual assistants to scan code for vulnerabilities and generate meaningful reports.

#### **Figure 9.**

*The report generated by MyCodeAnalyzer and emailed to the user after scanning the OWASP WebGoat project.*
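The condensing step described above, as an added example that is not MyCodeAnalyzer's own code: it parses a PMD XML report, ranks violations by PMD's priority field (1 is most severe), and produces the kind of short action items an assistant could read aloud. It assumes PMD's standard XML report layout; the sample report is constructed, not output from a real WebGoat scan.

```python
# Added example (not MyCodeAnalyzer's own code): condense a PMD XML report into
# severity-ranked action items. Assumes PMD's XML report layout
# (<pmd><file name=...><violation ... priority="1-5">message</violation>).
import xml.etree.ElementTree as ET
from collections import Counter

PMD_NS = "{http://pmd.sourceforge.net/report/2.0.0}"
# PMD priorities: 1 = most severe, 5 = least severe.
LABEL = {1: "Critical", 2: "High", 3: "Medium", 4: "Low", 5: "Info"}

# Constructed sample in PMD's report format; not output from a real WebGoat scan.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<pmd xmlns="http://pmd.sourceforge.net/report/2.0.0" version="6.0.0" timestamp="2020-01-01T00:00:00">
  <file name="src/main/java/org/owasp/webgoat/Login.java">
    <violation beginline="42" endline="42" rule="AvoidUsingHardCodedIP" ruleset="Best Practices" priority="3">
      Do not hard code the IP address
    </violation>
    <violation beginline="77" endline="80" rule="EmptyCatchBlock" ruleset="Error Prone" priority="1">
      Avoid empty catch blocks
    </violation>
  </file>
  <file name="src/main/java/org/owasp/webgoat/Util.java">
    <violation beginline="12" endline="12" rule="UnusedPrivateField" ruleset="Best Practices" priority="3">
      Avoid unused private fields such as 'cache'.
    </violation>
  </file>
</pmd>
"""

def parse_pmd_report(xml_text):
    """Return (priority, file, line, rule, message) tuples, most severe first."""
    root = ET.fromstring(xml_text)
    findings = []
    for file_el in root.iter(PMD_NS + "file"):
        for v in file_el.iter(PMD_NS + "violation"):
            findings.append((int(v.get("priority")), file_el.get("name"),
                             int(v.get("beginline")), v.get("rule"),
                             " ".join(v.text.split())))  # collapse whitespace
    return sorted(findings)  # tuple order: priority, then file, then line

def summarize(findings):
    """Count findings per severity label, e.g. {"Critical": 1, "Medium": 2}."""
    return dict(Counter(LABEL[f[0]] for f in findings))

def action_items(findings, limit=3):
    """Short spoken-style lines for the top findings, as the assistant would read them."""
    return [f"{LABEL[p]}: {rule} at {path.rsplit('/', 1)[-1]} line {line}: {msg}"
            for p, path, line, rule, msg in findings[:limit]]
```

Running `action_items(parse_pmd_report(SAMPLE_REPORT))` yields the three findings with the priority-1 empty catch block listed first.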

#### **6.2 Challenges**

It is important to outline some challenges with the use of VAs for code analysis and mitigation of vulnerabilities. The main challenge with this new approach to code analysis is adoption. A recent study involving a small sample of participants shows that currently the primary use of VAs is for music procurement (40% of users), for information (17%), and for automation (9%) [40]. Since this is a new avenue of research, there may be initial challenges with adoption in the code analysis arena. However, we believe that as the market grows and coders get exposed to this technology, the adoption rates will increase. Researchers predict a growing use of digital voice assistants over the next few years [41, 42].

Another challenge with using the PnP model discussed in this research is handling the differences between output reports from different code analyzers. To mitigate this issue, the code analysis community may require standardization of vulnerability reports in popular formats such as XML, JSON, and HTML. Currently, most tools include information such as files, classes, and line numbers where errors are found. While the output formats may be different, NLP techniques such as NER can also be used to mine these reports for key pieces of information to achieve a standard format that can be handled by the virtual assistant and the proposed analysis framework.
