Automated Classification of Static Code Analysis Alerts: A Case Study

Yüksel, Ulaş; Sözer, Hasan

doi:10.1109/icsm.2013.89

Cited by 38 publications

(19 citation statements)

References 14 publications

(25 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yuksel and Sozer [20] developed a binary classifier to distinguish between true and false warnings based on 10 attributes, including the warning severity, type of warning, number of warnings in the file, and length of time the warning has persisted through consecutive runs of the static code analysis tool. While the authors concluded their approach to be viable, their classifier still depended on the developer's initial perception of the error-whether it was an actual error or could be ignored.…”

Section: Machine Learningmentioning

confidence: 99%

Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

Reynolds

Jayanth

Koç

et al. 2017

2017 IEEE/ACM 4th International Workshop on Software Engineering Research and Industrial Practice (SER&IP)

View full text Add to dashboard Cite

show abstract

Section: Machine Learningmentioning

confidence: 99%

Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

Reynolds

Jayanth

Koç

et al. 2017

2017 IEEE/ACM 4th International Workshop on Software Engineering Research and Industrial Practice (SER&IP)

View full text Add to dashboard Cite

show abstract

“…They complement manual software reviews and testing activities to assist in the development of dependable software systems. A major disadvantage of these tools is the large amount of alerts (i.e., warnings, issues) being exposed to developers [8]. The density of alerts can be as much as 40 alerts per thousand lines of code (KLOC) [3].…”

Section: Static Code Analysismentioning

confidence: 99%

“…The density of alerts can be as much as 40 alerts per thousand lines of code (KLOC) [3]. Around 3000 alerts can be quite common for large-scale industrial projects [8]. Moreover, these alerts are subject to false positives.…”

Section: Static Code Analysismentioning

confidence: 99%

See 1 more Smart Citation

Integrated static code analysis and runtime verification

Sözer

2014

Softw Pract Exp

View full text Add to dashboard Cite

Due to copyright restrictions, the access to the full text of this article is only available via subscription.Static code analysis tools automatically generate alerts for potential software faults that can lead to failures. However, these tools usually generate a very large number of alerts, some of which are subject to false positives. Because of limited resources, it is usually hard to inspect all the alerts. As a complementary approach, runtime verification techniques verify dynamic system behavior with respect to a set of specifications. However, these specifications are usually created manually based on system requirements and constraints. In this paper, we introduce a noval approach and a toolchain for integrated static code analysis and runtime verification. Alerts that are generated by static code analysis tools are utilized for automatically generating runtime verification specifications. On the other hand, runtime verification results are used for automatically generating filters for static code analysis tools to eliminate false positives. The approach is illustrated for the static analysis and runtime verification of an open-source bibliography reference manager software.TÜBİTA

show abstract

“…The detected violations are reported in the form of a list of alerts. Although SCAT have been successfully utilized in the industry [7,8,15], they have limitations as well. It is very hard or undecidable to show whether an execution path is feasible or infeasible without the runtime context information [11].…”

Section: Introductionmentioning

confidence: 99%

Extending Static Code Analysis with Application-Specific Rules by Analyzing Runtime Execution Traces

Ersoy

Sözer

2016

Communications in Computer and Information Science

View full text Add to dashboard Cite

Abstract. Static analysis tools cannot detect violations of applicationspecific rules. They can be extended with specialized checkers that implement the verification of these rules. However, such rules are usually not documented explicitly. Moreover, the implementation of specialized checkers is a manual process that requires expertise. In this work, application-specific programming rules are automatically extracted from execution traces collected at runtime. These traces are analyzed offline to identify programming rules. Then, specialized checkers for these rules are introduced as extensions to a static analysis tool so that their violations can be checked throughout the source code. We implemented our approach for Java programs, considering 3 types of faults. We performed an evaluation with an industrial case study from the telecommunications domain. We were able to detect real faults with checkers that were generated based on the analysis of execution logs.

show abstract

Automated Classification of Static Code Analysis Alerts: A Case Study

Cited by 38 publications

References 14 publications

Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

Integrated static code analysis and runtime verification

Extending Static Code Analysis with Application-Specific Rules by Analyzing Runtime Execution Traces

Contact Info

Product

Resources

About