Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

Reynolds, Zachary P.; Jayanth, Abhinandan B.; Koç, Uğur; Porter, Adam; Raje, Rajeev R.; Hill, James H.

doi:10.1109/ser-ip.2017..20

Cited by 21 publications

(14 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Source code is commonly parsed and transformed into graph representation to perform pattern recognition [49], [50], [55], [57], [115], [116]. It is common to use source code as the input for quality assurance tools [55], [116]. Besides it is a common analysis used for code clone detection [49], [54], [117].…”

Section: ) Source Code Analysismentioning

confidence: 99%

On Code Analysis Opportunities and Challenges for Enterprise Systems and Microservices

et al. 2020

View full text Add to dashboard Cite

Code analysis brings excellent benefits to software development, maintenance, and quality assurance. Various tools can uncover code defects or even software bugs in a range of seconds. For many projects and developers, the code analysis tools became essential in their daily routines. However, how can code analysis help in an enterprise environment? Enterprise software solutions grow in scale and complexity. These solutions no longer involve only plain objects and basic language constructs but operate with various components and mechanisms simplifying the development of such systems. Enterprise software vendors have adopted various development and design standards; however, there is a gap between what constructs the enterprise frameworks use and what current code analysis tools recognize. This manuscript aims to challenge the mainstream research directions of code analysis and motivate for a transition towards code analysis of enterprise systems with interesting problems and opportunities. In particular, this manuscript addresses selected enterprise problems apparent for monolithic and distributed enterprise solutions. It also considers challenges related to the recent architectural push towards a microservice architecture. Along with open-source proof-of-concept prototypes to some of the challenges, this manuscript elaborates on code analysis directions and their categorization. Furthermore, it suggests one possible perspective of the problem area using aspect-oriented programming.

show abstract

Section: ) Source Code Analysismentioning

confidence: 99%

On Code Analysis Opportunities and Challenges for Enterprise Systems and Microservices

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Ruthruff et al (2008) proposed a logistic regression model based on 33 features extracted from the alarms themselves to predict actionable alarms found by FindBugs, and a screening methodology was used to quickly discard features with low predictive power in order to build cost-effectively predictive models. Reynolds et al (2017) used a set of descriptive attributes to standardize the patterns of false positives. Several studies (Brun and Ernst 2004;Yi et al 2007;Heckman and Williams 2009;Liang et al 2010;Yuksel and Sözer 2013;Hanam et al 2014;Yoon et al 2014;Flynn et al 2018) have utilized machine learning classification models to abstract the difference between the actionable alarms and the unactionable alarms for automatically identifying defects.…”

Section: Related Workmentioning

confidence: 99%

A variable-level automated defect identification model based on machine learning

et al. 2019

View full text Add to dashboard Cite

Static analysis tools, automatically detecting potential source code defects at an early phase during the software development process, are diffusely applied in safety-critical software fields. However, alarms reported by the tools need to be inspected manually by developers, which is inevitable and costly, whereas a large proportion of them are found to be false positives. Aiming at automatically classifying the reported alarms into true defects and false positives, we propose a defect identification model based on machine learning. We design a set of novel features at variable level, called variable characteristics, for building the classification model, which is more fine-grained than the existing traditional features. We select 13 base classifiers and two ensemble learning methods for model building based on our proposed approach, and the reported alarms classified as unactionable (false positives) are pruned for the purpose of mitigating the effort of manual inspection. In this paper, we firstly evaluate the approach on four open-source C projects, and the classification results show that the proposed model achieves high performance and reliability in practice. Then, we conduct a baseline experiment to evaluate the effectiveness of our proposed model in contrast to traditional features, indicating that features at variable level improve the performance significantly in defect identification. Additionally, we use machine learning techniques to rank the variable characteristics in order to identify the contribution of each feature to our proposed model.

show abstract

“…On the other hand, we evaluate which metrics are highly correlated with each type of warning generated by the SCA tool, while in their work the authors evaluated which source code structures force the SCA tools to generate false positive warnings. Reynolds et al [31] identified and documented 14 of different kinds of false positive patterns, by running three of SCA tools against C/C++ Juliet test suite. Then the authors reduced the source code manually in order to remove the unrelated instructions.…”

Section: Related Workmentioning

confidence: 99%

Using Machine Learning Techniques to Classify and Predict Static Code Analysis Tool Warnings

Alikhashashneh

Raje

Hill

2018

2018 IEEE/ACS 15th International Conference on Computer Systems and Applications (AICCSA)

Self Cite

View full text Add to dashboard Cite

This paper discusses our work on using software engineering metrics (i.e., source code metrics) to classify an error message generated by a Static Code Analysis (SCA) tool as a true-positive, false-positive, or false-negative. Specifically, we compare the performance of Support Vector Machine (SVM), K-Nearest Neighbor (KNN), Random Forests, and Repeated Incremental Pruning to Produce Error Reduction (RIPPER) over eight datasets. The performance of the techniques is assessed by computing the F-measure metric, which is defined as the weighted harmonic mean of the precision and recall of the predicted model. The overall results of the study show that the F-measure value of the predicted model, which is generated using Random Forests technique, ranges from 83% to 98%. Additionally, the Random Forests technique outperforms the other techniques. Lastly, our results indicate that the complexity and coupling metrics have the most impact on whether a SCA tool with generate a false-positive warning or not.

show abstract

Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

Abstract: Head of the Graduate Program iiiTo my parents, brothers, and sister.

Cited by 21 publications

References 18 publications

On Code Analysis Opportunities and Challenges for Enterprise Systems and Microservices

On Code Analysis Opportunities and Challenges for Enterprise Systems and Microservices

A variable-level automated defect identification model based on machine learning

Using Machine Learning Techniques to Classify and Predict Static Code Analysis Tool Warnings

Contact Info

Product

Resources

About