Survey of Approaches for Postprocessing of Static Analysis Alarms

Muske, Tukaram; Serebrenik, Alexander

doi:10.1145/3494521

Cited by 12 publications

(2 citation statements)

References 159 publications

(252 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nevertheless, one major drawback of ASATs is that they generate numerous alarms with a high false positive rate, which often discourages most developers from adopting these tools [1]. To improve the usability of ASATs, researchers have proposed several approaches for the post-processing of static analysis alarms, and these approaches were divided into six main categories by Muske et al [2]: clustering, ranking, pruning, the automated elimination of false positives, the combination of static and dynamic analyses, and the simplification of manual inspection. In this study, we propose a novel approach that utilizes warning details and code snippets as input sequences for the deep learning (DL) model to classify and filter the static analysis warnings.…”

Section: Introductionmentioning

confidence: 99%

A Method for Processing Static Analysis Alarms Based on Deep Learning

Tan,

Tian

2024

Applied Sciences

View full text Add to dashboard Cite

Automatic static analysis tools (ASATs), also known as static analyzers, have demonstrated their significance and practicability in detecting software defects. ASATs assist developers to identify potential vulnerabilities, errors, and security hazards in source code without executing the software. As software systems grow in scale and complexity, ASATs are replacing manual security audits and becoming crucial for detecting issues in code. However, ASATs often generate numerous warnings with high false positive rates, while developers typically only take measures on a small portion of actionable alarms. To cope with this problem, we propose an innovative method that combines the pre-trained CodeBERT model and neural networks to reduce false positives detected by ASATs. Our approach was evaluated on the Defects4J dataset, which comprises 835 real-world software defects extracted from 17 open-source Java projects. The experimental results explicitly manifest the effectiveness in processing static analysis alarms. By employing a bidirectional recurrent neural network for context embeddings, our approach achieved an accuracy of 95.77% and an AUC score of 98.3%. This research enables developers to minimize false positive alarms and ensure a reasonable number of actionable warnings while guaranteeing software quality and security.

show abstract

Section: Introductionmentioning

confidence: 99%

A Method for Processing Static Analysis Alarms Based on Deep Learning

Tan,

Tian

2024

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…The latter represents an error in the source code that can be detected by the compiler or even the program editor, while the former indicates the abuse of variables, functions, etc., resulting in a potential operational risk or risk of attack on the software. Static code analysis techniques [3][4][5] can help developers and reviewers quickly locate defects in the source code. As determined by what we are about to present in Section 2, machine-learning-based techniques are the research direction that currently seems to have the most potential for development and practical application.…”

Section: Introductionmentioning

confidence: 99%

A Flexible Code Review Framework for Combining Defect Detection and Review Comments

Chen

Dong

et al. 2023

Aerospace

View full text Add to dashboard Cite

Defects and errors in code are different in that they are not detected by editors or compilers but pose a potential risk to software operation. For safety-critical software such as airborne software, the code review process is necessary to ensure the proper operation of software applications and even an aircraft. The traditional manual review method can no longer meet the current needs with the dramatic increase in code sizes and variety. To this end, we propose Deep Reviewer, a general and flexible code review framework that automatically detects code defects and correlates the review comments of the defects. The framework first preprocesses the data using several methods, including the proposed D2U flow. Then, features are extracted and matched by the detector, which contains a pair of twin LSTM models, one for code defect type detection and the other for review comment retrieval. Finally, the review comment output function is implemented based on the masks generated by the code defect types. The method is validated using a large public dataset, SARD. For the binary-classification task, the test results of the proposed are 98.68% and 98.67% in terms of precision and F1 score, respectively. For the multi-classification task, the proposed framework shows a significant advantage over other methods.

show abstract

Improving actionable warning identification via the refined warning-inducing context representation

Ge,

Fang,

et al. 2024

Sci. China Inf. Sci.

View full text Add to dashboard Cite

Survey of Approaches for Postprocessing of Static Analysis Alarms

Cited by 12 publications

References 159 publications

A Method for Processing Static Analysis Alarms Based on Deep Learning

A Method for Processing Static Analysis Alarms Based on Deep Learning

A Flexible Code Review Framework for Combining Defect Detection and Review Comments

Improving actionable warning identification via the refined warning-inducing context representation

Contact Info

Product

Resources

About