Towards modeling the behavior of static code analysis tools

Velicheti, Lakshmi Manohar Rao; Feiock, Dennis C.; Peiris, Manjula; Raje, Rajeev; Hill, James H.

doi:10.1145/2602087.2602101

Cited by 8 publications

(10 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We start with description of related works that used the Juliet benchmark as an input in evaluation of static code analysis tools [13][14][15][16][17]. These works are the closest to our work.…”

Section: Related Workmentioning

confidence: 99%

“…Recently, researchers have started to use Juliet test suite for evaluation of static code analysis [15,17]. A small subset of Juliet test suite was used in [15] to compare the performance of nine tools in detecting security vulnerabilities in C code.…”

Section: Related Workmentioning

confidence: 99%

“…(These values were called 'absolute' in [15] and were obtained by taking into account only the vulnerabilities that specific tools were designed to detect, that is, 'vulnerabilities not covered' were excluded.) A 2014 study [17] evaluated two commercial static analysis tools (which were not identified) using the Juliet test suite. This work did not provide detailed results; it only provided a bar graph of recall values per CWE and the true positive, false positive, and false negative numbers for two selected CWEs (i.e., CWE 134 and CWE 401).…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

On the capability of static code analysis to detect security vulnerabilities

Goševa-Popstojanova

Perhinschi²

2015

Information and Software Technology

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

On the capability of static code analysis to detect security vulnerabilities

Goševa-Popstojanova

Perhinschi²

2015

Information and Software Technology

View full text Add to dashboard Cite

“…More specifically, we integrated each static code analysis tool into the Static Code Analysis Tool Evaluator (SCATE) [19], a framework for evaluating the quality of static code analysis tools. SCATE uses rules similar to the foregoing to automatically classify static code analysis tool warnings in the Juliet test suite.…”

Section: // J U L I E T Cwe476_null_pointer_dereference__char_73b Cmentioning

confidence: 99%

“…For example, one study evaluated how different static code analysis tools performed on the Juliet test suite [18] from the National Institute of Standards and Technology and discovered a large number of false positives [19]. For two commercial off-the-shelf static code analysis tools used in the study, as many as 59% and 63%, respectively, of the warnings generated were false positives.…”

mentioning

confidence: 99%

Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

Reynolds

Jayanth

Koç

et al. 2017

2017 IEEE/ACM 4th International Workshop on Software Engineering Research and Industrial Practice (SER&IP)

Self Cite

View full text Add to dashboard Cite

show abstract

Static Code Analysis Alarms Filtering Reloaded: A New Real-World Dataset and its ML-Based Utilization

Hegedűs

Ferenć

2022

IEEE Access

View full text Add to dashboard Cite

Even though Static Code Analysis (SCA) tools are integrated into many modern software building and testing pipelines, their practical impact is still seriously hindered by the excessive number of false positive warnings they usually produce. To cope with this problem, researchers have proposed several post-processing methods that aim to filter out false hits (or equivalently identify "actionable" warnings) after the SCA tool produced its results. However, we found that most of these approaches are targeted (i.e., deal with only a few SCA warning types) and evaluated on synthetic benchmarks or small-scale manually collected data sets (i.e., with typical sample sizes of several hundred). In this paper, we present a dataset containing 224,484 real-world warning samples fixed (true positives) or explicitly ignored (false positives) by the developers, which we collected from 9,958 different opensource Java projects from GitHub using a data mining approach. Additionally, we utilize this rich dataset to train a code embedding-based machine learning model for filtering false positive warnings produced by 160 different SonarQube rule checks, one of the most widely adopted SCA tools today. This is the most extensive real-world public dataset and study we know of in this area. Our method works with an accuracy of 91% (best F1-score of 81.3% and AUC of 95.3%) for the classification of SonarQube warnings.INDEX TERMS Static code analysis, filtering false positives, real-world dataset, code embedding, machine learning.

show abstract

Towards modeling the behavior of static code analysis tools

Cited by 8 publications

References 3 publications

On the capability of static code analysis to detect security vulnerabilities

On the capability of static code analysis to detect security vulnerabilities

Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

Static Code Analysis Alarms Filtering Reloaded: A New Real-World Dataset and its ML-Based Utilization

Contact Info

Product

Resources

About