C-3PR: A Bot for Fixing Static Analysis Violations via Pull Requests

Static analysis tools are frequently used to detect common programming mistakes or bad practices. Yet, the existing literature reports that these tools are still underused in industry, which is partly due to (1) the frequently high number of false positives they generate, (2) the lack of automated repair solutions, and (3) possible mismatches between the tools and the workflows of development teams. In this study we explored the question: “How could a bot-based approach allow seamless integration of static analysis tools into developers' workflows?” To this end we introduce C-3PR, an event-based bot infrastructure that automatically proposes fixes to static analysis violations through pull requests (PRs). We have been using C-3PR in an industrial setting for a period of eight months. To evaluate C-3PR's usefulness, we monitored its operation in response to 2179 commits to the code bases of the tracked projects. The bot autonomously executed 201346 analyses, yielding 610 pull requests. Among them, 346 (57%) were merged into the projects' code bases. We observed that, on average, these PRs are evaluated faster than general-purpose PRs (2.58 and 5.78 business days, respectively). Accepted transformations take even less time (1.56 days). Among the reasons for rejection, bugs in C-3PR and in the tools it uses are the most common. PRs that require the resolution of a merge conflict are almost always rejected as well. We also conducted a focus group to assess how C-3PR affected the development workflow. We observed that developers perceived C-3PR as efficient, reliable, and useful. For instance, the participants mentioned that, given the chance, they would keep using C-3PR. Our findings bring new evidence that a bot-based infrastructure could mitigate some of the challenges that hinder the wide adoption of static analysis tools.
