Ranking warnings from multiple source code static analyzers via ensemble learning

While a wide variety of open source and proprietary source code static analyzers is available, each tool typically performs well only on a narrow class of problems, making it hard to rely on a single tool when examining a program for bugs. Combining the analyses of different tools may reduce the number of false negatives, but it also increases the absolute number of false positives, which is already high for many tools. A possible solution, then, is to filter the combined results to identify the issues least likely to be false positives. In this study, we post-analyze the reports generated by three tools on synthetic test cases provided by the US National Institute of Standards and Technology. To keep our technique as general as possible, we limit our data to the reports themselves, excluding other information such as change histories or code metrics. The features extracted from these reports are used to train a set of decision trees with AdaBoost, producing a stronger combined classifier that achieves 0.8 classification accuracy (the combined false positive rate of the tools used was 0.61). Finally, we use this classifier to rank static analyzer alarms by the probability that a given alarm corresponds to an actual bug in the source code.
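The paper itself includes no code, but the pipeline it describes (report-derived features, AdaBoost over decision trees, ranking by predicted probability) can be illustrated with a minimal sketch. Everything below is an assumption for illustration: the scikit-learn AdaBoostClassifier, the tree depth and estimator count, and the placeholder features (tool id, warning category, severity) standing in for whatever the authors actually extract from the three tools' reports.

```python
# Minimal sketch (not the authors' implementation): boost shallow decision
# trees to classify static analyzer warnings as real bugs vs. false
# positives, then rank alarms by the predicted probability of being real.
import numpy as np
from sklearn.ensemble import AdaBoostClassifier
from sklearn.model_selection import train_test_split
from sklearn.tree import DecisionTreeClassifier

rng = np.random.default_rng(0)

# Hypothetical report-derived features, integer-encoded for the trees:
# which tool raised the alarm, the warning category, and its severity.
n = 1000
X = np.column_stack([
    rng.integers(0, 3, n),    # tool id (three analyzers)
    rng.integers(0, 50, n),   # warning category (e.g., encoded CWE id)
    rng.integers(1, 5, n),    # tool-reported severity
])
y = rng.integers(0, 2, n)     # ground truth: 1 = real bug, 0 = false positive

X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=0)

# AdaBoost over shallow trees; the exact depth and number of rounds are
# assumptions, not values from the paper. (On scikit-learn < 1.2 the
# keyword is base_estimator rather than estimator.)
clf = AdaBoostClassifier(
    estimator=DecisionTreeClassifier(max_depth=2),
    n_estimators=200,
    random_state=0,
)
clf.fit(X_train, y_train)
print(f"accuracy: {clf.score(X_test, y_test):.2f}")

# Rank alarms most-likely-real-bug first using P(class == 1).
proba = clf.predict_proba(X_test)[:, 1]
for i in np.argsort(-proba)[:5]:
    print(f"alarm {i}: P(real bug) = {proba[i]:.3f}")
```

Sorting by predict_proba mirrors the paper's final step: rather than a hard accept/reject decision, developers get the alarm list ordered so the issues least likely to be false positives appear first.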
