Sorald: Automatic Patch Suggestions for SonarQube Static Analysis Violations

Previous work has shown that early resolution of issues detected by static code analyzers can prevent major costs later on. However, developers often ignore such issues for two main reasons. First, many issues must be interpreted to determine whether they correspond to actual flaws in the program. Second, static analyzers often do not present the issues in a way that is actionable. To address these problems, we present Sorald: a novel system that devises metaprogramming templates to transform the abstract syntax trees of programs and suggest fixes for static analysis warnings. Thus, the burden on the developer is reduced from interpreting and fixing static issues to inspecting and approving full-fledged solutions. Sorald fixes violations of 10 rules from SonarQube, one of the most widely used static analyzers for Java. We evaluate Sorald on a dataset of 161 popular repositories on GitHub. Our analysis shows the effectiveness of Sorald, as it fixes 65% (852/1,307) of the violations that meet the repair preconditions. Overall, our experiments show it is possible to automatically fix notable violations of the static analysis rules produced by the state-of-the-art static
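The abstract describes the approach only at the level of "metaprogramming templates that transform the abstract syntax tree". As an added illustration (not Sorald's own code, whose templates are not reproduced on this page), the following shows what one such template looks like when written against the Spoon AST library (an assumption; the abstract does not name the AST engine). The warning class targeted here is the common static-analysis complaint that two `String` expressions are compared with `==`/`!=` instead of `equals()`; the rule identifier and the exact repair are chosen for this example, not taken from the page. The structure mirrors the abstract's two stages: a repair precondition that decides whether the template may fire, and the transformation itself. The class name, method names and the command-line arguments are all hypothetical.

```java
import spoon.Launcher;
import spoon.compiler.Environment;
import spoon.reflect.CtModel;
import spoon.reflect.code.BinaryOperatorKind;
import spoon.reflect.code.CtBinaryOperator;
import spoon.reflect.code.CtExpression;
import spoon.reflect.code.CtInvocation;
import spoon.reflect.code.CtUnaryOperator;
import spoon.reflect.code.UnaryOperatorKind;
import spoon.reflect.factory.Factory;
import spoon.reflect.reference.CtExecutableReference;
import spoon.reflect.reference.CtTypeReference;
import spoon.reflect.visitor.filter.TypeFilter;

/**
 * Added example, not Sorald's code: a template-style repair for the warning
 * "strings compared with == instead of equals()". Spoon is assumed as the AST library.
 */
public class StringEqualityRepair {

    /** Repair precondition: an == or != whose operands both resolve to java.lang.String. */
    static boolean meetsPrecondition(CtBinaryOperator<?> op) {
        BinaryOperatorKind kind = op.getKind();
        if (kind != BinaryOperatorKind.EQ && kind != BinaryOperatorKind.NE) {
            return false;
        }
        return isString(op.getLeftHandOperand().getType())
                && isString(op.getRightHandOperand().getType());
    }

    private static boolean isString(CtTypeReference<?> type) {
        // getType() is null when Spoon cannot resolve the operand (e.g. noclasspath mode);
        // treating that as "not a String" keeps the template from firing on a guess.
        return type != null && "java.lang.String".equals(type.getQualifiedName());
    }

    /** Transformation template:  a == b  ->  a.equals(b)   and   a != b  ->  !a.equals(b). */
    static void applyTemplate(CtBinaryOperator<?> op) {
        Factory f = op.getFactory();
        CtExpression<?> left = op.getLeftHandOperand().clone();
        CtExpression<?> right = op.getRightHandOperand().clone();

        // Build a typed reference to String.equals(Object) rather than splicing in text,
        // so the printed result is a proper AST node, not a code snippet.
        CtExecutableReference<Boolean> equalsRef = f.Executable().createReference(
                f.Type().STRING, f.Type().BOOLEAN_PRIMITIVE, "equals", f.Type().OBJECT);
        CtInvocation<Boolean> call = f.Code().createInvocation(left, equalsRef, right);

        CtExpression<Boolean> replacement = call;
        if (op.getKind() == BinaryOperatorKind.NE) {
            CtUnaryOperator<Boolean> not = f.Core().createUnaryOperator();
            not.setKind(UnaryOperatorKind.NOT);
            not.setOperand(call);
            replacement = not;
        }
        op.replace(replacement);
    }

    public static void main(String[] args) {
        Launcher launcher = new Launcher();
        launcher.addInputResource(args[0]);          // source file or directory to repair
        launcher.setSourceOutputDirectory(args[1]);  // the patched copy is written here
        // Sniper printing rewrites only the changed nodes and keeps the surrounding layout,
        // which keeps the suggested patch small enough for a developer to review.
        launcher.getEnvironment().setPrettyPrintingMode(Environment.PRETTY_PRINTING_MODE.SNIPER);
        launcher.buildModel();
        CtModel model = launcher.getModel();

        int repaired = 0;
        for (CtBinaryOperator<?> op : model.getElements(new TypeFilter<>(CtBinaryOperator.class))) {
            if (meetsPrecondition(op)) {
                applyTemplate(op);
                repaired++;
            }
        }
        launcher.prettyprint();
        System.out.println("repaired " + repaired + " string comparison(s)");
    }
}
```

Two points this small template makes concrete. First, the precondition is what turns a warning into a fixable one: the analyzer may flag every `==` on strings, but the template only fires when both operand types resolve, which is the sort of filtering behind the "violations that meet the repair preconditions" denominator in the abstract. Second, the rewrite is not semantically neutral: `a == b` tolerates a null `a`, while `a.equals(b)` throws, so a reviewer approving the suggestion has to check nullability at that site (a null-safe variant would call `java.util.Objects.equals(a, b)` instead). That inspection step is exactly the residual burden the abstract leaves with the developer.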
