Reducing False Positives of Static Analysis for SEI CERT C Coding Standard

Static analysis tools play an important role in detecting source code that does not comply with coding standards. However, for industrial-size systems these tools report an overwhelming number of violations, many of which are false positives. This research considers the SEI CERT C Coding Standard and proposes a method for automatically reducing the false positives of static analysis tools by combining static analysis with deductive verification. Firstly, static analysis tools are used to detect positions in the source code that may not conform to the SEI CERT C. Secondly, the behavioral properties of the program at the detected positions are described in the ANSI/ISO C Specification Language (ACSL) with respect to the SEI CERT C rule or recommendation they may violate. Deductive verification is then used to prove whether these properties satisfy the conventions of the SEI CERT C. Our experiment with source code for tractors shows that 20% of the violations reported by Rosecheckers can be handled automatically, and that 90% of the false positives among them are eliminated.
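The following C file is an added illustration of the workflow the abstract describes; it is not code from the paper or from its tractor code base. It assumes the ACSL dialect understood by Frama-C's WP plugin and picks two CERT C rules as stand-ins for whatever a checker such as Rosecheckers might report: INT32-C (signed integer operations must not overflow) and ARR30-C (no out-of-bounds array subscripts). The flagged operations are the `a + b` in `add_in_range` and the `buf[i]` subscript in `bounded_sum`; the ACSL contracts in `/*@ ... */` comments state the conditions under which those operations are safe, and the runtime guards in `sum_sensor_readings` are what a prover uses to discharge them, which is exactly the evidence that the two warnings are false positives for this program. Because annotations are comments, the file also compiles and runs with an ordinary C compiler; the constants and sample inputs are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_LEN     1000   /* hypothetical limits chosen for the example */
#define MAX_READING 1000

/* Flagged arithmetic: a checker cannot see that a + b never overflows here,
 * but the ACSL precondition (evaluated over mathematical integers) states
 * exactly the INT32-C condition, which the prover then checks at every
 * call site instead of inside this function. */
/*@ requires INT_MIN <= a + b <= INT_MAX;
  @ assigns \nothing;
  @ ensures \result == a + b;
  @*/
static int add_in_range(int a, int b)
{
    return a + b;
}

/* Flagged subscript: \valid_read covers ARR30-C, and the bound on each
 * element lets the prover show the running sum stays far below INT_MAX,
 * so the call to add_in_range satisfies its precondition. */
/*@ requires len <= MAX_LEN;
  @ requires \valid_read(buf + (0 .. len - 1));
  @ requires \forall integer i; 0 <= i < len ==> 0 <= buf[i] <= MAX_READING;
  @ assigns \nothing;
  @ ensures 0 <= \result <= len * MAX_READING;
  @*/
static int bounded_sum(const int *buf, size_t len)
{
    int sum = 0;
    /*@ loop invariant 0 <= i <= len;
      @ loop invariant 0 <= sum <= i * MAX_READING;
      @ loop assigns i, sum;
      @ loop variant len - i;
      @*/
    for (size_t i = 0; i < len; i++)
        sum = add_in_range(sum, buf[i]);
    return sum;
}

/* Caller that validates untrusted input. The runtime guards are what the
 * prover uses to establish bounded_sum's preconditions; the warnings raised
 * inside bounded_sum are therefore provably false positives for this
 * program. Returns -1 when the input is rejected. */
/*@ requires \valid_read(buf + (0 .. len - 1));
  @ assigns \nothing;
  @ ensures \result == -1 || 0 <= \result <= MAX_LEN * MAX_READING;
  @*/
static int sum_sensor_readings(const int *buf, size_t len)
{
    if (len > MAX_LEN)
        return -1;
    /*@ loop invariant 0 <= k <= len;
      @ loop invariant \forall integer j; 0 <= j < k ==> 0 <= buf[j] <= MAX_READING;
      @ loop assigns k;
      @ loop variant len - k;
      @*/
    for (size_t k = 0; k < len; k++)
        if (buf[k] < 0 || buf[k] > MAX_READING)
            return -1;
    return bounded_sum(buf, len);
}

int main(void)
{
    /* Constructed sample inputs, not data from the paper's experiment. */
    const int good[] = { 100, 200, 300 };
    const int bad[]  = { 100, 5000, 300 };
    printf("good: %d\n", sum_sensor_readings(good, 3));  /* 600 */
    printf("bad:  %d\n", sum_sensor_readings(bad, 3));   /* -1  */
    return 0;
}
```

The design point is that nothing in `add_in_range` or `bounded_sum` changes to silence the checker; the contracts only make explicit the conditions under which the flagged operations are safe, and the proof succeeds or fails depending on whether callers actually establish them. If `sum_sensor_readings` dropped its length or range check, the precondition of `bounded_sum` would no longer be provable and the original warning would stand as a true positive.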
