Assessing Validity of Static Analysis Warnings using Ensemble Learning

by   Anshul Tanwar, et al.

Static Analysis (SA) tools are used to identify potential weaknesses in code and fix them in advance, while the code is being developed. In legacy codebases with high complexity, these rules-based static analysis tools generally report a lot of false warnings along with the actual ones. Though the SA tools uncover many hidden bugs, they are lost in the volume of fake warnings reported. The developers expend large hours of time and effort in identifying the true warnings. Other than impacting the developer productivity, true bugs are also missed out due to this challenge. To address this problem, we propose a Machine Learning (ML)-based learning process that uses source codes, historic commit data, and classifier-ensembles to prioritize the True warnings from the given list of warnings. This tool is integrated into the development workflow to filter out the false warnings and prioritize actual bugs. We evaluated our approach on the networking C codes, from a large data pool of static analysis warnings reported by the tools. Time-to-time these warnings are addressed by the developers, labelling them as authentic bugs or fake alerts. The ML model is trained with full supervision over the code features. Our results confirm that applying deep learning over the traditional static analysis reports is an assuring approach for drastically reducing the false positive rates.


page 1

page 2

page 3

page 4


Learning to Reduce False Positives in Analytic Bug Detectors

Due to increasingly complex software design and rapid iterative developm...

An Expert System for Learning Software Engineering Knowledge (with Case Studies in Understanding Static Code Warning)

Knowledge-based systems reason over some knowledge base. Hence, an impor...

ACWRecommender: A Tool for Validating Actionable Warnings with Weak Supervision

Static analysis tools have gained popularity among developers for findin...

Targeted Static Analysis for OCaml C Stubs: eliminating gremlins from the code

Migration to OCaml 5 requires updating a lot of C bindings due to the re...

Using Multiple Code Representations to Prioritize Static Analysis Warnings

In order to ensure the quality of software and prevent attacks from hack...

Deploying Static Analysis

Static source code analysis is a powerful tool for finding and fixing bu...

Getafix: Learning to fix bugs automatically

Static analyzers, including linters, can warn developers about programmi...

Please sign up or login with your details

Forgot password? Click here to reset