Assessing Validity of Static Analysis Warnings using Ensemble Learning

by   Anshul Tanwar, et al.

Static Analysis (SA) tools are used to identify potential weaknesses in code and fix them in advance, while the code is being developed. In legacy codebases with high complexity, these rules-based static analysis tools generally report a lot of false warnings along with the actual ones. Though the SA tools uncover many hidden bugs, they are lost in the volume of fake warnings reported. The developers expend large hours of time and effort in identifying the true warnings. Other than impacting the developer productivity, true bugs are also missed out due to this challenge. To address this problem, we propose a Machine Learning (ML)-based learning process that uses source codes, historic commit data, and classifier-ensembles to prioritize the True warnings from the given list of warnings. This tool is integrated into the development workflow to filter out the false warnings and prioritize actual bugs. We evaluated our approach on the networking C codes, from a large data pool of static analysis warnings reported by the tools. Time-to-time these warnings are addressed by the developers, labelling them as authentic bugs or fake alerts. The ML model is trained with full supervision over the code features. Our results confirm that applying deep learning over the traditional static analysis reports is an assuring approach for drastically reducing the false positive rates.



There are no comments yet.


page 1

page 2

page 3

page 4


An Expert System for Learning Software Engineering Knowledge (with Case Studies in Understanding Static Code Warning)

Knowledge-based systems reason over some knowledge base. Hence, an impor...

How Effective are Smart Contract Analysis Tools? Evaluating Smart Contract Static Analysis Tools Using Bug Injection

Security attacks targeting smart contracts have been on the rise, which ...

Getafix: Learning to fix bugs automatically

Static analyzers, including linters, can warn developers about programmi...

Ranking Warnings of Static Analysis Tools Using Representation Learning

Static analysis tools are frequently used to detect potential vulnerabil...

Debugging Static Analysis

To detect and fix bugs and security vulnerabilities, software companies ...

A True Positives Theorem for a Static Race Detector - Extended Version

RacerD is a static race detector that has been proven to be effective in...

The Cost and Benefits of Static Analysis During Development

Without quantitative data, deciding whether and how to use static analys...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.