Ranking Source Code Static Analysis Warnings for Continuous Monitoring of FLOSS Repositories

Athos Ribeiro, Paulo Meirelles, Nelson Lago, Fabio Kon
Proceedings of the 14th IFIP International Conference on Open Source Systems: Enterprise Software and Solutions. OSS 2018. IFIP Advances in Information and Communication Technology, vol 525. Springer, Cham

Performing source code static analysis during the software development cycle is a difficult task. There are different static analyzers available, and each of them usually works better in a small subset of problems, making it hard to choose a single tool. Combining the analysis of different tools solves this problem, but brings about other problems, namely the generated false positives and a large number of unsorted alarms. This paper presents kiskadee, a system to support the usage of static analysis during software development by providing carefully ranked static analysis reports. First, it runs multiple static analyzers on the source code. Then, using a classification model, the potential bugs detected by the static analyzers are ranked based on their importance, with critical flaws ranked first and potential false positives ranked last. Our experimental results show that, on average, when inspecting warnings ranked by kiskadee, one hits 5.2 times fewer false positives before each bug than when using a randomly sorted warning list.
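As an added example (this is not kiskadee's own code, nor the paper's classifier or data), the following Python sketches the pipeline the abstract describes: warnings from several analyzers are merged by file and line so that cross-tool agreement becomes a feature, a classifier trained on previously triaged warnings orders the new ones with likely bugs first and likely false positives last, and the paper's measure, the number of false positives inspected before each real bug, is computed for the ranked list and compared with the expected value for a random order. Everything below is assumed for illustration: the tool names, checker ids, file positions and triage labels are constructed, and naive Bayes is used only because it is small enough to show in full.

```python
# Added example, not kiskadee's own code: merge several analyzers' reports,
# rank them with a classifier trained on past triage, and measure false
# positives seen before each bug. Tool names, checker ids, positions and
# triage labels are constructed; naive Bayes is an illustrative model choice.
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass(frozen=True)
class Alarm:
    tool: str       # analyzer that emitted the warning (constructed name)
    file: str
    line: int
    checker: str    # rule id inside that tool (constructed)
    severity: str   # the tool's own severity label
    is_bug: bool    # ground truth from manual triage (constructed)


def agreement_counts(alarms):
    """Number of distinct tools that flagged each (file, line)."""
    tools_at = defaultdict(set)
    for a in alarms:
        tools_at[(a.file, a.line)].add(a.tool)
    return {pos: len(tools) for pos, tools in tools_at.items()}


def features(a, agreement):  # categorical features the classifier conditions on
    return ("tool=" + a.tool, "checker=" + a.checker, "severity=" + a.severity,
            "agreement=" + ("multi" if agreement > 1 else "single"))


class NaiveBayesRanker:
    """Naive Bayes over categorical features with Laplace smoothing."""
    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}
        self.n = {True: 0, False: 0}

    def fit(self, alarms):
        agree = agreement_counts(alarms)
        for a in alarms:
            self.n[a.is_bug] += 1
            self.counts[a.is_bug].update(features(a, agree[(a.file, a.line)]))
        return self

    def p_bug(self, a, agreement):
        """Posterior probability that the alarm is a real bug."""
        log_odds = math.log((self.n[True] + 1) / (self.n[False] + 1))
        for f in features(a, agreement):
            p_given_bug = (self.counts[True][f] + 1) / (self.n[True] + 2)
            p_given_fp = (self.counts[False][f] + 1) / (self.n[False] + 2)
            log_odds += math.log(p_given_bug / p_given_fp)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def rank(self, alarms):
        """Likely bugs first (ties broken by severity), likely FPs last."""
        agree = agreement_counts(alarms)
        keyed = [(self.p_bug(a, agree[(a.file, a.line)]), SEVERITY_RANK[a.severity], a)
                 for a in alarms]
        keyed.sort(key=lambda t: (t[0], t[1]), reverse=True)
        return [a for _, _, a in keyed]


def fps_before_each_bug(ranked):
    """Average number of FPs a reviewer inspects before reaching each bug."""
    costs = [sum(not x.is_bug for x in ranked[:i]) for i, a in enumerate(ranked) if a.is_bug]
    return sum(costs) / len(costs) if costs else 0.0


def expected_random_fps_before_bug(n_fp):
    """In a random order each FP precedes a given bug with probability 1/2."""
    return n_fp / 2


# Constructed data: TRAINING is already-triaged history; INCOMING is a new run
# whose labels are never read by the ranker and only score the result afterwards.
TRAINING = [Alarm(*t) for t in [
    ("toolA", "a.c", 10, "buffer-overflow", "critical", True),
    ("toolB", "a.c", 10, "overrun", "high", True),
    ("toolA", "b.c", 20, "buffer-overflow", "critical", True),
    ("toolB", "b.c", 20, "overrun", "high", True),
    ("toolA", "c.c", 30, "buffer-overflow", "critical", True),
    ("toolA", "d.c", 40, "null-deref", "high", True),
    ("toolB", "e.c", 50, "format-string", "medium", True),
    ("toolA", "f.c", 60, "unused-var", "low", False),
    ("toolA", "g.c", 80, "unused-var", "low", False),
    ("toolB", "g.c", 90, "style", "low", False),
    ("toolB", "h.c", 110, "style", "low", False),
    ("toolA", "i.c", 120, "null-deref", "high", False),
    ("toolB", "i.c", 130, "format-string", "medium", False),
]]
INCOMING = [Alarm(*t) for t in [
    ("toolA", "x.c", 5, "buffer-overflow", "critical", True),
    ("toolB", "x.c", 5, "overrun", "high", True),
    ("toolA", "y.c", 7, "unused-var", "low", False),
    ("toolB", "y.c", 9, "style", "low", False),
    ("toolA", "z.c", 3, "null-deref", "high", True),
    ("toolB", "z.c", 8, "format-string", "medium", False),
    ("toolA", "z.c", 12, "unused-var", "low", False),
    ("toolB", "w.c", 2, "overrun", "high", False),
]]


def rank_incoming():
    """Train on the triaged history and rank the untriaged warnings."""
    return NaiveBayesRanker().fit(TRAINING).rank(INCOMING)
```

Calling `rank_incoming()` places the two cross-tool warnings on `x.c:5` at the top, then the single-tool `null-deref`, with the style-level warnings last; on this constructed data a reviewer meets one false positive before the third bug and none before the first two, against an expected 2.5 per bug for a random order of the same list. The ratio obtained here is an artefact of the constructed data and is not the 5.2 reported by the paper.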

author = {Ribeiro, Athos and Meirelles, Paulo and Lago, Nelson and Kon, Fabio},
year = {2018},
month = {06},
pages = {90-101},
title = {Ranking Source Code Static Analysis Warnings for Continuous Monitoring of FLOSS Repositories},
isbn = {978-3-319-92374-1},
doi = {10.1007/978-3-319-92375-8_8}