
Mitigating False Positive Static Analysis Warnings: Progress, Challenges, and Opportunities


Abstract:

Static analysis (SA) tools can generate useful static warnings that reveal problematic code snippets in a software system without dynamically executing the corresponding source code. In the literature, static warnings are of paramount importance because they can indicate specific types of software defects at an early stage of the software development process, which reduces maintenance costs by a substantial margin. Unfortunately, due to the conservative approximations made by such SA tools, a large number of false positive (FP for short) warnings (i.e., warnings that do not indicate real bugs) are generated, making these tools less effective. During the past two decades, therefore, many false positive mitigation (FPM for short) approaches have been proposed so that more accurate and critical warnings can be delivered to developers. This paper offers a detailed survey of research achievements on the topic of FPM. Based on the 130 surveyed papers collected, we conduct a comprehensive investigation from five different perspectives. First, we reveal the research trends of this field. Second, we classify the existing FPM approaches into five different types and then present the concrete research progress. Third, we analyze the evaluation system applied to examine the performance of the proposed approaches in terms of studied SA tools, evaluation scenarios, performance indicators, and collected datasets, respectively. Fourth, we summarize the four types of empirical studies relating to SA warnings to extract the insightful findings that are helpful in reducing FP warnings. Finally, we sum up 10 challenges unresolved in the literature from the aspects of systematicness, effectiveness, completeness, and practicability, and outline possible future research opportunities based on three emerging techniques.
Published in: IEEE Transactions on Software Engineering ( Volume: 49, Issue: 12, December 2023)
Page(s): 5154 - 5188
Date of Publication: 02 November 2023


I. Introduction

STATIC analysis (SA) tools have been widely used in software quality assurance (SQA) activities to detect potentially problematic code snippets [99], [133], [136] in both commercial and open source software (OSS) systems. The reasons are as follows. First, plenty of software quality issues, such as coding defects [143], vulnerabilities [115], and code style violations [87], can be detected by SA tools. Therefore, various SQA resources (e.g., human effort and test suites) can be allocated more effectively to improve software quality based on the detection results of SA tools. Second, SA tools provide a simple and convenient way to detect quality issues in a target program without dynamically executing it. Instead, these tools match the code against a set of pre-defined common bug patterns summarized by software experts, and then report all problematic code captured by those bug patterns. Notably, most SA tools are designed as flexible and lightweight tools (e.g., FindBugs [12] and PMD [41]), which can be used either as stand-alone command line tools or as built-in components of popular IDEs such as Eclipse and IntelliJ IDEA. As a result, developers can leverage SA tools to extract a set of warnings from the target software project and then manually review, understand, and fix them later [147].

References
1. T. Kremenek and D. R. Engler, "Z-Ranking: Using statistical analysis to counter the impact of static analysis approximations", Proc. 10th Int. Static Anal. Symp. (SAS), pp. 295-315, 2003.
2. T. Kremenek, K. Ashcraft, J. Yang and D. R. Engler, "Correlation exploitation in error ranking", Proc. 12th ACM SIGSOFT Int. Symp. Found. Softw. Eng. (FSE), pp. 83-93, 2004.
3. Y. Jung, J. Kim, J. Shin and K. Yi, "Taming false alarms from a domain-unaware C analyzer by a Bayesian statistical post analysis", Proc. 12th Int. Static Anal. Symp. (SAS), pp. 203-217, 2005.
4. X. Rival, "Understanding the origin of alarms in Astrée", Proc. 12th Int. Static Anal. Symp. (SAS), pp. 303-319, 2005.
5. X. Rival, "Abstract dependences for alarm diagnosis", Proc. 3rd Asian Program. Lang. Syst. Symp. (APLAS), pp. 347-363, 2005.
6. A. Aggarwal and P. Jalote, "Integrating static and dynamic analysis for detecting vulnerabilities", Proc. 30th Annu. Int. Comput. Softw. Appl. Conf. (COMPSAC), pp. 343-350, 2006.
7. C. Boogerd and L. Moonen, "Prioritizing software inspection results using static profiling", Proc. 6th IEEE Int. Workshop Source Code Anal. Manipulation (SCAM), pp. 149-160, 2006.
8. P. Cousot et al., "Combination of abstractions in the Astrée static analyzer", Proc. 11th Asian Comput. Sci. Conf. (ASIAN), pp. 272-300, 2006.
9. N. Ayewah, W. Pugh, J. D. Morgenthaler, J. Penix and Y. Zhou, "Evaluating static analysis defect warnings on production software", Proc. 7th ACM SIGPLAN-SIGSOFT Workshop Program Anal. Softw. Tools Eng. (PASTE), pp. 1-8, 2007.
10. S. S. Heckman, "Adaptive probabilistic model for ranking code-based static analysis alerts", Proc. 29th Int. Conf. Softw. Eng. (ICSE Companion), pp. 89-90, 2007.
11. S. S. Heckman, "Adaptively ranking alerts generated from automated static analysis", ACM Crossroads, vol. 14, no. 1, pp. 1-11, 2007.
12. D. Hovemeyer and W. W. Pugh, "Finding more null pointer bugs but not too many", Proc. 7th ACM SIGPLAN-SIGSOFT Workshop Program Anal. Softw. Tools Eng. (PASTE), pp. 9-14, 2007.
13. S. Kim and M. D. Ernst, "Which warnings should I fix first?", Proc. 6th Joint Meeting Eur. Softw. Eng. Conf. ACM SIGSOFT Int. Symp. Found. Softw. Eng. (FSE), pp. 45-54, 2007.
14. S. Kim and M. D. Ernst, "Prioritizing warning categories by analyzing software history", Proc. 4th Int. Workshop Mining Softw. Repositories (MSR), p. 27, 2007.
15. D. Kong, Q. Zheng, C. Chen, J. Shuai and M. Zhu, "ISA: A source code static vulnerability detection system based on data fusion", Proc. 2nd Int. Conf. Scalable Inf. Syst. (Infoscale), p. 55, 2007.
16. L. Layman, L. A. Williams and R. S. Amant, "Toward reducing fault fix time: Understanding developer behavior for the design of automated fault detection tools", Proc. 1st Int. Symp. Empirical Softw. Eng. Meas. (ESEM), pp. 176-185, 2007.
17. M. Sherriff, S. S. Heckman, J. M. Lake and L. A. Williams, "Using groupings of static analysis alerts to identify files likely to contain field failures", Proc. 6th Joint Meeting Eur. Softw. Eng. Conf. ACM SIGSOFT Int. Symp. Found. Softw. Eng. (FSE), pp. 565-568, 2007.
18. D. Delmas and J. Souyris, "Astrée: From research to industry", Proc. 14th Int. Static Anal. Symp. (SAS), pp. 437-451, 2007.
19. C. Csallner, Y. Smaragdakis and T. Xie, "DSD-crasher: A hybrid analysis tool for bug finding", ACM Trans. Softw. Eng. Methodol., vol. 17, no. 2, pp. 8:1-8:37, 2008.
20. P. Emanuelsson and U. Nilsson, "A comparative study of industrial static analysis tools", Electron. Notes Theor. Comput. Sci., vol. 217, pp. 5-21, Jul. 2008.
21. S. Smith Heckman and L. A. Williams, "On establishing a benchmark for evaluating static analysis alert prioritization and classification techniques", Proc. 2nd Int. Symp. Empirical Softw. Eng. Meas. (ESEM), pp. 41-50, 2008.
22. H. Post, C. Sinz, A. Kaiser and T. Gorges, "Reducing false positives by combining abstract interpretation and bounded model checking", Proc. 23rd IEEE/ACM Int. Conf. Automated Softw. Eng. (ASE), pp. 188-197, 2008.
23. N. Rungta and E. G. Mercer, "A meta heuristic for effectively detecting concurrency errors", Proc. 4th Int. Haifa Verification Conf. (HVC), pp. 23-37, 2008.
24. J. R. Ruthruff, J. Penix, J. D. Morgenthaler, S. G. Elbaum and G. Rothermel, "Predicting accurate and actionable static analysis warnings: An experimental approach", Proc. 30th Int. Conf. Softw. Eng. (ICSE), pp. 341-350, 2008.
25. N. Ayewah and W. Pugh, "Using checklists to review static analysis warnings", Proc. 2nd Int. Workshop Defects Large Softw. Syst. (DEFECTS), pp. 11-15, 2009.
26. V. B. Livshits, A. V. Nori, S. K. Rajamani and A. Banerjee, "Merlin: Specification inference for explicit information flow problems", Proc. ACM SIGPLAN Conf. Program. Lang. Des. Implementation (PLDI), pp. 75-86, 2009.
27. S. S. Heckman and L. A. Williams, "A model building process for identifying actionable static analysis alerts", Proc. 2nd Int. Conf. Softw. Testing Verification Validation (ICST), pp. 161-170, 2009.
28. F. Wedyan, D. Alrmuny and J. M. Bieman, "The effectiveness of automated static analysis tools for fault detection and refactoring prediction", Proc. 2nd Int. Conf. Softw. Testing Verification Validation (ICST), pp. 141-150, 2009.
29. D. Baca, "Identifying security relevant warnings from static code analysis tools through code tainting", Proc. 5th Int. Conf. Availability Rel. Secur. (ARES), pp. 386-390, 2010.
30. Y. Kim, J. Lee, H. Han and K.-M. Choe, "Filtering false alarms of buffer overflow analysis using SMT solvers", Inf. Softw. Technol., vol. 52, no. 2, pp. 210-219, 2010.
