Case Studies of a Machine Learning Process for Improving the Accuracy of Static Analysis Tools

摘要

Static analysis tools analyze source code and report suspected problems as warningsto the user. The use of these tools is a key feature of most modern software developmentprocesses; however, the tools tend to generate large result sets that can be hard to processand prioritize in an automated way. Two particular problems are (a) a high false positiverate, where warnings are generated for code that is not problematic and (b) a high rateof non-actionable true positives, where the warnings are not acted on or do not representsigni cant risks to the quality of the source code as perceived by the developers. Previouswork has explored the use of machine learning to build models that can predict legitimatewarnings with logistic regression [38] against Google Java codebase. Heckman [19]experimented with 15 machine learning algorithms on two open source projects to classifyactionable static analysis alerts.In our work, we seek to replicate these ideas on di erent target systems, using di erentstatic analysis tools along with more machine learning techniques, and with an emphasison security-related warnings. Our experiments indicate that these models can achieve highaccuracy in actionable warning classi cation. We found that in most cases, our modelsoutperform those of Heckman [19].