Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

IEEE Conference Publication (IEEE Xplore)

Abstract:

This paper presents our results from identifying and documenting false positives generated by static code analysis tools. By false positives, we mean a static code analysis tool generates a warning message, but the warning message is not really an error. The goal of our study is to understand the different kinds of false positives generated so we can (1) automatically determine if an error message is truly indeed a true positive, and (2) reduce the number of false positives developers and testers must triage. We have used two open-source tools and one commercial tool in our study. The results of our study have led to 14 core false positive patterns, some of which we have confirmed with static code analysis tool developers.
Date of Conference: 21-21 May 2017
Date Added to IEEE Xplore: 03 July 2017
Conference Location: Buenos Aires, Argentina

I. Introduction

Static code analysis [1] is the process of checking programs for errors without actually executing them. Developers and testers can use static code analysis to locate flaws in source code (e.g., buffer overflows, null pointer dereferences, etc.) that (1) are hard to identify manually, and (2) can eventually lead to security vulnerabilities. For example, the MITRE Corporation [2] manages a list of Common Weakness Enumerations (CWEs) [3], which are weaknesses that can lead to vulnerabilities in software systems. Static code analysis tool developers can then use the list of CWEs as a guideline when developing a static code analysis tool.
