I. Introduction
Static code analysis [1] is the process of checking a program for errors without executing it. Developers and testers use static code analysis to locate flaws in source code (e.g., buffer overflows or null pointer dereferences) that are hard to find by manual review and that can turn into exploitable security vulnerabilities. For example, the MITRE Corporation [2] maintains the Common Weakness Enumeration (CWE) [3], a catalogue of weakness types that can lead to vulnerabilities in software systems. Developers of static code analysis tools can use the CWE catalogue as a guideline for which classes of flaw a tool should detect and how to label its findings.
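To make the idea concrete, the following is an added example (not code or a tool from the paper, and not any of the tools it cites): a deliberately minimal, purely syntactic checker in Python that scans a constructed C snippet line by line and reports three of the weakness classes named above with their real CWE identifiers: CWE-120 (classic buffer overflow, here a `strcpy` of a literal that does not fit its destination), CWE-242 (use of the inherently dangerous `gets`), and CWE-476 (NULL pointer dereference). The C source, the regular expressions and the crude "an `if (p` guard clears the NULL state" rule are all assumptions of this example; production analysers work on an AST or IR with real data-flow, not on regexes, but the example shows the essential point that the flaws are found without the program ever running.

```python
import re

# Constructed sample C source (not from the paper). It contains the three
# flaws the checker knows about plus two benign cases that must not be flagged.
SAMPLE_C = """\
#include <string.h>
#include <stdlib.h>

void greet(void) {
    char name[8];
    strcpy(name, "Montgomery");      /* 11 bytes into 8: CWE-120 */
    gets(name);                      /* unbounded read: CWE-242 */
}

int first(void) {
    int *p = NULL;
    return *p;                       /* p is NULL here: CWE-476 */
}

void ok(void) {
    char buf[16];
    strcpy(buf, "short");            /* fits, no finding */
    int *q = malloc(sizeof *q);
    if (q) { *q = 1; }               /* guarded, no finding */
}
"""

# Patterns for the tiny C subset this example understands (assumptions).
DECL_RE = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]')
STRCPY_RE = re.compile(r'\bstrcpy\s*\(\s*(\w+)\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)')
GETS_RE = re.compile(r'\bgets\s*\(\s*(\w+)\s*\)')
NULL_INIT_RE = re.compile(r'\b\w+\s*\*\s*(\w+)\s*=\s*NULL\s*;')
DEREF_RE = re.compile(r'\*\s*(\w+)')
GUARD_RE = re.compile(r'\bif\s*\(\s*(\w+)\b')
FUNC_HEADER_RE = re.compile(r'^\S.*\)\s*\{\s*$')

def c_string_len(lit):
    """Bytes in a C string literal body, counting each escape (e.g. \\n) as one byte."""
    return len(re.sub(r'\\.', 'x', lit))

def analyze(source):
    """Scan C source without running it; return (line_no, cwe_id, message) findings."""
    findings = []
    sizes = {}          # stack buffers declared in the current function: name -> bytes
    null_ptrs = set()   # pointers known to hold NULL at this point of the function
    for line_no, raw in enumerate(source.splitlines(), start=1):
        line = re.sub(r'/\*.*?\*/', '', raw)        # ignore block comments
        if FUNC_HEADER_RE.match(line):              # new function: forget local state
            sizes.clear()
            null_ptrs.clear()
            continue
        for name, n in DECL_RE.findall(line):       # remember fixed buffer sizes
            sizes[name] = int(n)
        m = NULL_INIT_RE.search(line)
        if m:                                       # 'T *p = NULL;' -> p is NULL
            null_ptrs.add(m.group(1))
            continue
        m = re.match(r'\s*(\w+)\s*=\s*(?!NULL\b)', line)
        if m:                                       # reassigned to something else
            null_ptrs.discard(m.group(1))
        for p in GUARD_RE.findall(line):            # assumption: 'if (p' checks for NULL
            null_ptrs.discard(p)
        for dest, lit in STRCPY_RE.findall(line):
            need = c_string_len(lit) + 1            # literal plus terminating NUL
            if dest in sizes and need > sizes[dest]:
                findings.append((line_no, "CWE-120",
                                 f"strcpy writes {need} bytes into {dest}[{sizes[dest]}]"))
        for dest in GETS_RE.findall(line):
            findings.append((line_no, "CWE-242", f"gets() into {dest} has no bound"))
        for p in DEREF_RE.findall(line):
            if p in null_ptrs:
                findings.append((line_no, "CWE-476", f"{p} is NULL when dereferenced"))
    return findings

if __name__ == "__main__":
    for line_no, cwe, msg in analyze(SAMPLE_C):
        print(f"line {line_no}: {cwe}: {msg}")
```

Run stand-alone it prints one finding per flawed line (6, 7 and 12) and stays silent on the `ok` function, which is the behaviour a developer expects from a CWE-guided checker: findings are tied to a source location and a weakness class, and code that bounds its copies or guards its pointers produces no noise.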