Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools | IEEE Conference Publication | IEEE Xplore
Subscribe
ADVANCED SEARCH
Conferences >2017 IEEE/ACM 4th Internation...

Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

PDF
Zachary P. Reynolds; Abhinandan B. Jayanth; Ugur Koc; Adam A. Porter; Rajeev R. Raje; James H. Hill
All Authors

Abstract:

This paper presents our results from identifying anddocumenting false positives generated by static code analysistools. By false positives, we mean a static code analysis...Show More

Metadata

Abstract:

This paper presents our results from identifying anddocumenting false positives generated by static code analysistools. By false positives, we mean a static code analysis toolgenerates a warning message, but the warning message isnot really an error. The goal of our study is to understandthe different kinds of false positives generated so we can (1)automatically determine if an error message is truly indeed a truepositive, and (2) reduce the number of false positives developersand testers must triage. We have used two open-source tools andone commercial tool in our study. The results of our study haveled to 14 core false positive patterns, some of which we haveconfirmed with static code analysis tool developers.
Published in: 2017 IEEE/ACM 4th International Workshop on Software Engineering Research and Industrial Practice (SER&IP)
Date of Conference: 21-21 May 2017
Date Added to IEEE Xplore: 03 July 2017
ISBN Information:
DOI: 10.1109/SER-IP.2017..20
Conference Location: Buenos Aires, Argentina
No metrics found for this document.
Contents

I. Introduction

Static code analysis [1] is the process of checking programs for errors without actually executing them. Developers and testers can use static code analysis to locate flaws in source code (e.g., buffer overflows, null pointer dereferences, etc.) that (1) are hard to identify manually, and (2) can eventually lead to security vulnerabilities. For example, the MITRE Corporation [2] manages a list of Common Weakness Enumerations (CWEs) [3], which are weaknesses that can lead to vulnerabilities in software systems. Static code analysis tool developers can then use the list of CWEs as a guideline when developing a static code analysis tool.

Usage
Select a Year
2025

View as

Total usage sinceJul 2017:785
02468JanFebMarAprMayJunJulAugSepOctNovDec244470000000
Year Total:21
Data is updated monthly. Usage includes PDF downloads and HTML views.
Citations
20
Crossref®
19
Web
of Science®
Search for
Citations in
Google Scholar®

Contact IEEE to Subscribe

References

References is not available for this document.

IEEE Account

Purchase Details

Profile Information

Need Help?

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.
© Copyright 2025 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.