WINE: Warning miner for improving bug finders

Published: 01 March 2023

Abstract

Context:

Bug finders have been actively used to detect bugs efficiently. However, developers and researchers have found that bug finders show a high false positive rate. The false positives have two major causes: (1) users rejecting warnings and (2) false-positive inducing issues (FPIs), i.e., incorrect or incomplete rule implementations.

Objective:

The objective of this study is to reduce the warning validation costs incurred by developers of bug finders when they validate their tools' implementations in order to reduce false positives caused by FPIs.

Methods:

To achieve this objective, we propose a novel approach, WINE. The key idea of WINE is to extract, from a large set of warnings, representative warnings that are structurally equal to other warnings or that structurally contain other warnings. The rationale is that warnings detected from structural information and tokens may be structurally equal to each other or may structurally contain other warnings.

Results:

We evaluated our approach with PMD, an open source bug finder, and 1,008 Java open source projects maintained by the Apache Software Foundation. WINE extracted only about 2% of all warnings. Among these 2%, we found 28 FPIs of PMD, ten of which have already been fixed. In addition, we simulated our approach in the regression testing of PMD across twelve version changes (6.25.0 to 6.37.0). We observed that WINE can effectively reduce inspection costs by removing about 95% of the changed warnings.

Conclusion:

Based on these results, we suggest that WINE could be adopted to improve bug finders by reducing false positives caused by FPIs. WINE is also helpful in the development process of bug finders for identifying false positives and false negatives, especially in regression testing.

Highlights

  • We propose a novel approach, WINE, that can reduce the inspection cost of validating warnings reported by lightweight bug finders. WINE addresses the problem of false positives caused by incorrect or incomplete implementations of the bug finders by extracting representative warnings.
  • We evaluated our approach with PMD, an open source bug finder, and 1,008 Java open source projects maintained by the Apache Software Foundation. WINE extracted only about 2% of all warnings, which reduces the validation cost for the generated warnings. Among these 2%, we found 28 false positive patterns caused by incorrect or incomplete implementations of PMD. The developers of PMD accepted all 28 issues, which had gone unreported for 13 years on average, and ten of these false-positive inducing issues have already been fixed.
  • We simulated our approach in the regression testing of PMD across twelve version changes (6.25.0 to 6.37.0). We observed that WINE can effectively reduce inspection costs by removing about 95% (8,845/9,268) of the changed warnings and extracting about 5% (423/9,268) as representative warnings.
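The representative-warning idea from the Methods section and the regression-testing simulation from the Results, as an added Python sketch that is not the authors' WINE implementation: the token normalisation, the containment rule, the rule names and the sample warnings are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Tokenizer and keyword set are simplifications assumed for this example.
TOKEN_RE = re.compile(r'[A-Za-z_]\w*|\d+|"[^"]*"|==|!=|<=|>=|&&|\|\||\S')
KEYWORDS = {"if", "else", "for", "while", "do", "try", "catch", "finally", "return",
            "throw", "new", "null", "true", "false", "break", "continue", "this"}

def shape_of(snippet):
    """Structural shape of a snippet: keep keywords and punctuation, abstract names/literals."""
    shape = []
    for tok in TOKEN_RE.findall(snippet):
        if tok in KEYWORDS or not (tok[0].isalnum() or tok[0] in '_"'):
            shape.append(tok)  # keyword, operator or punctuation survives as-is
        else:
            shape.append("STR" if tok[0] == '"' else "NUM" if tok[0].isdigit() else "ID")
    return tuple(shape)

@dataclass(frozen=True)
class Warning:
    rule: str      # rule that fired
    location: str  # file:line
    snippet: str   # flagged source fragment
    def shape(self):
        return shape_of(self.snippet)

def contains(outer, inner):
    """True if inner is a strictly smaller contiguous run of tokens inside outer."""
    n = len(inner)
    return n < len(outer) and any(outer[i:i + n] == inner for i in range(len(outer) - n + 1))

def representatives(warnings):
    """Per rule: keep the first warning of each shape, then drop shapes contained in another."""
    by_rule = {}
    for w in warnings:
        by_rule.setdefault(w.rule, {}).setdefault(w.shape(), w)
    return [w for shapes in by_rule.values() for shape, w in shapes.items()
            if not any(contains(other, shape) for other in shapes)]

def changed_warnings(old, new):
    """Warnings that disappeared or appeared between two tool versions run on the same code."""
    def key(w): return (w.rule, w.location, w.shape())
    old_keys, new_keys = {key(w) for w in old}, {key(w) for w in new}
    return [w for w in old if key(w) not in new_keys] + [w for w in new if key(w) not in old_keys]

# Constructed sample warnings (not real PMD output); rule names are illustrative only.
OLD = [Warning("EmptyCatchBlock", "A.java:10", "catch (IOException e) { }"),
       Warning("EmptyCatchBlock", "B.java:42", "catch (SQLException ex) { }"),
       Warning("EmptyCatchBlock", "C.java:7", "try { load(); } catch (Exception e) { }"),
       Warning("CompareObjectsWithEquals", "A.java:20", "if (a == b) return;"),
       Warning("CompareObjectsWithEquals", "D.java:3", "if (name == other.name) return;")]
NEW = [OLD[0], OLD[2], OLD[3], OLD[4],  # B.java:42 no longer reported; three new reports
       Warning("EmptyCatchBlock", "E.java:15", "catch (Exception e) { }"),
       Warning("EmptyCatchBlock", "F.java:88", "catch (Throwable t) { }"),
       Warning("CompareObjectsWithEquals", "G.java:9", "if (x == y) return;")]
```

On the constructed data, `representatives(OLD)` keeps 3 of 5 warnings, and `representatives(changed_warnings(OLD, NEW))` leaves 2 of the 4 warnings that changed between the two versions for inspection.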


Published In

Information and Software Technology, Volume 155, Issue C, Mar 2023, 283 pages

Publisher

Butterworth-Heinemann

United States


Author Tags

  1. Static bug finder
  2. False positive
  3. Validating warnings

Qualifiers

  • Research-article
