Context: Automated static analysis (ASA) identifies potential source code anomalies early in the software development lifecycle that could lead to field failures. Excessive alert generation and a large proportion of unimportant or incorrect alerts (unactionable alerts) may cause developers to reject the use of ASA. Techniques that identify anomalies important enough for developers to fix (actionable alerts) may increase the usefulness of ASA in practice. Objective: The goal of this work is to synthesize available research results to inform evidence-based selection of actionable alert identification techniques (AAITs). Method: Relevant studies about AAITs were gathered via a systematic literature review. Results: We selected 21 peer-reviewed studies of AAITs. The techniques use alert type selection; contextual information; data fusion; graph theory; machine learning; mathematical and statistical models; or dynamic detection to classify and prioritize actionable alerts. All of the AAITs are evaluated via an example with a variety of evaluation metrics. Conclusion: The selected studies support (with varying strength) the premise that the effective use of ASA is improved by supplementing ASA with an AAIT. Seven of the 21 selected studies reported the precision of the proposed AAITs. The two studies with the highest precision built models using the subject program's history. Precision measures how well a technique identifies true actionable alerts out of all predicted actionable alerts. Precision does not measure the number of actionable alerts missed by an AAIT or how well an AAIT identifies unactionable alerts. Inconsistent use of evaluation metrics, subject programs, and ASAs in the selected studies precludes meta-analysis and prevents the current results from informing evidence-based selection of an AAIT.
We propose building an actionable alert identification benchmark for the comparison and evaluation of AAITs from the literature on a standard set of subject programs, using a common set of evaluation metrics.