Improving the Usefulness of Alerts Generated by Automated Static Analysis Tools

Static analysis tools are programs that analyze software without executing it. They can be simple style checkers or follow intricate rules to efficiently find problems often overlooked by developers. Unfortunately, the alerts generated by those tools are not always correct. The high number of false positives has been found to be one of the major reasons why such tools have not been widely adopted. One approach to improve these tools is to post-process the generated alerts and only report actionable ones, i.e. true positives which will be acted upon by the developers. In this work, we evaluate several machine-learning classifiers that use historic alert data to classify new alerts as actionable or not. We build a framework called Autobugs to collect the necessary information. It runs a static analysis tool on past revisions of a software project, saves the generated alerts and computes the lifetime-based actionability label. This is then used to train a linear support vector machine (SVM), a nonlinear SVM and a decision tree on three similar open-source forum-software projects written in PHP. We evaluate each classifiers for each project individually as well as the application of a trained model on a different project. Based on the results, we constructed an additional classifier, which only takes into account the lifetime of an alert, classifying younger ones as actionable. It outperforms the other algorithms for our sample software-projects.