Analyzing False Positive Source Code Vulnerabilities Using Static Analysis Tools

Cheirdari, Foteini; Karabatis, George

doi:10.1109/bigdata.2018.8622456

Cited by 14 publications

(6 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are also approaches that identify patterns from warnings, source code and software repositories for predicting false positives [7,9,17,17,40,45,59,71,74], and that use machine learning techniques to learn what are likely true and false positives [7, 23, 39, 45, 59, 70? ]. For example, Zhang et al automatically learned and integrated the users' feedback to rank the warnings [76].…”

Section: Related Workmentioning

confidence: 99%

Validating static warnings via testing code fragments

Joshy

Chen

Steenhoek

et al. 2021

Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

Static analysis is an important approach for finding bugs and vulnerabilities in software. However, inspecting and confirming static warnings are challenging and time-consuming. In this paper, we present a novel solution that automatically generates test cases based on static warnings to validate true and false positives. We designed a syntactic patching algorithm that can generate syntactically valid, semantic preserving executable code fragments from static warnings. We developed a build and testing system to automatically test code fragments using fuzzers, KLEE and Valgrind. We evaluated our techniques using 12 real-world C projects and 1955 warnings from two commercial static analysis tools. We successfully built 68.5% code fragments and generated 1003 test cases. Through automatic testing, we identified 48 true positives and 27 false positives, and 205 likely false positives. We matched 4 CVE and real-world bugs using Helium, and they are only triggered by our tool but not other baseline tools. We found that testing code fragments is scalable and useful; it can trigger bugs that testing entire programs or testing procedures failed to trigger. CCS CONCEPTS• Software and its engineering → Software testing and debugging; Software verification and validation; Software defect analysis.

show abstract

Section: Related Workmentioning

confidence: 99%

Validating static warnings via testing code fragments

Joshy

Chen

Steenhoek

et al. 2021

Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

show abstract

“…Their expansion reduces only one false alert type by detecting the alert's name and applying a rule-based knowledge algorithm to check its truth. Authors in [4] propose a new algorithm to distinguish true positive from false-positive alerts. They try to identify the connection between the CWE and false positives to extract new rule-based patterns.…”

Section: E Rule Based Approachesmentioning

confidence: 99%

“…• The inability of the SAT to get knowledge about the software architecture, its dependencies, and the manner of how data flows through the system, which may result in throwing FP alerts considered as potential errors [4].…”

Section: Introductionmentioning

confidence: 99%

Software Security Static Analysis False Alerts Handling Approaches

Akremi¹

2021

IJACSA

View full text Add to dashboard Cite

False Positive Alerts (FPA), generated by Static Analyzers Tools (SAT), reduce the effectiveness of the automatic code review, letting them be underused in practice. Researchers conduct a lot of tests to improve SAT accuracy while keeping FPA at a lower rate. They use different simulated and production datasets to validate their proposed methods. This paper surveys recent approaches dealing with FPA filtering; it compares them and discusses their usefulness. It also studies the used datasets to validate the identified methods and show their effectiveness to cover most program defects. This study focuses mainly on the security bugs covered by the datasets and handled by the existing methods.

show abstract

“…Tools like RATS [14], Flawfinder [40], and Infer [6] are of this type. However, they produce many false positives, a problem identified early on by [2,8,15], making these tools difficult to use effectively as part of the developer tool chain.…”

Section: Related Workmentioning

confidence: 99%

Exploring Software Naturalness through Neural Language Models

Buratti,

Pujar,

Bornea

et al. 2020

Preprint

View full text Add to dashboard Cite

The Software Naturalness hypothesis argues that programming languages can be understood through the same techniques used in natural language processing. We explore this hypothesis through the use of a pre-trained transformer-based language model to perform code analysis tasks. Present approaches to code analysis depend heavily on features derived from the Abstract Syntax Tree (AST) while our transformer-based language models work on raw source code. This work is the first to investigate whether such language models can discover AST features automatically. To achieve this, we introduce a sequence labeling task that directly probes the language model's understanding of AST. Our results show that transformer based language models achieve high accuracy in the AST tagging task. Furthermore, we evaluate our model on a software vulnerability identification task. Importantly, we show that our approach obtains vulnerability identification results comparable to graph based approaches that rely heavily on compilers for feature extraction. * Equal Contribution. In no particular order.Preprint. Under review.

show abstract

Analyzing False Positive Source Code Vulnerabilities Using Static Analysis Tools

Cited by 14 publications

References 22 publications

Validating static warnings via testing code fragments

Validating static warnings via testing code fragments

Software Security Static Analysis False Alerts Handling Approaches

Exploring Software Naturalness through Neural Language Models

Contact Info

Product

Resources

About