Evaluating static analysis defect warnings on production software

Ayewah, Nathaniel; Pugh, William; Morgenthaler, J. David; Penix, John; Zhou, YuQian

doi:10.1145/1251535.1251536

Cited by 174 publications

(141 citation statements)

References 13 publications

Supporting

Mentioning

135

Contrasting

Unclassified

Order By: Relevance

“…We used Fortify Source Code Analyzer version 5.6 for static analysis. While there is no release quality free PHP static analysis tool, two of the Java web applications used the free FindBugs [1] static analysis tool. No web application showed evidence of use of a commercial static analysis tool in the form of files in the repository (which is how we identified use of FindBugs) or web site documentation.…”

Section: Methodsmentioning

confidence: 99%

Idea: Java vs. PHP: Security Implications of Language Choice for Web Applications

Walden

Doyle

Lenhof

et al. 2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. While Java and PHP are two of the most popular languages for open source web applications found at freshmeat.net, Java has had a much better security reputation than PHP. In this paper, we examine whether that reputation is deserved. We studied whether the variation in vulnerability density is greater between languages or between different applications written in a single language by comparing eleven open source web applications written in Java with fourteen such applications written in PHP. To compare the languages, we created a Common Vulnerability Metric (CVM), which is the count of four vulnerability types common to both languages. Common Vulnerability Density (CVD) is CVM normalized by code size. We measured CVD for two revisions of each project, one from 2006 and the other from 2008. CVD values were higher for the aggregate PHP code base than the Java code base, but PHP had a better rate of improvement, with a decline from 6.25 to 2.36 vulnerabilities/KLOC compared to 1.15 to 0.63 in Java. These changes arose from an increase in code size in both languages and a decrease in vulnerabilities in PHP. The variation between projects was greater than the variation between languages, ranging from 0.52 to 14.39 for Java and 0.03 to 121.36 in PHP for 2006. We used security and software metrics to examine the sources of difference between projects.

show abstract

Section: Methodsmentioning

confidence: 99%

Idea: Java vs. PHP: Security Implications of Language Choice for Web Applications

Walden

Doyle

Lenhof

et al. 2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Ayewah et al (2007) discuss the warnings found by FindBugs tool and classify them by kinds, positives (warnings that aren't really defects), trivial bugs (true defects with minimal impact) and serious bugs (defects with significant impact).…”

Section: Related Workmentioning

confidence: 99%

Comparative Study of the Quality Assessment Tools Based on a Model: Sonar, Squale, EvalMetrics

Bougroun¹,

Zeearaoui²,

Bouchentouf³

2016

Journal of Computer Science

View full text Add to dashboard Cite

To build software, the customer is looking for a company that develops the product in record time with minimal cost and good quality. To measure the productivity and the software quality, several indicators and metrics have emerged, which have been the subject of various research fields and which are highly demanded by enterprises and software development teams. In order to assess the software quality and ensure of the quality of the product many tools have been developed and used. The work presented in this study is focused on tools measuring software quality, so we present the open source tools developed in java, then we compare it, according to some criteria defined in this study.

show abstract

“…The overwhelming number of 700,000 downloads (Shen et al, 2011) is an indicator of its popularity in industrial and research projects. It was also an essential analyzer in developing Java programs in Google (Ayewah et al, 2007). It uses different set of bug detectors for detecting bug patterns.…”

Section: Background Knowledge Of Findbugsmentioning

confidence: 99%

CQE - An Approach to Automatically Estimate the Code Quality using an Objective Metric From an Empirical Study

2013

Proceedings of the 8th International Joint Conference on Software Technologies

View full text Add to dashboard Cite

Abstract:Bugs in a project, at any stage of Software life cycle development are costly and difficult to find and fix. Moreover, the later a bug is found, the more expensive it is to fix. There are static analysis tools to ease the process of finding bugs, but their results are not easy to filter out critical errors and is time consuming to analyze. To solve this problem we used two steps: first to enhance the bugs severity and second is to estimate the code quality, by Weighted Error Code Density metric. Our experiment on 10 widely used open-source Java applications automatically shows their code quality estimated using our objective metric. We also enhance the error ranking of FindBugs, and provide a clear view on the critical errors to fix as well as low priority ones to potentially ignore.

show abstract

Evaluating static analysis defect warnings on production software

Cited by 174 publications

References 13 publications

Idea: Java vs. PHP: Security Implications of Language Choice for Web Applications

Idea: Java vs. PHP: Security Implications of Language Choice for Web Applications

Comparative Study of the Quality Assessment Tools Based on a Model: Sonar, Squale, EvalMetrics

CQE - An Approach to Automatically Estimate the Code Quality using an Objective Metric From an Empirical Study

Contact Info

Product

Resources

About