Explaining Static Analysis - A Perspective

Nachtigall, Marcus; Quang, Lisa Nguyen; Bodden, Eric

doi:10.1109/asew.2019.00023

Cited by 10 publications

(3 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There has been work in recent years to address usability issues and improve the understandability of static analysis results [26,28]. These mostly focus on explaining analysis warnings.…”

Section: Related Workmentioning

confidence: 99%

Context-Sensitive Meta-Constraint Systems for Explainable Program Analysis

Apinis

Vojdani

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We show how to generate a constraint system of symbolic expressions as part of an inter-procedural constraint-system–based program analysis such that any chosen slice of the intended analysis may be computed through the evaluation of the symbolic constraints. Thus, our method ensures that the computed expressions provide genuine explanations for the chosen analysis slice. The resulting system is then annotated with program location information, translated into closed-form expressions, and simplified to yield a human-readable justification for the analyzer’s verdict. Justifications are given using program locations, constants from the program, abstract lattice operations, loops in the analysis, and computed results.

show abstract

“…There has been work in recent years to address usability issues and improve the understandability of static analysis results [26,28]. These mostly focus on explaining analysis warnings.…”

Section: Related Workmentioning

confidence: 99%

Context-Sensitive Meta-Constraint Systems for Explainable Program Analysis

Apinis

Vojdani

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In terms of static analysis research, further framing can be done with a distinction to technical and social research topics. In general, the former deal with tools for specific programming languages, while the latter studies the question of how these tools are used with particular languages [4], [38], [79]. The social topics include also the further question of how developers use static analysis tools to diagnose and fix weaknesses and vulnerabilities [44], [60].…”

Section: B Related Workmentioning

confidence: 99%

“…Static analysis tools are highly prone to false negatives (bugs not caught) and false positives (issues that are not bugs) [9], [13]. Including detection confidence indicators is one way for addressing the problem [38]. Analogously, according to recent surveys, issue severity is the most important factor for software developers in their prioritization tasks [79].…”

Section: B Issuesmentioning

confidence: 99%

A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI

Ruohonen,

Hjerppe,

Rindell

2021

Preprint

View full text Add to dashboard Cite

Different security issues are a common problem for open source packages archived to and delivered through software ecosystems. These often manifest themselves as software weaknesses that may lead to concrete software vulnerabilities. This paper examines various security issues in Python packages with static analysis. The dataset is based on a snapshot of all packages stored to the Python Package Index (PyPI). In total, over 197 thousand packages and over 749 thousand security issues are covered. Even under the constraints imposed by static analysis, (a) the results indicate prevalence of security issues; at least one issue is present for about 46% of the Python packages. In terms of the issue types, (b) exception handling and different code injections have been the most common issues. The subprocess module stands out in this regard. Reflecting the generally small size of the packages, (c) software size metrics do not predict well the amount of issues revealed through static analysis. With these results and the accompanying discussion, the paper contributes to the field of large-scale empirical studies for better understanding security problems in software ecosystems.

show abstract