The reviewed record of science sign in
Pith

arxiv: 2110.03296 · v1 · pith:J6TGVUXN · submitted 2021-10-07 · cs.SE

Ranking Warnings of Static Analysis Tools Using Representation Learning

Reviewed by Pithpith:J6TGVUXNopen to challenge →

classification cs.SE
keywords warningsdefpanalysispositivestatictoolsvulnerabilitiesactual
0
0 comments X
read the original abstract

Static analysis tools are frequently used to detect potential vulnerabilities in software systems. However, an inevitable problem of these tools is their large number of warnings with a high false positive rate, which consumes time and effort for investigating. In this paper, we present DeFP, a novel method for ranking static analysis warnings. Based on the intuition that warnings which have similar contexts tend to have similar labels (true positive or false positive), DeFP is built with two BiLSTM models to capture the patterns associated with the contexts of labeled warnings. After that, for a set of new warnings, DeFP can calculate and rank them according to their likelihoods to be true positives (i.e., actual vulnerabilities). Our experimental results on a dataset of 10 real-world projects show that using DeFP, by investigating only 60% of the warnings, developers can find +90% of actual vulnerabilities. Moreover, DeFP improves the state-of-the-art approach 30% in both Precision and Recall.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.