Static Code Analysis: A Tree of Science Review

Keywords: static analysis, alert, bug, defect, warning, fault code

Abstract

Static Code Analysis (SA) is the process of finding vulnerabilities in software. This process has become popular and is one of the most evaluated phases in the continuous integration of software. However, the literature is spread over different proposals, and there is a lack of research that shows the main contributions and applications of this topic. The purpose of this paper is to identify the main conceptual contributions of SA using the Tree of Science algorithm. The results show three main branches of this area: machine learning for smell detection, actionable ranking techniques, and technical alert tools. Artificial Intelligence has been transforming SA, and programmers will have access to more sophisticated tools.


Author Biographies

Gustavo Adolfo Ruiz, Universidad Católica Luis Amigó

Systems Engineer, graduated from the Institución Universitaria Antonio José Camacho in 2017, and Technical Professional in Business Processes, graduated from the Corporación Universitaria Centro Superior de Cali in 2009. Software developer with more than 5 years of experience in custom software development, with certified experience at well-known clients such as Grupo Sura and Cencosud de Scotiabank. He currently works as a Senior Java developer for IMAGEMAKER COLOMBIA SAS. His interests are the application of information technology to streamline processes, big data, and business intelligence.

ORCID: https://orcid.org/0000-0002-3877-0284

Sebastian Robledo Giraldo, Universidad Católica Luis Amigó

Associate Researcher categorized by Minciencias; Industrial Engineer, Master in Administration, and Doctor in Engineering. He has worked in the social sciences and in engineering. In the social sciences, he has studied the diffusion of products through social networks without a monetary incentive, within an entrepreneurial marketing context. In engineering, he has created technological tools for the analysis of scientometric data (Tree of Science); this product is registered by the Universidad Nacional de Colombia. He also completed a postdoctoral stay at the Centro de Bioinformática y Biología Computacional de Colombia (BIOS), where tools for scientometric analysis were developed. He is currently a teacher-researcher at the Universidad Católica Luis Amigó and director of the Core of Science corporation, a non-profit entity dedicated to fostering the training of data scientists.

ORCID: https://orcid.org/0000-0003-4357-4402 

Huber Hernando Morales, Universidad Católica Luis Amigó

In 2013 he received a Master's degree in Education from the Universidad de Antioquia, Medellín, Colombia, and in 2009 a degree in Electronic Engineering from the Universidad de Antioquia, Medellín, Colombia. He has more than 6 years of professional experience as a university lecturer and 5 years as a programme director. His main research interests are co-creation, data analysis, blockchain, software development, and education.

ORCID: https://orcid.org/0000-0003-2498-8431


Published

2023-07-18

How to Cite

Ruiz, G., Robledo Giraldo, S., & Morales, H. (2023). Static Code Analysis: A Tree of Science Review. Entre Ciencia E Ingeniería, 17(34), 9-14. https://doi.org/10.31908/19098367.2846

Section

Articles