Paper title

Learning to Reduce False Positives in Analytic Bug Detectors

Paper authors

Anant Kharkar, Roshanak Zilouchian Moghaddam, Matthew Jin, Xiaoyu Liu, Xin Shi, Colin Clement, Neel Sundaresan

Paper abstract

Due to increasingly complex software design and rapid iterative development, code defects and security vulnerabilities are prevalent in modern software. In response, programmers rely on static analysis tools to regularly scan their codebases and find potential bugs. In order to maximize coverage, however, these tools generally tend to report a significant number of false positives, requiring developers to manually verify each warning. To address this problem, we propose a Transformer-based learning approach to identify false positive bug warnings. We demonstrate that our models can improve the precision of static analysis by 17.5%. In addition, we validated the generalizability of this approach across two major bug types: null dereference and resource leak.
