Analyzing False Positive Source Code Vulnerabilities Using Static Analysis Tools
Links to Fileshttps://ieeexplore.ieee.org/abstract/document/8622456
MetadataShow full item record
Type of Work7 pages
conference papers and proceedings
Citation of Original PublicationFoteini Cheirdari, George Karabatis, Analyzing False Positive Source Code Vulnerabilities Using Static Analysis Tools, 2018 IEEE International Conference on Big Data (Big Data) , DOI: 10.1109/BigData.2018.8622456
RightsThis item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
© 2018 IEEE
Static source code analysis for the detection of vulnerabilities may generate a huge amount of results making it difficult to manually verify all of them. In addition, static code analysis yields a large number of false positives. Consequently, software developers may ignore the results of static code analysis. This paper analyzes the results of static code analysis tools to identify false positive trends per tool. The novel idea is to assist developers and analysts identify the likelihood of a finding to be an actual true positive. This paper proposes an algorithm that makes use of a new critical feature, a personal identifier, which assists labeling the findings correctly as true or false. Experiments verified identification of true positives with a higher level of accuracy.