Analyzing False Positive Source Code Vulnerabilities Using Static Analysis Tools
Date
2019-01-24
Citation of Original Publication
Foteini Cheirdari, George Karabatis, Analyzing False Positive Source Code Vulnerabilities Using Static Analysis Tools, 2018 IEEE International Conference on Big Data (Big Data) , DOI: 10.1109/BigData.2018.8622456
Rights
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
© 2018 IEEE
Abstract
Static source code analysis for the detection of vulnerabilities may generate a huge number of results, making it difficult to verify all of them manually. In addition, static code analysis yields a large number of false positives. Consequently, software developers may ignore its results altogether. This paper analyzes the output of static code analysis tools to identify false positive trends per tool. The novel idea is to help developers and analysts estimate the likelihood that a finding is an actual true positive. This paper proposes an algorithm that makes use of a new critical feature, a personal identifier, which helps label findings correctly as true or false positives. Experiments verified that true positives were identified with a higher level of accuracy.
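The per-tool false positive trend the abstract refers to can be made concrete with a small triage helper. The following is an added example, not code from the paper and not its algorithm: it takes a set of findings that analysts have already labelled, estimates how often each (tool, rule) pair has turned out to be a real issue, and uses that rate to rank new, untriaged findings. The sample findings, tool names and rule identifiers are constructed for illustration, the smoothing prior is an assumption, and the "personal identifier" feature the paper describes is deliberately not modelled because the abstract does not define it.

```python
"""Rank static-analysis findings by estimated true-positive likelihood.

Added example (not the paper's own algorithm). The smoothed per-rule rate
and the sample data below are assumptions made for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    tool: str                      # hypothetical tool name, e.g. "toolA"
    rule: str                      # tool rule / CWE identifier
    location: str                  # file:line the tool flagged
    is_true_positive: Optional[bool] = None  # analyst verdict; None = untriaged


# Constructed sample of previously triaged findings (not real tool output).
TRIAGED: List[Finding] = [
    Finding("toolA", "CWE-89", "db.py:12", True),
    Finding("toolA", "CWE-89", "db.py:40", True),
    Finding("toolA", "CWE-89", "api.py:7", False),
    Finding("toolA", "CWE-79", "view.py:3", False),
    Finding("toolA", "CWE-79", "view.py:9", False),
    Finding("toolB", "CWE-89", "db.py:12", True),
    Finding("toolB", "CWE-79", "view.py:3", False),
    Finding("toolB", "CWE-798", "cfg.py:1", True),
]


def tp_rates(triaged: List[Finding], prior_tp: float = 0.5,
             prior_weight: float = 2.0) -> Dict[Tuple[str, str], float]:
    """Estimated P(true positive) for every (tool, rule) pair seen in triage.

    Uses a smoothed estimate (tp + prior_tp * prior_weight) / (n + prior_weight)
    so a rule triaged only once or twice is not scored 0.0 or 1.0 outright.
    """
    counts: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for f in triaged:
        if f.is_true_positive is None:
            continue  # untriaged findings carry no label to learn from
        key = (f.tool, f.rule)
        counts[key][0] += int(f.is_true_positive)
        counts[key][1] += 1
    return {k: (tp + prior_tp * prior_weight) / (n + prior_weight)
            for k, (tp, n) in counts.items()}


def tool_fp_rate(triaged: List[Finding], tool: str) -> float:
    """Share of one tool's triaged findings that were false positives."""
    labelled = [f for f in triaged
                if f.tool == tool and f.is_true_positive is not None]
    if not labelled:
        return 0.0
    return sum(1 for f in labelled if not f.is_true_positive) / len(labelled)


def rank_findings(open_findings: List[Finding],
                  rates: Dict[Tuple[str, str], float],
                  default: float = 0.5) -> List[Finding]:
    """Sort untriaged findings by estimated TP likelihood, highest first.

    A (tool, rule) pair never seen in triage gets the neutral default score.
    """
    return sorted(open_findings,
                  key=lambda f: rates.get((f.tool, f.rule), default),
                  reverse=True)


if __name__ == "__main__":
    rates = tp_rates(TRIAGED)
    for tool in ("toolA", "toolB"):
        print(f"{tool}: false positive rate {tool_fp_rate(TRIAGED, tool):.2f}")
    new = [Finding("toolA", "CWE-79", "x.py:1"),
           Finding("toolB", "CWE-798", "y.py:2"),
           Finding("toolA", "CWE-89", "z.py:3"),
           Finding("toolC", "CWE-22", "w.py:1")]
    for f in rank_findings(new, rates):
        print(f"{rates.get((f.tool, f.rule), 0.5):.2f}  {f.tool} {f.rule} {f.location}")
```

With the constructed data, toolA has flagged three real SQL injections out of five findings while its XSS rule has never been right, so a fresh toolA CWE-79 hit sinks to the bottom of the queue and a toolB CWE-798 hit rises to the top; a tool the triage history has never seen stays at the neutral default rather than being silently trusted or discarded.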