Analyzing False Positive Source Code Vulnerabilities Using Static Analysis Tools

Author/Creator ORCID

Date

2019-01-24

Department

Program

Citation of Original Publication

Foteini Cheirdari, George Karabatis, Analyzing False Positive Source Code Vulnerabilities Using Static Analysis Tools, 2018 IEEE International Conference on Big Data (Big Data) , DOI: 10.1109/BigData.2018.8622456

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
© 2018 IEEE

Abstract

Static source code analysis for the detection of vulnerabilities may generate a huge amount of results making it difficult to manually verify all of them. In addition, static code analysis yields a large number of false positives. Consequently, software developers may ignore the results of static code analysis. This paper analyzes the results of static code analysis tools to identify false positive trends per tool. The novel idea is to assist developers and analysts identify the likelihood of a finding to be an actual true positive. This paper proposes an algorithm that makes use of a new critical feature, a personal identifier, which assists labeling the findings correctly as true or false. Experiments verified identification of true positives with a higher level of accuracy.