Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software

Moritz Beller; Radjino Bholanath; Shane McIntosh; Andy Zaidman

doi:10.1109/SANER.2016.105

Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software

Moritz Beller, Radjino Bholanath, Shane McIntosh, Andy Zaidman

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

259 Downloads (Pure)

Abstract

The use of automatic static analysis has been a software engineering best practice for decades. However, we still do not know a lot about its use in real-world software projects: How prevalent is the use of Automated Static Analysis Tools (ASATs) such as FindBugs and JSHint? How do developers use these tools, and how does their use evolve over time? We research these questions in two studies on nine different ASATs for Java, JavaScript, Ruby, and Python with a population of 122 and 168,214 open-source projects. To compare warnings across the ASATs, we introduce the General Defect Classification (GDC) and provide a grounded-theory-derived mapping of 1,825 ASAT-specific warnings to 16 top-level GDC classes. Our results show that ASAT use is widespread, but not ubiquitous, and that projects typically do not enforce a strict policy on ASAT use. Most ASAT configurations deviate slightly from the default, but hardly any introduce new custom analyses. Only a very small set of default ASAT analyses is widely changed. Finally, most ASAT configurations, once introduced, never change. If they do, the changes are small and have a tendency to occur within one day of the configuration's initial introduction.

Original language	English
Title of host publication	Proceedings of the 23rd IEEE International Conference on Software Analysis, Evolution, and Reengineering
Place of Publication	Piscataway, NJ
Publisher	IEEE
Pages	470-481
Number of pages	12
ISBN (Electronic)	978-1-5090-1855-0
DOIs	https://doi.org/10.1109/SANER.2016.105
Publication status	Published - Mar 2016

Keywords

General Defect Classification
Automated Static Analysis Tools
ASATs
GitHub
Open-Source Software

Access to Document

10.1109/SANER.2016.105

2016_beller_bholanath_mcintosh_zaidman_analyzing_the_state_of_static_analysis_a_large-scale_evaluation_in_open_source_softwareAccepted author manuscript, 752 KB

Cite this

@inproceedings{33b1c0f41afd459da7b05476c9033869,

title = "Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software",

abstract = "The use of automatic static analysis has been a software engineering best practice for decades. However, we still do not know a lot about its use in real-world software projects: How prevalent is the use of Automated Static Analysis Tools (ASATs) such as FindBugs and JSHint? How do developers use these tools, and how does their use evolve over time? We research these questions in two studies on nine different ASATs for Java, JavaScript, Ruby, and Python with a population of 122 and 168,214 open-source projects. To compare warnings across the ASATs, we introduce the General Defect Classification (GDC) and provide a grounded-theory-derived mapping of 1,825 ASAT-specific warnings to 16 top-level GDC classes. Our results show that ASAT use is widespread, but not ubiquitous, and that projects typically do not enforce a strict policy on ASAT use. Most ASAT configurations deviate slightly from the default, but hardly any introduce new custom analyses. Only a very small set of default ASAT analyses is widely changed. Finally, most ASAT configurations, once introduced, never change. If they do, the changes are small and have a tendency to occur within one day of the configuration's initial introduction.",

keywords = "General Defect Classification, Automated Static Analysis Tools, ASATs, GitHub, Open-Source Software",

author = "Moritz Beller and Radjino Bholanath and Shane McIntosh and Andy Zaidman",

year = "2016",

month = mar,

doi = "10.1109/SANER.2016.105",

language = "English",

pages = "470--481",

booktitle = "Proceedings of the 23rd IEEE International Conference on Software Analysis, Evolution, and Reengineering",

publisher = "IEEE",

address = "United States",

}

Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software. / Beller, Moritz; Bholanath, Radjino; McIntosh, Shane et al.
Proceedings of the 23rd IEEE International Conference on Software Analysis, Evolution, and Reengineering. Piscataway, NJ: IEEE, 2016. p. 470-481.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Analyzing the State of Static Analysis

T2 - A Large-Scale Evaluation in Open Source Software

AU - Beller, Moritz

AU - Bholanath, Radjino

AU - McIntosh, Shane

AU - Zaidman, Andy

PY - 2016/3

Y1 - 2016/3

N2 - The use of automatic static analysis has been a software engineering best practice for decades. However, we still do not know a lot about its use in real-world software projects: How prevalent is the use of Automated Static Analysis Tools (ASATs) such as FindBugs and JSHint? How do developers use these tools, and how does their use evolve over time? We research these questions in two studies on nine different ASATs for Java, JavaScript, Ruby, and Python with a population of 122 and 168,214 open-source projects. To compare warnings across the ASATs, we introduce the General Defect Classification (GDC) and provide a grounded-theory-derived mapping of 1,825 ASAT-specific warnings to 16 top-level GDC classes. Our results show that ASAT use is widespread, but not ubiquitous, and that projects typically do not enforce a strict policy on ASAT use. Most ASAT configurations deviate slightly from the default, but hardly any introduce new custom analyses. Only a very small set of default ASAT analyses is widely changed. Finally, most ASAT configurations, once introduced, never change. If they do, the changes are small and have a tendency to occur within one day of the configuration's initial introduction.

AB - The use of automatic static analysis has been a software engineering best practice for decades. However, we still do not know a lot about its use in real-world software projects: How prevalent is the use of Automated Static Analysis Tools (ASATs) such as FindBugs and JSHint? How do developers use these tools, and how does their use evolve over time? We research these questions in two studies on nine different ASATs for Java, JavaScript, Ruby, and Python with a population of 122 and 168,214 open-source projects. To compare warnings across the ASATs, we introduce the General Defect Classification (GDC) and provide a grounded-theory-derived mapping of 1,825 ASAT-specific warnings to 16 top-level GDC classes. Our results show that ASAT use is widespread, but not ubiquitous, and that projects typically do not enforce a strict policy on ASAT use. Most ASAT configurations deviate slightly from the default, but hardly any introduce new custom analyses. Only a very small set of default ASAT analyses is widely changed. Finally, most ASAT configurations, once introduced, never change. If they do, the changes are small and have a tendency to occur within one day of the configuration's initial introduction.

KW - General Defect Classification

KW - Automated Static Analysis Tools

KW - ASATs

KW - GitHub

KW - Open-Source Software

UR - http://resolver.tudelft.nl/uuid:33b1c0f4-1afd-459d-a7b0-5476c9033869

U2 - 10.1109/SANER.2016.105

DO - 10.1109/SANER.2016.105

M3 - Conference contribution

SP - 470

EP - 481

BT - Proceedings of the 23rd IEEE International Conference on Software Analysis, Evolution, and Reengineering

PB - IEEE

CY - Piscataway, NJ

ER -

Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this