Source Code Reduction to Summarize False Positives


Date

2015

Abstract

The main disadvantage of static code analysis tools is the high rate of false positives they produce. Users may need to manually analyze a large number of warnings to determine whether they are false or legitimate, which reduces the benefits of automatic static analysis. Our long-term goal is to significantly reduce the number of false positives that these tools report. A learning system could classify the warnings into true positives and false positives by means of features extracted from the program source code. This work implements and evaluates a technique to reduce the source code producing false positives into code snippets that are simpler to analyze. Results indicate that the method considerably reduces the source code size and that it is feasible to use it to characterize false positives.
