Source Code Reduction to Summarize False Positives
Abstract
The main disadvantage of static code analysis tools is the high
rate of false positives they produce. Users may need to manually analyze a
large number of warnings to determine whether they are false or legitimate,
which reduces the benefits of automatic static analysis. Our long-term
goal is to significantly reduce the number of false positives that these
tools report. A learning system could classify the warnings into true
positives and false positives by means of features extracted from the
program source code. This work implements and evaluates a technique to
reduce the source code producing false positives into code snippets that are
simpler to analyze. Results indicate that the method considerably reduces
the source code size and that it is feasible to use it to characterize false
positives.