The use of automatic static analysis has been a software engineering best practice for decades. However, we still do not know a lot about its use in real-world software projects: How prevalent is the use of Automated Static Analysis Tools (ASATs) such as FindBugs and JSHint? How do developers use these tools, and how does their use evolve over time? We research these questions in two studies on nine different ASATs for Java, JavaScript, Ruby, and Python with a population of 122 and 168,214 open-source projects. To compare warnings across the ASATs, we introduce the General Defect Classification (GDC) and provide a grounded-theory-derived mapping of 1,825 ASAT-specific warnings to 16 top-level GDC classes. Our results show that ASAT use is widespread, but not ubiquitous, and that projects typically do not enforce a strict policy on ASAT use. Most ASAT configurations deviate slightly from the default, but hardly any introduce new custom analyses. Only a very small set of default ASAT analyses is widely changed. Finally, most ASAT configurations, once introduced, never change. If they do, the changes are small and have a tendency to occur within one day of the configuration’s initial introduction.
Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software
1-4. Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software
Moritz Beller (@Inventitech), Radjino Bholanath, Andy Zaidman, Shane McIntosh
23-29. RQ1: How Prevalent Are ASATs?
Source | Amount of Projects | Using ASATs | Using >1 ASAT | Enforcing ASAT
       | 122                | 59%         | 23%           | -
       | 36                 | 77%         | 36%           | 36%
1) (Automated) investigation of repository information is an approximation of real ASAT use
2) We cannot infer how a project uses ASATs from a repository analysis alone
60-63. RQ 2.2: Which Rules Do Developers Enable?
We: This is great!
Image: Phil Skipper, The Potentialist, http://i2.wp.com/thepotentiality.com/assets/media/Kurt-Enthusiasm.jpg
ASAT Developers*: Don't care.
Image: NiBiS, http://bidab.nibis.de/PICT/traurig.jpg
65-71. RQ 2.3: How Good Is The Default?
Most ASAT configurations deviate from the default.
But they typically have only one change from the default …
● Addition
● Deletion
● Re-configuration/Custom analysis
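As an added illustration (not code from the paper or its authors), the following Python classifies how a project's ASAT configuration deviates from a default rule set into the three categories on this slide. The default values, the sample .jshintrc-style configuration and the exact meaning of addition, deletion and re-configuration are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed default rule set (rule -> default setting). The option names are
# real JSHint options; the default values are assumed for this example.
DEFAULT_RULES = {
    "undef": True,    # enabled by default
    "unused": True,   # enabled by default
    "eqeqeq": False,  # disabled by default
    "maxlen": 80,     # parameterised rule
}

# Constructed project configuration in .jshintrc-style JSON.
PROJECT_CONFIG = '{"undef": true, "unused": false, "eqeqeq": true, "maxlen": 120, "curly": true}'


def classify_deviations(config_json, defaults=DEFAULT_RULES):
    """Map each rule whose setting differs from the default to a category.

    Assumed meaning of the slide's categories: addition = a rule enabled that
    the default leaves off or never mentions; deletion = a default-on rule
    switched off; re-configuration = a default rule kept but with a changed
    parameter. Default rules the config does not mention are inherited, so
    they are not deviations.
    """
    config = json.loads(config_json)
    deviations = {}
    for rule, value in config.items():
        if rule not in defaults:
            if value is False:
                continue  # turning off a rule the default never enabled changes nothing
            deviations[rule] = "addition"
        elif value == defaults[rule]:
            continue
        elif isinstance(value, bool) and isinstance(defaults[rule], bool):
            deviations[rule] = "addition" if value else "deletion"
        else:
            deviations[rule] = "re-configuration"
    return deviations


def deviation_summary(config_json, defaults=DEFAULT_RULES):
    """Count deviations per category (the slide's 'only one change' claim)."""
    return dict(Counter(classify_deviations(config_json, defaults).values()))
```

Running the summary over many repositories' configurations is the kind of measurement behind the "typically only one change" finding.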
73-76. RQ2: Open Questions
● Why do projects favor certain GDC rule categories from ASATs?
● Can ASAT developers better fit their default configurations to their users' needs?
● Do 'dynamic' languages require more ASAT use?
77. RQ3: How Do ASAT Configurations Evolve?
Image: Daimler AG, http://5komma6.mercedes-benz-passion.com/wp-content/uploads/2013/06/s-class-lineup.jpg