• The first time static analysis runs there may be thousands of errors; the typical rate is one defect per thousand LOC
• Academic answer: rank heuristics
• Pragmatic answer: ignore them all
  • Simply ignore all defects in existing code
  • Triage and fix defects in new code
  • “Someday” get around to fixing defects in old code
• Why is this so popular?
  • Old code is in the field. It works well enough. Risk is low.
  • New code is unproven. It might work, or it might not. Risk is high.
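The "ignore existing, triage new" policy above is usually implemented as a baseline-and-diff step in the analysis pipeline. The following is an added example, not code from the original slides: findings are fingerprinted by file, rule and offending source text rather than by line number, so that edits elsewhere in a file do not make an old defect resurface as "new"; the first run is recorded as the baseline and later runs report only findings absent from it. The finding format, rule names and sample findings are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    line: int
    snippet: str  # offending source line as reported by the analyzer


def fingerprint(f: Finding) -> str:
    """Stable identity for a finding: file, rule and whitespace-normalised source.
    The line number is deliberately left out, so inserting code above an old
    defect shifts its line without turning it into a 'new' finding."""
    norm = " ".join(f.snippet.split())
    return hashlib.sha256(f"{f.path}|{f.rule}|{norm}".encode()).hexdigest()


def baseline(findings):
    """First run over old code: every existing finding becomes 'known' and is ignored."""
    return {fingerprint(f) for f in findings}


def new_findings(findings, known):
    """Later runs: keep only findings that are not in the baseline."""
    return [f for f in findings if fingerprint(f) not in known]


# Constructed sample: first run over the existing code base (thousands in practice).
FIRST_RUN = [
    Finding("net/parse.c", "BUFFER_OVERRUN", 120, "strcpy(buf, src);"),
    Finding("net/parse.c", "NULL_DEREF", 201, "p->len = n;"),
]
# Constructed second run: 40 lines were added above the old defects (lines shifted)
# and one genuinely new defect was introduced in a new file.
SECOND_RUN = [
    Finding("net/parse.c", "BUFFER_OVERRUN", 160, "strcpy(buf,  src);"),
    Finding("net/parse.c", "NULL_DEREF", 241, "p->len = n;"),
    Finding("net/handshake.c", "USE_AFTER_FREE", 33, "free(ctx); return ctx->rc;"),
]

KNOWN = baseline(FIRST_RUN)


def triage_queue():
    """What a developer actually has to look at: only findings outside the baseline."""
    return new_findings(SECOND_RUN, KNOWN)


if __name__ == "__main__":
    for f in triage_queue():
        print(f"{f.path}:{f.line} [{f.rule}] {f.snippet}")
```

The baseline set would normally be persisted (for example, committed alongside the analyzer configuration) and refreshed only when old findings are deliberately fixed.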