Ranking Warnings of Static Analysis Tools Using Representation Learning
Kien-Tuan Ngo, Dinh-Truong Do, Thu-Trang Nguyen, Hieu Dinh Vo

TL;DR
DeFP is a novel representation learning method that effectively ranks static analysis warnings by their likelihood of being true positives, significantly reducing developer effort and improving vulnerability detection accuracy.
Contribution
This paper introduces DeFP, a new approach using BiLSTM models to rank static analysis warnings based on context similarity, outperforming existing methods.
Findings
Using DeFP's ranking, developers can find over 90% of the vulnerabilities by investigating only 60% of the warnings.
DeFP improves precision and recall by 30% over the state-of-the-art.
Experimental results on 10 real-world projects validate DeFP's effectiveness.
Abstract
Static analysis tools are frequently used to detect potential vulnerabilities in software systems. However, an inevitable problem of these tools is their large number of warnings with a high false positive rate, which consumes time and effort to investigate. In this paper, we present DeFP, a novel method for ranking static analysis warnings. Based on the intuition that warnings which have similar contexts tend to have similar labels (true positive or false positive), DeFP is built with two BiLSTM models to capture the patterns associated with the contexts of labeled warnings. After that, for a set of new warnings, DeFP can calculate and rank them according to their likelihood of being true positives (i.e., actual vulnerabilities). Our experimental results on a dataset of 10 real-world projects show that using DeFP, by investigating only 60% of the warnings, developers can find +90% of…
Taxonomy
Topics: Software Engineering Research · Software Reliability and Analysis Research · Software Engineering Techniques and Practices
