
TL;DR
This paper provides guidance on effectively deploying static source code analysis tools in large organizations, emphasizing the importance of focusing on bug fixing and avoiding common pitfalls that reduce effectiveness.
Contribution
It offers a practical framework for deploying static analysis tools that prioritizes bug resolution and organizational alignment over superficial metrics.
Findings
Focus on bug fixing improves static analysis effectiveness
Avoiding superficial deployment reduces false positives
Organizational focus enhances tool adoption and impact
Abstract
Static source code analysis is a powerful tool for finding and fixing bugs when deployed properly; it is, however, all too easy to deploy it in a way that looks good superficially, but which misses important defects, shows many false positives, and brings the tool into disrepute. This article is a guide to the process of deploying a static analysis tool in a large organization while avoiding the worst organizational and technical pitfalls. My main point is the importance of concentrating on the main goal of getting bugs fixed, against all the competing lesser goals which will arise during the process.
Taxonomy
Topics: Software Engineering Research · Software System Performance and Reliability · Software Reliability and Analysis Research
