An Improved Method of Static Code Analysis Based on the Context-Sensitive Rules

  • Sepideh Mohajer Naraghi, Islamic Azad University, South Tehran Branch
  • Mir Ali Seyyedi
Keywords: Static test, Static code analysis, False positive message, Incorrect report, Code analysis


One of the static test methods is static code analysis, in which the source code is analyzed by specific tools without running the code. This method tries to detect possible code vulnerabilities by different techniques, including data analysis and flow analysis. Static code analysis has limitations, one of which is reporting a vulnerability that does not exist (a false positive). This paper focuses on reducing these false reports, which have been addressed in many ways. The proposed method is to keep a list of code analysis rules and, for each context, to check only the rules belonging to that context, so that the code analyzer does not evaluate all of the rules. For instance, for a security analysis we focus only on the security rules, not on design or other rules. Therefore, the number of error messages is reduced by applying filters to the full rule set.
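The context filter the abstract describes, as an added illustration that is not the paper's own implementation: every rule carries a context tag, and only the rules of the requested context are run against the code, so the remaining rules emit no reports. The rule identifiers, the regex patterns and the sample input are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical rule model: each rule belongs to exactly one analysis context
# ("security", "design", "style"). Real analyzers use richer checks than a
# per-line regex; the pattern here only stands in for the rule's check.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    context: str
    description: str
    pattern: str

RULES: List[Rule] = [
    Rule("SEC001", "security", "hard-coded credential", r"(?i)(password|secret)\s*=\s*[\"']"),
    Rule("SEC002", "security", "eval() on runtime data", r"\beval\("),
    Rule("DES001", "design", "magic number assigned", r"=\s*\d{2,}\b"),
    Rule("STY001", "style", "line longer than 79 chars", r"^.{80,}$"),
]

def select_rules(rules: Iterable[Rule], contexts: Optional[Iterable[str]]) -> List[Rule]:
    """Context filter: keep rules of the requested contexts; None keeps every rule."""
    if contexts is None:
        return list(rules)
    wanted = set(contexts)
    return [r for r in rules if r.context in wanted]

def analyze(source: str, contexts: Optional[Iterable[str]] = None) -> List[Tuple[int, str]]:
    """Run the selected rules line by line and return sorted (line_no, rule_id) findings."""
    findings: List[Tuple[int, str]] = []
    for rule in select_rules(RULES, contexts):
        regex = re.compile(rule.pattern)
        for line_no, line in enumerate(source.splitlines(), start=1):
            if regex.search(line):
                findings.append((line_no, rule.rule_id))
    return sorted(findings)

# Constructed sample input (four lines, one hit per rule when no filter is applied).
SAMPLE = """\
DB_PASSWORD = "hunter2"
TIMEOUT = 3600
result = eval(user_input)
NOTE = "this assignment is intentionally padded to exceed the seventy-nine character limit"
"""

if __name__ == "__main__":
    print("all rules:    ", analyze(SAMPLE))
    print("security only:", analyze(SAMPLE, ["security"]))
```

With no filter the four rules produce four reports; restricting the run to the security context leaves only the two security findings, which is the reduction the paper's method targets.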


How to Cite
Mohajer Naraghi, S., & Seyyedi, M. A. (2019). An Improved Method of Static Code Analysis Based on the Context-Sensitive Rules. Majlesi Journal of Mechatronic Systems, 8(3), 45-53. Retrieved from