Jigang Wang, Shengyu Cheng, Jicheng Cao, Meihua He
Title: An empirical application of user-guided program analysis
Journal: China Communications
Publication date: 2024-07-01
Publication type: Journal Article
DOI: 10.23919/JCC.fa.2023-0331.202407 (https://doi.org/10.23919/JCC.fa.2023-0331.202407)
Citations: 0
Abstract
Although static program analysis methods are frequently employed to enhance software quality, their usefulness in commercial settings is limited by their high false positive rate. The EUGENE tool can effectively lower the false positive rate. However, in continuous integration (CI) environments the code is always changing, and user feedback on one version of the software cannot be applied to a subsequent version. Additionally, users find it difficult to distinguish true positives from false positives in the analysis output. In this study, we developed the EUGENE-CI technique to address the CI problem, and the EUGENE-rank lightweight heuristic algorithm to rank the reports in the analysis output according to the likelihood that they are true positives. We assessed our methodologies on three projects: ethereum, go-cloud, and kubernetes. According to the trial findings, EUGENE-CI may drastically reduce false positives, while EUGENE-rank can make it much easier for users to identify the real positives among a vast number of reports. We paired our techniques with GoInsight and discovered a vulnerability. We also offered a patch to the community.