Moritz Beller, profile picture
Uploaded byMoritz Beller
PDF, PPTX1,574 views

Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software

The document presents a large-scale evaluation of automatic static analysis tools (ASATs) in open source software, revealing that 59% of 122 popular projects use ASATs, but only 23% enforce them. It discusses the configuration and usage of ASATs, highlighting that most configurations deviate from defaults and that ASATs generally perform poorly at detecting functional defects. Open questions remain regarding the evolving nature of ASAT configurations and their usage in continuous integration environments.

Embed presentation

Download as PDF, PPTX
Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software
Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software Moritz Beller @Inventitech
Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software Moritz Beller @Inventitech Radjino Bholanath, Andy Zaidman
Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software Moritz Beller @Inventitech Radjino Bholanath, Andy Zaidman Shane McIntosh
Automatic Static Analysis Tools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
Automatic Static Analysis Tools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
Automatic Static Analysis Tools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
Automatic Static Analysis Tools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
Automatic Static Analysis Tools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
Automatic Static Analysis Tools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
RQ1: How Prevalent Are ASATs? Image: http://www.valueinvestasia.com/wp-content/uploads/2015/03/odd-one-out.jpg
122 popular OSS projects
RQ1: How Prevalent Are ASATs?
RQ1: How Prevalent Are ASATs? 122
RQ1: How Prevalent Are ASATs? 122
RQ1: How Prevalent Are ASATs? 122
RQ1: How Prevalent Are ASATs? 122 122
RQ1: How Prevalent Are ASATs? 122 122
RQ1: How Prevalent Are ASATs? 122 36 122
RQ1: How Prevalent Are ASATs? 122 36 122
RQ1: How Prevalent Are ASATs? 122 36 122
RQ1: How Prevalent Are ASATs?
Source Amount of Projects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
Source Amount of Projects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
Source Amount of Projects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
Source Amount of Projects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
Source Amount of Projects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
Source Amount of Projects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% 1) (Automated) investigation of repository information is an approximation of real ASAT use RQ1: How Prevalent Are ASATs?
Source Amount of Projects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% 1) (Automated) investigation of repository information is an approximation of real ASAT use 2) We cannot infer how a project uses ASATs from a repository analysis alone RQ1: How Prevalent Are ASATs?
RQ2: How are ASATs configured?
RQ2: How are ASATs configured?
RQ2: How are ASATs configured? checkstyle.xml
RQ2: How are ASATs configured? filename checkstyle.xml
RQ2: How are ASATs configured? filename checkstyle.xml
RQ2: How are ASATs configured? filename checkstyle.xml parse rules
RQ2: How are ASATs configured? filename checkstyle.xml enable parse rules
RQ2: How are ASATs configured? filename checkstyle.xml enable re-configure parse rules
RQ2: How are ASATs configured? filename checkstyle.xml enable re-configure parse rules custom
General Defect Classification (GDC)
General Defect Classification (GDC)
General Defect Classification (GDC) RQ1: 9
General Defect Classification (GDC) RQ1: 9 Checkstyle, FindBugs, PMD, ESLint, JSCS, JSHint, JSL, PYLint, RuboCop
General Defect Classification (GDC) 1,825 RQ1: 9 Checkstyle, FindBugs, PMD, ESLint, JSCS, JSHint, JSL, PYLint, RuboCop
RQ2: How are ASATs configured?
RQ2: How are ASATs configured?
RQ2: How are ASATs configured?
168,425 RQ2: How are ASATs configured?
168,425 RQ2: How are ASATs configured?
168,425 RQ2: How are ASATs configured?
168,425 RQ2: How are ASATs configured?
RQ2.1: How Popular Are Certain ASATs? Tool Language Configuration Files Checkstyle Java 18,785 FindBugs Java 2,090 PMD Java 7,458 ESLint JavaScript 4,435 JSCS JavaScript 11,677 JSHint JavaScript 108,770 JSL JavaScript 862 Pylint Python 4,071 RuboCop Ruby 10,066 Total - 168,405
RQ2.1: How Popular Are Certain ASATs? Tool Language Configuration Files Checkstyle Java 18,785 FindBugs Java 2,090 PMD Java 7,458 ESLint JavaScript 4,435 JSCS JavaScript 11,677 JSHint JavaScript 108,770 JSL JavaScript 862 Pylint Python 4,071 RuboCop Ruby 10,066 Total - 168,405
RQ 2.2: Which Rules Do Developers Enable?
RQ 2.2: Which Rules Do Developers Enable?
65% RQ 2.2: Which Rules Do Developers Enable?
35% 65% RQ 2.2: Which Rules Do Developers Enable?
35% 65% ASATs perform poorly at finding functional defects. Wagner et al. RQ 2.2: Which Rules Do Developers Enable?
RQ 2.2: Which Rules Do Developers Enable? 0% 00% 00% 00% 00% 00% 00% 00% 00% 00% 00% Checkstyle ESLint FindBugs JSCS JSHint JSL PMD Pylint RuboCop 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0%
0% 00% 00% 00% 00% 00% 00% 00% 00% 00% 00% Checkstyle ESLint FindBugs JSCS JSHint JSL PMD Pylint RuboCop RQ 2.2: Which Rules Do Developers Enable? 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0%
RQ 2.2: Which Rules Do Developers Enable? We: This is great! Image: Phil Skipper, The Potentialist,http://i2.wp.com/thepotentiality.com/assets/media/Kurt-Enthusiasm.jpg
RQ 2.2: Which Rules Do Developers Enable? We: This is great! Image: Phil Skipper, The Potentialist,http://i2.wp.com/thepotentiality.com/assets/media/Kurt-Enthusiasm.jpg
RQ 2.2: Which Rules Do Developers Enable? ASAT Developers*: Don't care. Image: NiBiS, http://bidab.nibis.de/PICT/traurig.jpg
RQ 2.2: Which Rules Do Developers Enable? ASAT Developers*: Don't care. Image: NiBiS, http://bidab.nibis.de/PICT/traurig.jpg
RQ 2.3: How Good Is The Default?
RQ 2.3: How Good Is The Default? Most ASAT configurations deviate from the default.
RQ 2.3: How Good Is The Default? Most ASAT configurations deviate from the default.
RQ 2.3: How Good Is The Default? Most ASAT configurations deviate from the default.
RQ 2.3: How Good Is The Default? But, typically only have one change from the default … Most ASAT configurations deviate from the default.
RQ 2.3: How Good Is The Default? But, typically only have one change from the default … ● - Addition Most ASAT configurations deviate from the default.
RQ 2.3: How Good Is The Default? But, typically only have one change from the default … ● - Addition ● - Deletion Most ASAT configurations deviate from the default.
RQ 2.3: How Good Is The Default? But, typically only have one change from the default … ● - Addition ● - Deletion ● - Re-configuration/Custom analysis Most ASAT configurations deviate from the default.
RQ2: Open Questions
● Why do projects favor certain GDC rule categories from ASATs? RQ2: Open Questions
● Why do projects favor certain GDC rule categories from ASATs? ● Can ASAT developers better fit their default configurations to their users' needs? RQ2: Open Questions
● Why do projects favor certain GDC rule categories from ASATs? ● Can ASAT developers better fit their default configurations to their users' needs? ● Do 'dynamic' languages require more ASAT use? RQ2: Open Questions
● Why do projects favor certain GDC rule categories from ASATs? ● Can ASAT developers better fit their default configurations to their users' needs? ● Do 'dynamic' languages require more ASAT use? RQ2: Open Questions
RQ3: How Do ASAT Configurations Evolve? Image: Daimler AG, http://5komma6.mercedes-benz-passion.com/wp-content/uploads/2013/06/s-class-lineup.jpg
RQ 3.1: How Often Do Changes Occur?
RQ 3.1: How Often Do Changes Occur?
RQ 3.1: How Often Do Changes Occur? >80% “never”
RQ 3.2: When Do Changes Occur?
RQ 3.2: When Do Changes Occur?
RQ 3.2: When Do Changes Occur? <20% of files
RQ 3.3: How Big Are The Changes?
RQ 3: Open Questions
● Why do ASAT configurations not typically evolve? RQ 3: Open Questions
● Why do ASAT configurations not typically evolve? ● How are ASATs used in a CI-environment? RQ 3: Open Questions
Moritz Beller @Inventitech Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software
Moritz Beller @Inventitech Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software
Moritz Beller @Inventitech Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software
Moritz Beller @Inventitech Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software

More Related Content

PPTX
Automatic Generation of Test Cases for REST APIs: a Specification-Based Approach
byJavier Canovas
 
PDF
The Last Line Effect
byMoritz Beller
 
PDF
How (Much) Do Developers Test?
byMoritz Beller
 
PDF
Modern Code Reviews in Open Source Projects: Which Problems Do They Fix?
byMoritz Beller
 
PDF
How (Much) Do Developers Test?
byMoritz Beller
 
PDF
Ubuntu manual
byAndrea Jerez
 
PPT
2012.10.29 新聞簡報
byERA Taiwan Master Franchise ,Inc.
 
PPT
Lucas digital portfolio
byMatthew Lucas
 
Automatic Generation of Test Cases for REST APIs: a Specification-Based Approach
byJavier Canovas
 
The Last Line Effect
byMoritz Beller
 
How (Much) Do Developers Test?
byMoritz Beller
 
Modern Code Reviews in Open Source Projects: Which Problems Do They Fix?
byMoritz Beller
 
How (Much) Do Developers Test?
byMoritz Beller
 
Ubuntu manual
byAndrea Jerez
 
2012.10.29 新聞簡報
byERA Taiwan Master Franchise ,Inc.
 
Lucas digital portfolio
byMatthew Lucas
 

Viewers also liked

PPTX
new_Effect of Magnetic Fields on Coherent Spectroscopy
byDr. Leah Margalit
 
PDF
Guía metodológica para realizar Consultas Populares en Colombia
byCrónicas del despojo
 
DOCX
professional resume final2
bySabrina McFadden
 
PDF
Progrès dans les technologies photovoltaïques: abaissement des coûts et nouve...
byswissolar-romandie
 
PPT
Html
byNatali Zhukova
 
PPT
Elena HARCONIŢA, Snejana ZADAINOVA: Particularităţile de dezvoltare a resur...
byScientific Library of Alecu Russo State University Balts Moldova
 
PPT
Graduationvideo2
byAngieTommy
 
new_Effect of Magnetic Fields on Coherent Spectroscopy
byDr. Leah Margalit
 
Guía metodológica para realizar Consultas Populares en Colombia
byCrónicas del despojo
 
professional resume final2
bySabrina McFadden
 
Progrès dans les technologies photovoltaïques: abaissement des coûts et nouve...
byswissolar-romandie
 
Html
byNatali Zhukova
 
Elena HARCONIŢA, Snejana ZADAINOVA: Particularităţile de dezvoltare a resur...
byScientific Library of Alecu Russo State University Balts Moldova
 
Graduationvideo2
byAngieTommy
 

Similar to Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software

PDF
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
byDenim Group
 
PPTX
SAST and Application Security: how to fight vulnerabilities in the code
byAndrey Karpov
 
PPTX
Static analysis tools as the best friend of QA
byMikalai Alimenkou
 
PPTX
Top 10 static code analysis tool
byscmGalaxy Inc
 
PPTX
Software engineering practices and software quality empirical research results
byNikolai Avteniev
 
PPTX
Visualizing the Evolution of Systems and their Library Dependencies
byAu Gai
 
PDF
Context Is King: The Developer Perspective on the Usage of Static Analysis Tools
bySebastiano Panichella
 
PDF
Would Static Analysis Tools Help Developers with Code Reviews?
bySebastiano Panichella
 
PDF
A Review on Software Fault Detection and Prevention Mechanism in Software Dev...
byiosrjce
 
PDF
F017652530
byIOSR Journals
 
PPTX
Practitioners’ Expectations on Automated Fault Localization
byPavneet Singh Kochhar
 
PPTX
When do software issues get reported in large open source software
byRAKESH RANA
 
PPTX
FaultHunter workshop (SourceMeter for SonarQube plugin module)
byFrontEndART
 
PDF
Achieving quality with tools case study
byEosSoftware
 
PPTX
Static Code Analysis
byGeneva, Switzerland
 
PDF
JIT Feedback — what Experienced Developers like about Static Analysis (icpc2018)
byYuriy Tymchuk
 
PDF
How to improve the quality of your application
byEUR ING Ioannis Kolaxis MSc
 
PPTX
OSS Java Analysis - What You Might Be Missing
byCoverity
 
PDF
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
PDF
On Impact in Software Engineering Research
byCISPA Helmholtz Center for Information Security
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
byDenim Group
 
SAST and Application Security: how to fight vulnerabilities in the code
byAndrey Karpov
 
Static analysis tools as the best friend of QA
byMikalai Alimenkou
 
Top 10 static code analysis tool
byscmGalaxy Inc
 
Software engineering practices and software quality empirical research results
byNikolai Avteniev
 
Visualizing the Evolution of Systems and their Library Dependencies
byAu Gai
 
Context Is King: The Developer Perspective on the Usage of Static Analysis Tools
bySebastiano Panichella
 
Would Static Analysis Tools Help Developers with Code Reviews?
bySebastiano Panichella
 
A Review on Software Fault Detection and Prevention Mechanism in Software Dev...
byiosrjce
 
F017652530
byIOSR Journals
 
Practitioners’ Expectations on Automated Fault Localization
byPavneet Singh Kochhar
 
When do software issues get reported in large open source software
byRAKESH RANA
 
FaultHunter workshop (SourceMeter for SonarQube plugin module)
byFrontEndART
 
Achieving quality with tools case study
byEosSoftware
 
Static Code Analysis
byGeneva, Switzerland
 
JIT Feedback — what Experienced Developers like about Static Analysis (icpc2018)
byYuriy Tymchuk
 
How to improve the quality of your application
byEUR ING Ioannis Kolaxis MSc
 
OSS Java Analysis - What You Might Be Missing
byCoverity
 
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
On Impact in Software Engineering Research
byCISPA Helmholtz Center for Information Security
 

Recently uploaded

PPTX
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
PDF
Smarter Testing Safer Systems Balancing AI and Oversight in Regulated Environ...
byApplitools
 
PDF
IAAM Meetup #7 chez Onepoint - Construire un Rag-as-a-service en production. ...
byiaaixmarseille
 
PDF
Bring AI and build AI agents into your Jakarta EE Apps with LangChain4J-CDI
byBuhake Sindi
 
PDF
Custom MGA Software Development: Better Apporach
byOpenkoda
 
PDF
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
PPTX
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
PDF
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
PPTX
Boost Productivity the Smart Way with AI Automation Solutions
byEllocent Labs
 
PPTX
Zotero Software Demonstration. Biomedical Perspective
byDr Snehashis Singha
 
PDF
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
PDF
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
PDF
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
PDF
DSD-INT 2025 Validation of SFINCS on Historical River Floods at the Global Sc...
byDeltares
 
PPT
Presentation on TCL/TK scripting language
byBimal Jain
 
PDF
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
PDF
DSD-INT 2025 3D-modelling of salt intrusion into Germany’s busiest waterway -...
byDeltares
 
PDF
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
PDF
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
PDF
DSD-INT 2025 Modelling Non-Newtonian Slurry Beaching with Delft3D-Slurry - Bi
byDeltares
 
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
Smarter Testing Safer Systems Balancing AI and Oversight in Regulated Environ...
byApplitools
 
IAAM Meetup #7 chez Onepoint - Construire un Rag-as-a-service en production. ...
byiaaixmarseille
 
Bring AI and build AI agents into your Jakarta EE Apps with LangChain4J-CDI
byBuhake Sindi
 
Custom MGA Software Development: Better Apporach
byOpenkoda
 
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
Boost Productivity the Smart Way with AI Automation Solutions
byEllocent Labs
 
Zotero Software Demonstration. Biomedical Perspective
byDr Snehashis Singha
 
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
DSD-INT 2025 Validation of SFINCS on Historical River Floods at the Global Sc...
byDeltares
 
Presentation on TCL/TK scripting language
byBimal Jain
 
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
DSD-INT 2025 3D-modelling of salt intrusion into Germany’s busiest waterway -...
byDeltares
 
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
DSD-INT 2025 Modelling Non-Newtonian Slurry Beaching with Delft3D-Slurry - Bi
byDeltares
 

Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software

  • 1.
    Analyzing the Stateof Static Analysis: A Large-Scale Evaluation in Open Source Software
  • 2.
    Analyzing the Stateof Static Analysis: A Large-Scale Evaluation in Open Source Software Moritz Beller @Inventitech
  • 3.
    Analyzing the Stateof Static Analysis: A Large-Scale Evaluation in Open Source Software Moritz Beller @Inventitech Radjino Bholanath, Andy Zaidman
  • 4.
    Analyzing the Stateof Static Analysis: A Large-Scale Evaluation in Open Source Software Moritz Beller @Inventitech Radjino Bholanath, Andy Zaidman Shane McIntosh
  • 5.
    Automatic Static AnalysisTools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
  • 6.
    Automatic Static AnalysisTools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
  • 7.
    Automatic Static AnalysisTools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
  • 8.
    Automatic Static AnalysisTools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
  • 9.
    Automatic Static AnalysisTools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
  • 10.
    Automatic Static AnalysisTools (ASATs) Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
  • 11.
    RQ1: How PrevalentAre ASATs? Image: http://www.valueinvestasia.com/wp-content/uploads/2015/03/odd-one-out.jpg
  • 12.
  • 13.
  • 14.
    RQ1: How PrevalentAre ASATs? 122
  • 15.
    RQ1: How PrevalentAre ASATs? 122
  • 16.
    RQ1: How PrevalentAre ASATs? 122
  • 17.
    RQ1: How PrevalentAre ASATs? 122 122
  • 18.
    RQ1: How PrevalentAre ASATs? 122 122
  • 19.
    RQ1: How PrevalentAre ASATs? 122 36 122
  • 20.
    RQ1: How PrevalentAre ASATs? 122 36 122
  • 21.
    RQ1: How PrevalentAre ASATs? 122 36 122
  • 22.
  • 23.
    Source Amount ofProjects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
  • 24.
    Source Amount ofProjects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
  • 25.
    Source Amount ofProjects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
  • 26.
    Source Amount ofProjects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
  • 27.
    Source Amount ofProjects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% RQ1: How Prevalent Are ASATs?
  • 28.
    Source Amount ofProjects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% 1) (Automated) investigation of repository information is an approximation of real ASAT use RQ1: How Prevalent Are ASATs?
  • 29.
    Source Amount ofProjects Using ASATs Using >1 ASAT Enforcing ASAT 122 59% 23% - 36 77% 36% 36% 1) (Automated) investigation of repository information is an approximation of real ASAT use 2) We cannot infer how a project uses ASATs from a repository analysis alone RQ1: How Prevalent Are ASATs?
  • 30.
    RQ2: How areASATs configured?
  • 31.
    RQ2: How areASATs configured?
  • 32.
    RQ2: How areASATs configured? checkstyle.xml
  • 33.
    RQ2: How areASATs configured? filename checkstyle.xml
  • 34.
    RQ2: How areASATs configured? filename checkstyle.xml
  • 35.
    RQ2: How areASATs configured? filename checkstyle.xml parse rules
  • 36.
    RQ2: How areASATs configured? filename checkstyle.xml enable parse rules
  • 37.
    RQ2: How areASATs configured? filename checkstyle.xml enable re-configure parse rules
  • 38.
    RQ2: How areASATs configured? filename checkstyle.xml enable re-configure parse rules custom
  • 39.
  • 40.
  • 41.
  • 42.
    General Defect Classification(GDC) RQ1: 9 Checkstyle, FindBugs, PMD, ESLint, JSCS, JSHint, JSL, PYLint, RuboCop
  • 43.
    General Defect Classification(GDC) 1,825 RQ1: 9 Checkstyle, FindBugs, PMD, ESLint, JSCS, JSHint, JSL, PYLint, RuboCop
  • 44.
    RQ2: How areASATs configured?
  • 45.
    RQ2: How areASATs configured?
  • 46.
    RQ2: How areASATs configured?
  • 47.
    168,425 RQ2: How areASATs configured?
  • 48.
    168,425 RQ2: How areASATs configured?
  • 49.
    168,425 RQ2: How areASATs configured?
  • 50.
    168,425 RQ2: How areASATs configured?
  • 51.
    RQ2.1: How PopularAre Certain ASATs? Tool Language Configuration Files Checkstyle Java 18,785 FindBugs Java 2,090 PMD Java 7,458 ESLint JavaScript 4,435 JSCS JavaScript 11,677 JSHint JavaScript 108,770 JSL JavaScript 862 Pylint Python 4,071 RuboCop Ruby 10,066 Total - 168,405
  • 52.
    RQ2.1: How PopularAre Certain ASATs? Tool Language Configuration Files Checkstyle Java 18,785 FindBugs Java 2,090 PMD Java 7,458 ESLint JavaScript 4,435 JSCS JavaScript 11,677 JSHint JavaScript 108,770 JSL JavaScript 862 Pylint Python 4,071 RuboCop Ruby 10,066 Total - 168,405
  • 53.
    RQ 2.2: WhichRules Do Developers Enable?
  • 54.
    RQ 2.2: WhichRules Do Developers Enable?
  • 55.
    65% RQ 2.2: WhichRules Do Developers Enable?
  • 56.
    35% 65% RQ 2.2:Which Rules Do Developers Enable?
  • 57.
    35% 65% ASATs performpoorly at finding functional defects. Wagner et al. RQ 2.2: Which Rules Do Developers Enable?
  • 58.
    RQ 2.2: WhichRules Do Developers Enable? 0% 00% 00% 00% 00% 00% 00% 00% 00% 00% 00% Checkstyle ESLint FindBugs JSCS JSHint JSL PMD Pylint RuboCop 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0%
  • 59.
    0% 00% 00% 00% 00% 00% 00% 00% 00% 00% 00% Checkstyle ESLint FindBugsJSCS JSHint JSL PMD Pylint RuboCop RQ 2.2: Which Rules Do Developers Enable? 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0%
  • 60.
    RQ 2.2: WhichRules Do Developers Enable? We: This is great! Image: Phil Skipper, The Potentialist,http://i2.wp.com/thepotentiality.com/assets/media/Kurt-Enthusiasm.jpg
  • 61.
    RQ 2.2: WhichRules Do Developers Enable? We: This is great! Image: Phil Skipper, The Potentialist,http://i2.wp.com/thepotentiality.com/assets/media/Kurt-Enthusiasm.jpg
  • 62.
    RQ 2.2: WhichRules Do Developers Enable? ASAT Developers*: Don't care. Image: NiBiS, http://bidab.nibis.de/PICT/traurig.jpg
  • 63.
    RQ 2.2: WhichRules Do Developers Enable? ASAT Developers*: Don't care. Image: NiBiS, http://bidab.nibis.de/PICT/traurig.jpg
  • 64.
    RQ 2.3: HowGood Is The Default?
  • 65.
    RQ 2.3: HowGood Is The Default? Most ASAT configurations deviate from the default.
  • 66.
    RQ 2.3: HowGood Is The Default? Most ASAT configurations deviate from the default.
  • 67.
    RQ 2.3: HowGood Is The Default? Most ASAT configurations deviate from the default.
  • 68.
    RQ 2.3: HowGood Is The Default? But, typically only have one change from the default … Most ASAT configurations deviate from the default.
  • 69.
    RQ 2.3: HowGood Is The Default? But, typically only have one change from the default … ● - Addition Most ASAT configurations deviate from the default.
  • 70.
    RQ 2.3: HowGood Is The Default? But, typically only have one change from the default … ● - Addition ● - Deletion Most ASAT configurations deviate from the default.
  • 71.
    RQ 2.3: HowGood Is The Default? But, typically only have one change from the default … ● - Addition ● - Deletion ● - Re-configuration/Custom analysis Most ASAT configurations deviate from the default.
  • 72.
  • 73.
    ● Why do projectsfavor certain GDC rule categories from ASATs? RQ2: Open Questions
  • 74.
    ● Why do projectsfavor certain GDC rule categories from ASATs? ● Can ASAT developers better fit their default configurations to their users' needs? RQ2: Open Questions
  • 75.
    ● Why do projectsfavor certain GDC rule categories from ASATs? ● Can ASAT developers better fit their default configurations to their users' needs? ● Do 'dynamic' languages require more ASAT use? RQ2: Open Questions
  • 76.
    ● Why do projectsfavor certain GDC rule categories from ASATs? ● Can ASAT developers better fit their default configurations to their users' needs? ● Do 'dynamic' languages require more ASAT use? RQ2: Open Questions
  • 77.
    RQ3: How DoASAT Configurations Evolve? Image: Daimler AG, http://5komma6.mercedes-benz-passion.com/wp-content/uploads/2013/06/s-class-lineup.jpg
  • 78.
    RQ 3.1: HowOften Do Changes Occur?
  • 79.
    RQ 3.1: HowOften Do Changes Occur?
  • 80.
    RQ 3.1: HowOften Do Changes Occur? >80% “never”
  • 81.
    RQ 3.2: WhenDo Changes Occur?
  • 82.
    RQ 3.2: WhenDo Changes Occur?
  • 83.
    RQ 3.2: WhenDo Changes Occur? <20% of files
  • 84.
    RQ 3.3: HowBig Are The Changes?
  • 85.
    RQ 3: OpenQuestions
  • 86.
    ● Why do ASATconfigurations not typically evolve? RQ 3: Open Questions
  • 87.
    ● Why do ASATconfigurations not typically evolve? ● How are ASATs used in a CI-environment? RQ 3: Open Questions
  • 88.
    Moritz Beller @Inventitech Analyzing theState of Static Analysis: A Large-Scale Evaluation in Open Source Software
  • 89.
    Moritz Beller @Inventitech Analyzing theState of Static Analysis: A Large-Scale Evaluation in Open Source Software
  • 90.
    Moritz Beller @Inventitech Analyzing theState of Static Analysis: A Large-Scale Evaluation in Open Source Software
  • 91.
    Moritz Beller @Inventitech Analyzing theState of Static Analysis: A Large-Scale Evaluation in Open Source Software