Analyzing the State of Static Analysis:
A Large-Scale Evaluation
in Open Source Software
Moritz Beller
@Inventitech
Radjino Bholanath, Andy Zaidman
Shane McIntosh
Automatic Static Analysis Tools (ASATs)
Image: https://pixabay.com/static/uploads/photo/2015/06/12/18/31/cute-807306_960_720.png
RQ1: How Prevalent Are ASATs?
Image: http://www.valueinvestasia.com/wp-content/uploads/2015/03/odd-one-out.jpg
122 popular OSS projects
Source   Amount of Projects   Using ASATs   Using >1 ASAT   Enforcing ASAT
         122                  59%           23%             -
         36                   77%           36%             36%
1) (Automated) investigation of repository information is an approximation of real ASAT use
2) We cannot infer how a project uses ASATs from a repository analysis alone
RQ2: How are ASATs configured?
filename (checkstyle.xml) -> parse rules -> enable / re-configure / custom
General Defect Classification (GDC)
RQ1: 9 (Checkstyle, FindBugs, PMD, ESLint, JSCS, JSHint, JSL, PYLint, RuboCop)
1,825
RQ2: How are ASATs configured?
168,425
RQ2.1: How Popular Are Certain ASATs?
Tool         Language     Configuration Files
Checkstyle   Java         18,785
FindBugs     Java         2,090
PMD          Java         7,458
ESLint       JavaScript   4,435
JSCS         JavaScript   11,677
JSHint       JavaScript   108,770
JSL          JavaScript   862
Pylint       Python       4,071
RuboCop      Ruby         10,066
Total        -            168,405
RQ 2.2: Which Rules Do Developers Enable?
35% 65%
ASATs perform poorly at finding functional defects. Wagner et al.
[Chart: percentage per tool, y-axis 0% to 100%; x-axis: Checkstyle, ESLint, FindBugs, JSCS, JSHint, JSL, PMD, Pylint, RuboCop]
We: This is great!
Image: Phil Skipper, The Potentialist, http://i2.wp.com/thepotentiality.com/assets/media/Kurt-Enthusiasm.jpg
ASAT Developers*: Don't care.
Image: NiBiS, http://bidab.nibis.de/PICT/traurig.jpg
RQ 2.3: How Good Is The Default?
Most ASAT configurations deviate from the default.
But, typically only have one change from the default …
● Addition
● Deletion
● Re-configuration/Custom analysis
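As an added example (not code from the authors or their study), this script carries out the RQ2 step of parsing the rules in a checkstyle.xml and then classifies the result against a default rule set into the three RQ 2.3 change kinds: addition, deletion and re-configuration. The default rule set and the sample configuration are constructed for illustration and are not Checkstyle's real defaults.

```python
# Added example: parse a Checkstyle configuration and classify how it
# deviates from a default rule set (RQ2 "parse rules", RQ 2.3 change kinds).
import xml.etree.ElementTree as ET

# Constructed stand-in for a tool's default configuration (assumption,
# not Checkstyle's real defaults): rule name -> default property values.
DEFAULT_RULES = {
    "ConstantName": {},
    "LineLength": {"max": "80"},
    "MagicNumber": {},
    "EmptyBlock": {},
}

# Constructed sample checkstyle.xml: MagicNumber dropped, LineLength
# re-configured (max 80 -> 120), FinalClass added.
SAMPLE_CHECKSTYLE_XML = """<?xml version="1.0"?>
<module name="Checker">
  <module name="TreeWalker">
    <module name="ConstantName"/>
    <module name="LineLength">
      <property name="max" value="120"/>
    </module>
    <module name="EmptyBlock"/>
    <module name="FinalClass"/>
  </module>
</module>
"""

CONTAINERS = {"Checker", "TreeWalker"}  # structural modules, not rules


def parse_rules(xml_text):
    """Return {rule_name: {property: value}} for every enabled rule."""
    rules = {}
    for module in ET.fromstring(xml_text).iter("module"):
        name = module.get("name")
        if name in CONTAINERS:
            continue
        # Only direct <property> children belong to this rule.
        rules[name] = {p.get("name"): p.get("value") for p in module.findall("property")}
    return rules


def classify_changes(rules, defaults=DEFAULT_RULES):
    """Diff enabled rules against the defaults into RQ 2.3's categories."""
    added = sorted(set(rules) - set(defaults))
    deleted = sorted(set(defaults) - set(rules))
    # A rule enabled with no explicit properties keeps its defaults, so it
    # only counts as re-configured when it sets values that differ.
    reconfigured = sorted(
        name for name in set(rules) & set(defaults)
        if rules[name] and rules[name] != defaults[name]
    )
    return {"addition": added, "deletion": deleted, "re-configuration": reconfigured}
```

Running `classify_changes(parse_rules(SAMPLE_CHECKSTYLE_XML))` yields one change of each kind for the constructed file.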
RQ2: Open Questions
● Why do projects favor certain GDC rule categories from ASATs?
● Can ASAT developers better fit their default configurations to their users' needs?
● Do 'dynamic' languages require more ASAT use?
RQ3: How Do ASAT Configurations Evolve?
Image: Daimler AG, http://5komma6.mercedes-benz-passion.com/wp-content/uploads/2013/06/s-class-lineup.jpg
RQ 3.1: How Often Do Changes Occur?
>80% “never”
RQ 3.2: When Do Changes Occur?
<20% of files
RQ 3.3: How Big Are The Changes?
RQ 3: Open Questions
● Why do ASAT configurations not typically evolve?
● How are ASATs used in a CI-environment?
