The document provides an overview of automated static analysis (ASA) and its role in identifying actionable alerts in source code. It discusses a systematic literature review on action alert identification strategies, including research questions, search strategy, and characteristics of studies reviewed. The classification of alerts into actionable and unactionable categories is also highlighted, emphasizing the importance of software artifact characteristics in this process.

1. 1.Introduction
StaticStaticanalysisreferstotheprocesswhichinvolvesevaluationofacomponentor
system basedonitsstructure,form,documentationorcontent(Myers,2009).
AutomatedStaticAnalysis(ASA)candeterminecommonproblemsincodingearly
on in the developmentprocess,using a toolwhich automatessource code
inspection.ASAthenreportspossibleanomaliesinthesourcecode,oftencalled
alerts,whichcomeintheformofbufferoverflows,nullpointerdereferences,aswell
asstyleinconsistencies.Developerswillthenworktowardsinspectingeveryalertin
orordertoidentifywhetherornotanalertisindeedanindicationofaviableanomaly
whichrequirestobefixed(Stan&Fowler,2011).Ifadeveloperindeeddetermines
thatthealertisvalidandfixable,itbecomesan‘actionablealert’.Whenthealert
doesnotprovetobeananomaly,orifitisviewedasunimportanttothedeveloper,a
sourcecodeanomalywhichisinconsequentialtothefunctionalityoftheprogramas
perceivedbythedeveloper,thenthealertistermedasan‘unactionablealert’(Harris,
2012).
2.Overviewofthesystematicliteraturereviewmethod
WeusedthedescribedSLRguidelinesbyKichel(2008)inordertodevelopour
protocol.Thisprotocolisusedinaddressingthedifferentresearchobjectivesas
proposedinthestudy.Itdescribesthequestion,researchstrategyforsearchingfor
relevantstudies,selectedstudiesanalysis,aswellasdatasynthesis.
ASystematicLiteratureReviewonAction
AlertIdenticationStrategiesforthe
AnalysisofAutomatedStaticCode

2. 2.1ResearchQuestions
Wehavederivedourquestionsusedintheresearchdirectlyfrom thelistofSLR
objectives.Wewanttoanswerthefollowingcriteria:
•WhatarethedifferentcategoriesofartifactsthatareusedforAAITinput?
•WhataretheapproachesusedfortheAAIT?
•WhatconclusionscanwegetregardingtheefficacyofAAITsfromtheresults
gatheredinthechosenstudies?
•Whatarethechallengesencounteredduringresearch?
SinceAAITsaredoneafterASA,weareinterestedinfirstunderstandingthe
informationsourcesusedingeneratingtheprioritizationorclassificationofanalert.
Afterwards,wewanttodeterminetheunderlyingalgorithmsinvolvedinprioritizing
orclassifyingalerts(Simmon,2010).
2.2Sea2.2Searchstrategy
Thissectioncoverstheprocessinvolvedingeneratingsearchstrategy,terms,
searcheddatabases,andthedocumentationusedinthesearch.
2.3Searchstrategyandterms
WWehaveidentifiedsomekeytermswhichwereusedforthesearchfromprevious
experienceinthesubjectarea.Themaintermusedforthesearchis‘staticanalysis’
infocusingonsolutionswhichdetermineactionablealertswhenperformingASA
(Roldenson & Waltz,2003).The othersearch terms are classified into two:
techniquesforidentification and descriptivealertnamesgenerated bystatic
analysis.

3. 3.OverviewofStudies
Wehaveidentified23studiesintheliteraturewhichfocusonprioritizingor
classifyingalertsthataregeneratedbytheASA.Aquicklookatthestudiesshow
that,allworkperformedonAAITsweredoneduringoraftertheyear2003,except
one,andmostofthemwerepublishedin2007to2008.(Walter,2010).Ontopofthat,
wehavealsoconsideredthepublicationvenuesforthepapersselected.
4.Softwa4.SoftwareCharacteristics
OnecommoncharacteristicamongAAITsisthattheyuseadditionalinformation
regardingsoftwareartifactswiththepurposeofprioritizingorclassifyingalertsas
eitheractionableorunactionable.Thisadditionalinformationiscalledthesoftware
artifactcharacteristics,servingasanindependentvariablewhenitcomesto
predictingtheso-calledactionablealerts(Mosley,Beuby,&Walter,2008).
5.ClassificationAAITs
TheseTheseclassificationAAITsdividethealertsintotwobatches:thealertswhichare
likely to be actionable,as wellas alerts which are mostlikely to become
unactionable.(Gosby,2010).ForeveryAAIT,wereportedinthepapershowingthe
descriptionoftheAAIT,theinputintheformofusedartifactcharacteristics,theASA
used,AAITtype,programminglanguageused,aswellastheresearchmethodology.
Ifthereisnonameusedintheselectedstudy,wemakeanameaccordingtothefirst
letterofthelastnamesofthefirstthreeauthors,aswellasthelasttwonumbersof
thepublicationthepublicationyear.(Moffat,2010).
References
Gosby,H.A.(2010).Integratingdynamicandstaticanalysisforthedetectionofvulnerabilities.In:The30thAnnualGlobalComputerApplication
Software,Chicago,Illinois,USA.August16–20,2010,pp.34-56.
Harris,J.(2012).Applyingstaticanalysisinmulti-threaded,large-scalejavaprograms.BusinessInsider,32(2),23-25.
Kichel,Y.U.(2008).Rankingsoftwareinspectionoutputusingstaticprofiling.ComputerApplicationsAnalysis,34(3),34-45.
Moffat,P.W.(2010).Useofdataflowanalysisinstaticprofiling.SoftwareBusinessPublication,34(2),23-34.
Mosley,T.,Beuby,W.,&Walter,U.(2008).Correlationexploitation-StatisticalAnalysis.AnalysisSymposiumWorkbook,12(1),234-245.
Myers,E.R.(2009).IEEEStandardforSoftwareAnalysisReviews.SoftwareEngineeringVocabulary,23(1),34-36.
Roldenson,P.O.,&Waltz,E.(2003).Rankingsoftwareinspectionsandprioritizinganalysis.StandardSoftwareConference,23(4),23-36.
Stan,Y.J.,&Fowler,T.(2011).Dynamicallydiscoveringprogram invariantsinsupportingprogram evaluation.TheBusinessJournal,34(2),
123-145.
Simmon,T.(2010).Ameta-analysisforeffectivelyprioritizingerrorsinprogramming.ComputerScienceJournal,23(3),45-67.
WWalter,Y.(2010).Writingdependablecomputerengineeringresearch.ComputerEngineeringJournal,34(4),23-35.