Machine learning-based validation of warnings in an industrial static code analyzer

U. V. Tsiazhkorob^ab, M. V. Belyaev^ac, A. A. Belevancev^ac, V. N. Ignatyev<sup>ac

a</sup> Ivannikov Institute for System Programming of the RAS
^b Moscow Institute of Physics and Technology (National Research University)
^c Lomonosov Moscow State University

Abstract: This paper describes a mechanism for the automatic classification of static analysis warnings using machine learning methods. Static analysis is a tool for detecting potential vulnerabilities and bugs in source code. However, static analyzers often generate a large number of warnings, including both true and false positives. Manually analyzing all the defects found by the analyzer is a labor-intensive and time-consuming task. The developed automatic classification mechanism demonstrated high precision of more than 93% with a recall of about 96% on a set of warnings generated by the industrial static analysis tool Svace during the analysis of real-world projects. The dataset for the machine learning model is generated based on the warnings and source code metrics obtained during the static analysis of the project. The paper explores various approaches to feature selection and processing for the classifier, taking into account the characteristics of different machine learning algorithms. The mechanism’s efficiency and its independence from the programming language allowed it to be integrated into the industrial static analysis tool Svace. Various approaches to integrating the tool were considered, accounting for the specifics of the static analyzer, and the most convenient one was selected.

Keywords: machine learning, static analysis, classification, source code metrics, warnings

DOI: 10.15514/ISPRAS-2025-37(6)-6