Sorald: Automatic Patch Suggestions for SonarQube Static Analysis Violations

Bibliographic Details
Published in: IEEE Transactions on Dependable and Secure Computing, 2023-07, Vol. 20 (4), pp. 2794-2810
Main Authors: Etemadi, Khashayar; Harrand, Nicolas; Larsen, Simon; Adzemovic, Haris; Phu, Henry Luong; Verma, Ashutosh; Madeiral, Fernanda; Wikstrom, Douglas; Monperrus, Martin
Format: Article
Language: English
Description
Summary: Previous work has shown that early resolution of issues detected by static code analyzers can prevent major costs later on. However, developers often ignore such issues for two main reasons. First, many issues must be interpreted to determine whether they correspond to actual flaws in the program. Second, static analyzers often do not present the issues in a way that is actionable. To address these problems, we present Sorald: a novel system that uses metaprogramming templates to transform the abstract syntax trees of programs and suggests fixes for static analysis warnings. Thus, the burden on the developer is reduced from interpreting and fixing static issues to inspecting and approving full-fledged solutions. Sorald automatically fixes violations of 10 rules of SonarQube, a Java static analyzer that is among the most widely used. We evaluate Sorald on a dataset of 161 popular repositories on GitHub. Our analysis shows the effectiveness of Sorald, as it fixes 65% (852/1,307) of the violations that meet the repair preconditions. Overall, our experiments show it is possible to automatically fix notable violations of the static analysis rules produced by the state-of-the-art static analyzer SonarQube.
ISSN: 1545-5971
eISSN: 1941-0018
DOI: 10.1109/TDSC.2022.3167316