
Sorald: Automatic Patch Suggestions for SonarQube Static Analysis Violations

Previous work has shown that early resolution of issues detected by static code analyzers can prevent major costs later on. However, developers often ignore such issues for two main reasons. First, many issues should be interpreted to determine whether they correspond to actual flaws in the program. Second, static analyzers often do not present the issues in a way that is actionable. To address these problems, we present Sorald: a novel system that uses metaprogramming templates to transform the abstract syntax trees of programs and suggests fixes for static analysis warnings. Thus, the burden on the developer is reduced from interpreting and fixing static issues to inspecting and approving full-fledged solutions. Sorald automatically fixes violations of 10 rules of SonarQube, a Java static analyzer that is among the most widely used. We evaluate Sorald on a dataset of 161 popular repositories on GitHub. Our analysis shows the effectiveness of Sorald: it fixes 65% (852/1,307) of the violations that meet the repair preconditions. Overall, our experiments show that it is possible to automatically fix notable violations of the static analysis rules produced by the state-of-the-art static analyzer SonarQube.

Bibliographic Details
Published in: IEEE Transactions on Dependable and Secure Computing, 2023-07, Vol. 20 (4), p. 2794-2810 (17 pages)
Main Authors: Etemadi, Khashayar; Harrand, Nicolas; Larsen, Simon; Adzemovic, Haris; Phu, Henry Luong; Verma, Ashutosh; Madeiral, Fernanda; Wikstrom, Douglas; Monperrus, Martin
Format: Article
Language: English
Publisher: Washington: IEEE (IEEE Computer Society); copyright IEEE Computer Society 2023
DOI: 10.1109/TDSC.2022.3167316
ISSN: 1545-5971; EISSN: 1941-0018; CODEN: ITDSCM
Subjects: Analyzers; automatic program repair; Automatic programs; Code; Codes; Codes (symbols); Computer bugs; Computer software; Cost analysis; Flaw detection; Java; Java programming language; Maintenance engineering; Meta Programming; metaprogramming; Program debugging; Repair; Software design; Software development management; Static analysis; Static analyzers; Static code analysis; Static codes; Syntactics; Trees (mathematics); Violations
Online Access: https://ieeexplore.ieee.org/document/9756950 (IEEE Xplore, free to read); https://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-323274 (record in the Swedish Publication Index)
Author ORCID iDs: https://orcid.org/0000-0002-2491-2771; https://orcid.org/0000-0003-3505-3383; https://orcid.org/0000-0002-8343-057X; https://orcid.org/0000-0003-2183-9633; https://orcid.org/0000-0002-8080-1355
Sources: IEEE Electronic Library (IEL) Journals; ProQuest Computer Science Collection; SwePub (KTH full text, freely available online)