Automated Code Repair for C/C++ Static Analysis Alerts

📅 2025-08-04
📈 Citations: 0
Influential: 0
📄 PDF

career value

136K/year
🤖 AI Summary
Static analysis tools for C/C++ frequently generate excessive false positives, imposing substantial manual review overhead. This paper proposes a repairability-guided defect filtering approach targeting three prevalent defect categories. Leveraging automated program repair (APR) techniques, it performs localized, semantics-preserving fixes on static analysis alerts. Key contributions include: (1) driving updates to the CERT coding standard by introducing repairability-oriented metrics; (2) releasing the first publicly available dataset of static analysis alerts paired with validated repairs; and (3) open-sourcing a high-fidelity, developer-acceptable repair tool. Evaluation on real-world codebases—including sqlite3.c—demonstrates that 8,718 of 9,234 alerts (over 80%) were either successfully repaired or confidently dismissed. Post-repair performance remains statistically unchanged, and no new alerts were introduced—except in sqlite3.c, where minor regressions occurred. The approach significantly reduces human verification effort while preserving correctness and maintainability.

Technology Category

Application Category

📝 Abstract
(Note: This work is a preprint.) Static analysis (SA) tools produce many diagnostic alerts indicating that source code in C or C++ may be defective and potentially vulnerable to security exploits. Many of these alerts are false positives. Identifying the true-positive alerts and repairing the defects in the associated code are huge efforts that automated program repair (APR) tools can help with. Our experience showed us that APR can reduce the number of SA alerts significantly and reduce the manual effort of analysts to review code. This engineering experience paper details the application of design, development, and performance testing to an APR tool we built that repairs C/C++ code associated with 3 categories of alerts produced by multiple SA tools. Its repairs are simple and local. Furthermore, our findings convinced the maintainers of the CERT Coding Standards to re-assess and update the metrics used to assess when violations of guidelines are detectable or repairable. We discuss engineering design choices made to support goals of trustworthiness and acceptability to developers. Our APR tool repaired 8718 out of 9234 alerts produced by one SA tool on one codebase. It can repair 3 flaw categories. For 2 flaw categories, 2 SA tools, and 2 codebases, our tool repaired or dismissed as false positives over 80% of alerts, on average. Tests showed repairs did not appreciably degrade the performance of the code or cause new alerts to appear (with the possible exception of sqlite3.c). This paper describes unique contributions that include a new empirical analysis of SA data, our selection method for flaw categories to repair, publication of our APR tool, and a dataset of SA alerts from open-source SA tools run on open-source codebases. It discusses positive and negative results and lessons learned.
Problem

Research questions and friction points this paper is trying to address.

Reducing false positives in C/C++ static analysis alerts
Automating repair of code defects for security vulnerabilities
Improving trustworthiness and acceptability of automated repair tools
Innovation

Methods, ideas, or system contributions that make the work stand out.

Automated repair for C/C++ static analysis alerts
Simple and local code fixes for 3 flaw categories
Reduces false positives and manual review effort
🔎 Similar Papers
David Svoboda
David Svoboda
Masaryk university
biomedical image synthesis
L
Lori Flynn
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
W
William Klieber
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
M
Michael Duggan
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
N
Nicholas Reimer
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
J
Joseph Sible
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA