Static Analysis-Targeted Automated Repair: Securing Code and Reducing Effort
Fact Sheet
Our tool, Redemption, automatically repairs source code for 100% of static analysis alerts for two types of code flaws, even if the alert is a false positive.
Publisher
Software Engineering Institute
Abstract
Static analysis tools often produce too many alerts to audit them all. Even if we knew which alerts were true positives, there are still too many true positives to repair all of them manually.
Our tool, Redemption, automatically repaired source code for 100% of static analysis alerts for two types of code flaws—EXP34-C/CWE-476 and EXP33-C/CWE-908—even if the alert was a false positive, in a way that preserves soundness and resolves the alert. It can also repair MSC12-C/CWE-561.
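As an added illustration, not Redemption's own output nor code from the fact sheet, the C below shows a constructed function that draws both alert types named above beside a hand-written repair of the kind a sound tool must produce: each change only affects executions that were already undefined, so well-defined inputs keep their original result. The `-1` error convention and the `checked_caller` false-positive call site are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example: the original is the kind of code that draws an
   EXP34-C/CWE-476 alert (b dereferenced without a NULL check) and an
   EXP33-C/CWE-908 alert (len read on the path where a == NULL). */
int sum_lengths_original(const char *a, const char *b) {
    size_t len;
    if (a != NULL) {
        len = strlen(a);            /* len is only assigned on this path */
    }
    return (int)(len + strlen(b));  /* CWE-908 if a == NULL; CWE-476 if b == NULL */
}

/* Hand-written repair in the style the abstract describes: each edit only
   changes executions that were already undefined, so every well-defined
   input returns exactly what the original returned. */
int sum_lengths_repaired(const char *a, const char *b) {
    size_t len = 0;                 /* EXP33-C/CWE-908: definite initialization */
    if (a != NULL) {
        len = strlen(a);
    }
    if (b == NULL) {                /* EXP34-C/CWE-476: guard before dereference */
        return -1;                  /* assumed error convention for this example */
    }
    return (int)(len + strlen(b));
}

/* A caller that already guards its arguments: for this call site the
   analyzer's CWE-476 alert is a false positive, yet applying the repair is
   still safe because the guarded path is unchanged. */
int checked_caller(const char *a, const char *b) {
    if (a == NULL || b == NULL) {
        return -1;
    }
    return sum_lengths_repaired(a, b);
}

/* Soundness check usable by a harness: on inputs where the original is
   well-defined, the repaired function must return the same value. */
int repair_preserves_behaviour(const char *a, const char *b) {
    return sum_lengths_original(a, b) == sum_lengths_repaired(a, b);
}
```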