Static analysis (SA) tools analyze source code for security defects and alert users to issues requiring repair. While invaluable, SA tools tend to produce many alerts (many of which are false positives), making it difficult to separate signal from noise and repair critical security defects. Our analysis suggests that manually auditing and repairing all SA alerts from one daily snapshot of the average mature codebase (approximately 2 million lines of C/C++ code) requires three and a half person-years of effort in software sustainment. Consequently, the cost of assessing and mitigating true positives represents a significant barrier to adoption of this key technology.

Our project will research the integration of SA alerts with automated code repair (ACR) technology. Recent advancements in ACR suggest that it could automatically repair more than half of all C/C++ defects identified by SA alerts. We handle false positives by repairing them, just like true positives. This approach will eliminate the audit effort, and repairing these alerts will make the code more resilient. Integration of ACR into a continuous integration (CI) pipeline will also make future development more resilient by potentially preventing successful software builds from introducing new vulnerabilities.

While ACR shows promise, it needs help to determine which repairs are necessary in a codebase. Our project intends to identify several categories of alerts as automatically repairable without the need for a manual code audit. We first aim to develop a prototype tool that can automatically repair 80% of SA alerts in three different security-relevant defect categories. We will then work to expand our scope to ten categories. This tool will examine a list of SA tool alerts and a source codebase, then repair all the alerts that it can. Finally, the tool will output a log of which alerts it could and could not repair.

This work will leverage the CMU SEI’s expertise in code repair and static analysis to significantly decrease the cost of finding and repairing insecure code, thereby increasing the trustworthiness of fielded software. If we can automatically halve the number of SA alerts, then groups that use our tool would halve the effort of auditing and fixing their code, and groups that do not currently use SA can start to halve the auditing effort required for older projects. If our tool can fix 54% of alerts on a moderately large codebase, we estimate a savings of 1 3/4 person-years of auditing and coding effort.