ID Article Title Author(s) Advantages (RQ1) Disadvantages (RQ2) Static tools (RQ3) Solutions (RQ4) 1 STATIC CODE ANALYSIS Stefanović, Darko Manual code review is time- Defects must be visible in the Cppcheck, FindBugs, Splint, Range of programming languages TOOLS: A SYSTEMATIC Nikolić, Danilo consuming. Optimizing the operation . Not all programming SonarQube, PMD, Flawfinder supported is continuously expanding. Dakić, Dušanka of the compiler. Detecting languages are supported. A single Combining tools can help detect all LITERATURE REVIEW. Spasojević, Ivana irregularities. Help understand the tool might not be able to detect all defects. Ristić, Sonja behaviour of a program without defects. execution. 2 Probing into code analysis tools: A Shaukat, Rida Saves enourmous amount of time Tool can give vague explanations FxCop, NDepend, Nitriq, Correct tools have technical and comparison of # supporting static Shahoor, Arooba and money in a development and unwanted checks. High ReSharper, Coverity Scan, accurate descriptions. Some tools can code analyzers Urooj, Aniqa process. Some tools are highly memory consumption (ReSharper, PVS-studio, Parasoft dotTest, be customized to fix vague problems. customizable. Parasoft). Visual Code Grepper 3 A Comparison of Open-Source Arusoaie, Andrei Some tools do not detect all defects. Clang, Frama-C, Oclint, Certain tools are better at detecting Static Analysis Tools for Ciobaca, Stefan Difficult on install/compile some Cppcheck, Splint, Infer, Uno, certain defect types than others. Vulnerability Detection in C/C++ Craciun, Vlad tools because they rely on older Flawfinder, Sparse, Flint++ Code Gavrilut, Dragos versions of libraries of compilers. Lucanu, Dorel For some defect types there is no good tool. 4 How Open Source Projects Use Zampetti, F. Early detection of potential faults, CheckStyle, FindBugs, PMD, Static Code Analysis Tools in Scalabrino, S. vulnerabilitues, code smells. Apache-rat, Clirr, jDepend Continuous Integration Pipelines Oliveto, R. Canfora, G. Di Penta, M. 5 Static Code Analysis Tools with the Maskur, Achmad Tools help with the quality of the Some vulnerabilities are not found. Detecting vulnerabilites using taint Taint Analysis Method for Detecting Fahrurrozi code as an engineer might not know False negatives. analysis can be improved by Web Application Vulnerability Dwi Wardhana the best methods (especially supporting OOP. Tools are to be Asnar, Yudistira security-wise) and therefore also improved based on false negatives give insight to the user. and manually discovered defects that Vulnerabilities can be found without were unfound by a tool. executing. 6 Using Machine Learning Alikhashashneh, Examine code without execution. False positives. False negatives. Machine learning (particularily Techniques to Classify and Predict Enas A. Random Forests technique) can help Static Code Analysis Tool Raje, Rajeev R. reduce false positives. Also Warnings Hill, James H. techniques like KNN, SVM and RIPPER. False pos/neg can also be avoided if developers rewrite their code in a way that reduces source code complexity, coupling and usage of global variables. 7 Comparative study on static code Fatima, Anum Efficient system to check on No tool can give 100% surety that FlawFinder, VCG, CppCheck, Tools can be improved as lacking analysis tools for C/C++ Bibi, Shazia software coding scheme. Defects software will never halt, crash, Splint, Polyspace, CSTAT (was functionality is discovered. Tools can Hanif, Rida (safety, security bugs, quality misperform. False negatives. Some the best of this bunch), QAC, be used together to cover all important standards, dereferences, buffer tools are too specific and lack basic Coverty, Astree, Klocwork, code vulnerabilities. overruns, injection problems, checks, others are just too basic. Parasoft, , Sparse, ITS4, memory leaks, dataflow problems, Goanna, RATS language implementation errors, inconsistencies) are detected without execution. Helps build long- lasting software without bugs and vulnerabilites. 8 Evaluating how static analysis tools Singh, Devarshi Tools can help to reduce code False positives. PMD, FindBugs, CheckStyle Often the best tools (etc PMD) do not can reduce code review effort Sekar, Varun review effort. Code reviewer or have high amount of false positives. Ramachandra developer does not need to know For the remaining false positives, Stolee, Kathryn T. the best practice patterns. Tools configuring a tool's (PMD's) ruleset Johnson, Brittany automatically find defects and style can limit the warnings. issues. No need for reviewers to use comments -> less noise. 9 Identifying and Documenting False Reynolds, Z.P. Tools help can help developers find False positives. False negatives. CAT.NET, FindBugs Static code analysis tools can be Positive Patterns Generated by Jayanth, A.B. defects automatically. Manual code integrated into frameworks for Static Code Analysis Tools Koc, U. analysis is time-consuming. evaluating the tools which can help Porter, A.A. identify potential false positives. Raje, R.R. Reduce usage of some techniques Hill, J.H. like global variables to avoid some false positives. False positives can still be "fixed". False positive patterns can be studied and fixed. Multiple tools can be used together. 10 A Novel Memory Leak Zhang, Sen Tools can detect memory leaks. Difficult to design a tool that can Cppcheck, Clang Static Choosing the correct tool for your Classification for Evaluating the Zhu, Jingwen detect all kinds of memory leaks. Analyzer, Sourceinsightscan situation can improve performance. Applicability of Static Liu, Ao Complex problems are unfound by Wang, Weijing even the best tools. Hard to find the Guo, Chenkai absolute best tool as all tools have Xu, Jing advantages over others. 11 Prioritizing Alerts from Multiple Flynn, Lori Tools can help determine flaws False positives. False negatives. Machine learning can help with false Static Analysis Tools, Using Snavely, William without executing the code. Complex control flow or data flow positives. Tools can be used together Classification Models Svoboda, David constructs significantly reduce tools' for improved efficiency. VanHoudnos, success rate. Nathan Qin, Richard Burns, Jennifer Zubrow, David Stoddard, Robert Marce-Santurio, Guillermo 12 Software quality through the eyes Kamonphop The analysis tools can reveal PMD, FindBugs, SonarQube of the end-user and static analysis Srisopha, Reem possible vulnerabilities, defects, or tools Alfayez design issues at an early stage in the development phase 13 Scientific Developers v/s Static Rohan They help identify defects and code High false positives rates, low Analysis Tools: Krishnamurthy, smells or enforce common coding comprehensibility of analysis Vision and Position Paper Thomas S. Heinze, standards. results, and missing process Carina Haupt, integration restrain the use and Andreas Schreiber, acceptance of static analysis tools. and Michael Meinel 14 A Practical Approach for Ranking Binh Hy Dang The problem of using multiple bugs FindBugs, PMD, Cppcheck, Static analysis warnings can be Software Warnings from Multiple finding tools is they not only detect Understand prioritized by using a data fusion Static Code Analysis Reports similar software defects but also technique that merges warnings from generate new warning messages. different tools and reports them in a The excessive warnings make code universal format or using PCA to analysis time consuming and develop an analytical model and rank expensive. High number of false the alerts. positive. 15 Automatically Generating Fix Diego Marcilio, Using these tools can help They report warnings that may SonarQube, FindBugs, If these analysis tools could Suggestions in Response to Static Carlo A. Furia, developers monitor and improve always not correspond to an actual SpotBugs automatically provide suggestions on Code Analysis Warnings Rodrigo Bonifácio, software code quality mistake. Developers normally fix how to fix the issues that trigger some Gustavo Pinto only a small fraction (typically, less of the warnings, their feedback would than 10%) of the reported issues. become more actionable and more directly useful to developers 16 Source Code Analysis for Secure Christian Barrientes Static analysis of source code can FindBugs, Find Security Bugs Programming Practices , Jeong Yang , help mitigate the common coding Joshua Sanchez , errors such as buffer overflow, and Young Rae Kim memory leaks, unused variables, and various race conditions 17 Challenges with Responding to Nasif Imtiaz, Akond Help developers detect potential False positive alerts, the way in FindBugs Alert messages should be more Static Analysis Tool Alerts Rahman, Effat defects in the code early in the which the alerts are presented, effective in helping the developers act Farhana, and Laurie development cycle incomprehensible and untrustworthy on the alert Williams alerts and a lack of customizability 18 An Empirical Assessment of Ugur Koc, Shiyi Wei, High false positive rates FindSecBugs Machine learning techniques have Machine Learning Approaches for Jeffrey S. Foster, been proposed for false positive Triaging Reports of a Java Static Marine Carpuat, detection: hand-engineered features, Analysis Tool Adam A. Porter bag of words, recurrent neural networks, and graph neural networks, for classifying false positives 19 How Developers Diagnose Justin Smith , These tools locate and report on Researchers cite several related Find Security Bugs Most broadly, tools should support Potential Security Vulnerabilities Brittany Johnson, potential software security reasons why these tools do not help effective strategies and provide with a Static Analysis Tool Emerson Murphy- vulnerabilities, such as SQL injection developers resolve defects, for information that aligns with the Hill , Bill Chu, and and cross-site scripting even before instance, the tools: “may not give information needs we have identified. Heather Richter the code executes. enough information”; produce “bad Tools should help developers, among Lipford warning messages”; and other things, search for relevant web “miscommunicate” with developers. resources. 20 The Use and Limitations of Static- Paul Anderson The latest static analysis tools are There are path limitations, most Tools should be used only to Analysis Tools to Improve Software capable of finding serious errors in tools ignore recursive calls and compliment other review and testing Quality programs such as null-pointer de- functioncalls that are made through techniques. references, buffer overruns, race function pointers. Tool's won't give conditions, resource leaks, and other accurate results when parts of the errors. Static analysis can be used source code are missing or where very early in the development cycle, the fundamental rules of the its use can reduce the cost of language aren't being violated development. They also make it easier to achieve full code coverage. 21 Static Analysis Techniques and Vinícius Rafael Lobo Static analysis tools are very useful The main disadvantage of static FindBugs, PMD, CheckStyle, Static analysis tools should be Tools: A Systematic Mapping Study de Mendonça, for carrying out initial verification and analysis tools is their high false SonarQube combined together or with dynamic Cássio Leonardo validation activities compared to positive rates.False positive alerts tool to reduce false positive rates. Rodrigues, Fabrízzio other quality assurance procedures, lead to an increase in process Another way would be assigning a Alphonsus A. de M. especially due to their low costs, because their detection is weight or priority for each type of false N. Soares, Auri implementation cost. usually done by human intervention. positive and so bugs with higher Marcelo Rizzo This consumes precious time that priority would be given greater Vincenzi could be used for the correction of attention. real faults. 22 A Critical Comparison on Six Static Valentina There is a wide range of tools today Precision is quite low on average SonarQube, Better Code Hub, Different tools should be combined to Analysis Tools: Detection, Lenarduzzi, to choose from and they are Coverity Scan, Findbugs, PMD, achieve better coverage. Most Agreement, and Precision Savanna Lujan, becoming increasingly easier to use, and CheckStyle problems related to static code Nyyti Saarimäki, especially in continuous integration analysis tools could be avoided if Fabio Palomba pipelines current tools would be complemented with effective tools targeting automated refactoring and automatic test case generation. 23 Taxonomy of Static Code Analysis Jernej Novak, The tools are fast, the code can be A tool will never find any error if this StyleCop, Gendarme, They should be used in correlation Tools Andrej Krajnc, Rok inspected much more frequently and behavior has not been specified CheckStyle, FindBugs with manual code analysis and other Žontar they can contain the same level of with rules or patterns. They cannot review tools. knowledge as a human reviewer. verify the design, architectural They can help us find common errors, poorly made cryptographic software errors such as memory libraries, inappropriately selected overruns, cross-site scripting algorithms, design problems which attacks, injections and various other cause confusion. They can't find boundary cases passwords or magic numbers in the code. They are prone to false positives. They are only as good as the rules they are using to scan with.

· RQ1: What are the main advantages to the usage of static tool analysers

· RQ2: What are the main disadvantages to the usage of static tool analysers

· RQ3: Which static analysis tools are more used in studies in the last 10 years

· RQ4: How can the problems related to the static tool analysers be minimized