Usable and Sound Static Analysis through its Integration into Automated and Interactive Workflows
Name
Lembit Valgma
Abstract
Static analysis allows software developers to detect and fix many types of errors in code
before it is submitted to a production environment. Despite the availability of sophisticated
analysis techniques, many preventable bugs still cause security vulnerabilities
that allow hackers to steal private information. Studies have shown that even though
developers recognize the benefits of static analysis there are many practical usability
problems preventing higher adoption rates.
The challenge is even greater with sound analyzers that could potentially verify the
total absence of specific types of bugs, but at the cost of rejecting some correct programs.
This thesis investigates the current situation of adopting static analyzers in the industry
and proposes an approach of integrating an analysis into the IDE and build system. The
seamless integration of both interactive and automated analysis may enable developers
to adopt sound analysis tools.
A prototype implementation of that static analysis workflow for tainting analysis
in IntelliJ and Gradle is presented. The integration proposed works well for tainting
analysis used in the prototype, but many challenges remain to generalize this to more
complex analyses. The prototype has enabled the exploration of different approaches
to usability and is a useful first step in a larger project aimed at building a user-friendly
sound static analysis framework.
before it is submitted to a production environment. Despite the availability of sophisticated
analysis techniques, many preventable bugs still cause security vulnerabilities
that allow hackers to steal private information. Studies have shown that even though
developers recognize the benefits of static analysis there are many practical usability
problems preventing higher adoption rates.
The challenge is even greater with sound analyzers that could potentially verify the
total absence of specific types of bugs, but at the cost of rejecting some correct programs.
This thesis investigates the current situation of adopting static analyzers in the industry
and proposes an approach of integrating an analysis into the IDE and build system. The
seamless integration of both interactive and automated analysis may enable developers
to adopt sound analysis tools.
A prototype implementation of that static analysis workflow for tainting analysis
in IntelliJ and Gradle is presented. The integration proposed works well for tainting
analysis used in the prototype, but many challenges remain to generalize this to more
complex analyses. The prototype has enabled the exploration of different approaches
to usability and is a useful first step in a larger project aimed at building a user-friendly
sound static analysis framework.
Graduation Thesis language
English
Graduation Thesis type
Master - Computer Science
Supervisor(s)
Vesal Vojdani
Defence year
2018