What is kiskadee?
=================

Static analyzers are programs that analyze other programs without running them,
usually by examining their source code. They are a useful means of supporting
software assurance: since static analysis can, in principle, reason about every
possible execution path in a program, it has the potential to find rare
conditions that automated testing is unlikely to exercise.

The fundamental problems of static analysis are undecidable, so analyzers must
approximate, and approximation produces false alarms. A false positive is
produced when the analyzer processes bug-free code and reports it as buggy. A
tool may also miss actual bugs (false negatives), processing buggy code and
reporting it as bug-free.

The large volume of warnings generated, together with the fact that some of
them are false alarms, hinders the adoption of static analyzers in the software
development cycle. False positives also require manual inspection, which
increases the effort of analyzing tool reports. False positives and the way
warnings are presented are among the reasons static analyzers are underused;
improving the integration of these tools into the development process could
help increase their adoption.

Thus, decreasing the number of false alarms and the amount of information
generated by static analysis would ease the manual verification of an
analyzer's report, favoring the inclusion of static analysis in software
development cycles.

kiskadee is a system designed to support continuous static analysis of software
repositories, running different static analyzers and storing their results in a
database. Based on that database, kiskadee will rank the warnings reported by
the different static analyzers: warnings with the highest rank are more likely
to indicate real and more critical software flaws, while warnings with the
lowest rank are more likely to be false positives. In this context, a warning
is a single issue reported by a static analyzer. Finally, kiskadee records the
software version in which each flaw was introduced, giving developers a
relatively short list of warnings to investigate in a suggested order.

Common static analysis report notation
----------------------------------------

Since we want to compare and rank static analysis warnings, we store the
reports of every static analyzer we run on a software package in the same
notation. For this, kiskadee uses `firehose
<https://github.com/fedora-static-analysis/firehose>`_. All reports stored in
the kiskadee database are in firehose JSON format, and each static analyzer run
by kiskadee must have a parser included in firehose upstream.
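
The following is an added example, not kiskadee's or firehose's own code, of
why a common notation matters for the ranking described above: warnings from two
analyzers with different text formats are normalized into one dict shape and
then grouped by location. The dict schema is a deliberately simplified stand-in
for firehose's JSON (real firehose reports carry more fields and nesting), the
analyzer output lines are constructed in the style of GCC and cppcheck text
diagnostics rather than captured from a real run, and "how many analyzers agree
on a location" is an illustrative ranking signal chosen for this example, not
kiskadee's ranking model.

```python
"""Normalize warnings from two analyzers into one notation and group them.

Added example; not kiskadee's code. The schema is a simplified, firehose-like
stand-in, and the ranking signal is an assumption made for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed sample in the style of GCC's text diagnostics
# (file:line:col: warning: message [-Wflag]); not from a real run.
GCC_OUTPUT = """\
src/net.c:42:10: warning: 'buf' may be used uninitialized in this function [-Wmaybe-uninitialized]
src/parse.c:118:5: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
"""

# Constructed sample in the style of cppcheck's default text template
# ([file:line]: (severity) message); not from a real run.
CPPCHECK_OUTPUT = """\
[src/net.c:42]: (error) Uninitialized variable: buf
[src/fmt.c:77]: (warning) Possible null pointer dereference: p
"""

GCC_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):(?P<col>\d+): warning: "
    r"(?P<msg>.*?)(?: \[(?P<id>-W[\w-]+)\])?$"
)
CPPCHECK_RE = re.compile(r"^\[(?P<file>[^:]+):(?P<line>\d+)\]: \((?P<sev>\w+)\) (?P<msg>.*)$")


def warning(analyzer, file_, line, message, column=None, testid=None, severity=None):
    """One analyzer issue in the common (simplified, firehose-like) notation."""
    return {
        "generator": analyzer,
        "location": {
            "file": file_,
            "line": int(line),
            "column": int(column) if column is not None else None,
        },
        "testid": testid,      # analyzer-specific check id, if the tool reports one
        "severity": severity,  # analyzer-specific severity, if the tool reports one
        "message": message,
    }


def parse_gcc(text):
    """Parse GCC-style warning lines; lines that do not match are ignored."""
    out = []
    for ln in text.splitlines():
        m = GCC_RE.match(ln)
        if m:
            out.append(warning("gcc", m["file"], m["line"], m["msg"],
                               column=m["col"], testid=m["id"]))
    return out


def parse_cppcheck(text):
    """Parse cppcheck-style lines; lines that do not match are ignored."""
    out = []
    for ln in text.splitlines():
        m = CPPCHECK_RE.match(ln)
        if m:
            out.append(warning("cppcheck", m["file"], m["line"], m["msg"],
                               severity=m["sev"]))
    return out


def rank_by_agreement(warnings):
    """Toy ranking signal (assumed for illustration, not kiskadee's model):
    group warnings by (file, line) and score each group by the number of
    distinct analyzers that reported it, highest score first."""
    groups = defaultdict(list)
    for w in warnings:
        loc = (w["location"]["file"], w["location"]["line"])
        groups[loc].append(w)
    ranked = [(len({w["generator"] for w in ws}), loc, ws) for loc, ws in groups.items()]
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


if __name__ == "__main__":
    all_warnings = parse_gcc(GCC_OUTPUT) + parse_cppcheck(CPPCHECK_OUTPUT)
    for score, (path, line), ws in rank_by_agreement(all_warnings):
        print(f"{score} analyzer(s) agree at {path}:{line}")
        print(json.dumps(ws, indent=2))
```

Once every tool's output lives in one shape, questions such as "which locations
did more than one analyzer flag?" become a grouping over a single table; that is
the property a shared notation like firehose provides, independently of which
ranking model is eventually layered on top.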