What is kiskadee?

Static analyzers are computer programs that analyze other computer programs. This is generally done by checking source code through static analysis methods. This is a good means to support software assurance, since static analysis can in theory enumerate all possible interactions in a program, having the potential to find rare occurrences that would be harder to find with automated testing.

The fundamental problems of static analysis are undecidable, so approximations must be made, which leads static analyzers to generate false alarms. A false positive is produced when the static analyzer processes bug-free code and reports it as buggy. A tool may also miss actual bugs (false negatives), when it processes buggy code and reports it as bug-free.

The large amount of information generated, and the fact that some of it consists of false alarms, hinder the inclusion of static analyzers in the software development cycle. Also, false positives require manual inspection, which increases the effort of analyzing tool reports. False positives and the way warnings are presented are some of the reasons why static analyzers are underused, and improving the integration of these tools into the development process could help increase their adoption.

Thus, decreasing the number of false alarms and the amount of information generated by static analysis would smooth the process of manually verifying an analyzer’s report, favoring the inclusion of static analysis in software development cycles.

kiskadee is a system designed to support continuous static analysis in software repositories using different static analyzers and to store the resulting reports in a database. Based on the information in this database, kiskadee will rank the warnings reported by the different static analyzers: warnings with the highest rank are more likely to indicate real and more critical software flaws, while warnings with the lowest rank are more likely to be false positives. In this context, a warning is a single issue produced by a static analyzer. Finally, kiskadee maps software flaws inserted in specific software versions, providing developers with a relatively small list of warnings to be investigated in a suggested order.

Common static analysis report notation

Since we want to compare and rank static analysis warnings, we want to store our static analysis reports in the same notation for every static analyzer we run on a software package. Thus, kiskadee uses firehose. All reports stored in the kiskadee database are in firehose JSON format, and each static analyzer run by kiskadee must have a parser included in firehose upstream.
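
The following added example (not kiskadee or firehose code) shows why a common notation makes warnings from different analyzers comparable: once both reports share one record layout, they can be lined up by source location. The two analyzers, their output formats and the record layout are assumptions made for illustration; the record is a simplified stand-in, not the firehose JSON schema.

```python
import re
from collections import defaultdict

# Constructed sample output from two hypothetical analyzers (tool_a, tool_b).
TOOL_A_OUTPUT = """\
[src/net.c:42]: (error) Buffer is accessed out of bounds: buf
[src/util.c:10]: (style) Variable 'n' is assigned a value that is never used
"""
TOOL_B_OUTPUT = """\
src/net.c:42: [4] (buffer) strcpy: does not check for buffer overflows
src/auth.c:88: [2] (random) rand: not sufficiently random for security use
"""
TOOL_A_RE = re.compile(r"\[(?P<file>[^:\]]+):(?P<line>\d+)\]: \((?P<kind>\w+)\) (?P<msg>.+)")
TOOL_B_RE = re.compile(r"(?P<file>[^:]+):(?P<line>\d+): \[\d\] \((?P<kind>\w+)\) (?P<msg>.+)")


def normalize(tool, pattern, text):
    """Parse one analyzer's text output into common warning records."""
    records = []
    for raw in text.splitlines():
        m = pattern.fullmatch(raw.strip())
        if m is None:
            continue  # not a warning line (banner, blank line, summary)
        records.append({"generator": tool, "file": m["file"],
                        "line": int(m["line"]), "kind": m["kind"],
                        "message": m["msg"]})
    return records


def load_all():
    """Normalize both constructed reports into one list."""
    return (normalize("tool_a", TOOL_A_RE, TOOL_A_OUTPUT)
            + normalize("tool_b", TOOL_B_RE, TOOL_B_OUTPUT))


def group_by_location(records):
    """Group warnings by (file, line) so reports from different tools line up."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[(rec["file"], rec["line"])].append(rec["generator"])
    return dict(grouped)


if __name__ == "__main__":
    for location, tools in sorted(group_by_location(load_all()).items()):
        print(location, tools)
```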