Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon & Rules

2017 IEEE Cybersecurity Development (SecDev), 2017

Cited by 3
Abstract
This hands-on tutorial teaches participants how to audit static analysis alerts using an auditing lexicon and a set of auditing rules. The software engineering community has no widely accepted lexicon or standard set of rules for auditing static analysis alerts. Auditing rules and a lexicon should lead different auditors to the same determination for a given alert. Standard terms and processes are needed so that initial determinations are interpreted correctly, which helps organizations reduce code flaws; they are also needed to improve the quality of audit data that research on alert prioritization depends on. The tutorial teaches a suggested set of auditing rules and a lexicon, briefly giving the rationale for each rule and each lexicon term, grounded in modern software engineering practice. Participants will spend most of the tutorial working with provided small programs and their associated static analysis alerts, examining them with the lexicon and rules to reach a determination, both individually and as a group. These hands-on activities are interspersed with presentation of the auditing rules, so participants immediately apply what was taught to relevant code and alerts. We hope that the auditing rules and lexicon taught will be immediately useful for participants to adopt (in part or in full) in their workplace, and that learning about them will motivate community discussion leading to agreed-upon standards.
Keywords
auditing lexicon, auditing rules, alert prioritization, code flaws, static analysis, software engineering, hands-on tutorial