Rapid Adjudication of Static Analysis Alerts During Continuous Integration
November 2021 • Presentation
This project developed algorithms and a static analysis classification system for use with continuous integration, enabling more secure software with less effort.
Software Engineering Institute
The DoD has directed a shift toward continuous integration/continuous deployment (CI/CD) to maintain a competitive edge. CI/CD development efforts typically run automated unit, integration, and stress tests during CI builds, but static analysis (SA) tools are not always part of builds because CI time frames are too short. SA tools could detect code flaws that are cheaper to fix earlier in the development process during CI builds. However, current SA tools produce some false-positive warnings; thus, humans must inspect the code and manually adjudicate SA results as true or false. If SA is used within CI, alerts could stop a build and force human adjudication of true-positive and false-positive SA results. Furthermore, many previously adjudicated true- and false-positive SA results reappear each time an SA tool is run on a subsequent code version. This research project used machine learning during CI/CD to reduce the number of meta-alerts requiring human adjudication, with a goal of reducing manual effort by 50% without slowing the development process. This project will improve the state of the art in reducing manual effort adjudicating static analysis and in integrating SA tools into CI/CD processes.