
Rapid Adjudication of Static Analysis Alerts During Continuous Integration

November 2021 Presentation
Lori Flynn

This project developed algorithms and a static analysis classification system for use with continuous integration, enabling more secure software with less effort.

Publisher: Software Engineering Institute

Abstract

The DoD has directed a shift toward continuous integration/continuous deployment (CI/CD) to maintain a competitive edge. CI/CD development efforts typically run automated unit, integration, and stress tests during CI builds, but static analysis (SA) tools are not always part of builds because CI time frames are too short. SA tools run during CI builds could detect code flaws early in the development process, when they are cheaper to fix. However, current SA tools produce some false-positive warnings; thus, humans must inspect the code and manually adjudicate SA results as true or false. If SA is used within CI, alerts could stop a build and force human adjudication of true-positive and false-positive SA results. Furthermore, many previously adjudicated true- and false-positive SA results reappear each time an SA tool is run on a subsequent code version. This research project used machine learning during CI/CD to reduce the number of meta-alerts requiring human adjudication, with a goal of reducing manual effort by 50% without slowing the development process. This project will improve the state of the art in reducing the manual effort spent adjudicating static analysis results and in integrating SA tools into CI/CD processes.
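The abstract names one concrete source of wasted effort: alerts that a reviewer has already adjudicated reappear on every subsequent code version because the tool reports them afresh. The script below is an added illustration of the carry-forward step, not code from this project or from any SA tool: it fingerprints each alert by tool, checker, file path and the whitespace-normalized text of the flagged line (rather than its line number), looks the fingerprint up in a store of earlier verdicts, and lets a CI gate present only genuinely new alerts for human review while still failing the build on a confirmed true positive. The `Alert` record, the `sa-tool` name, the checker names, the source text and the verdicts are all constructed for the example; real tools emit their own formats (e.g. SARIF) that would need to be mapped onto `Alert`.

```python
"""Carry human adjudications of static-analysis alerts forward across code
versions so a CI gate only asks for review of genuinely new alerts.
Everything below (alert format, tool/checker names, source text, verdicts)
is constructed for illustration and is not any real tool's output."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    tool: str
    checker: str
    path: str
    line: int
    message: str


def _normalize(text: str) -> str:
    """Collapse whitespace so reformatting alone does not change the fingerprint."""
    return " ".join(text.split())


def fingerprint(alert: Alert, sources: dict) -> str:
    """Identify an alert by tool, checker, file and the text of the flagged line,
    not its line number, so insertions above it in a later version still match.
    The message is deliberately excluded: tool upgrades often reword it."""
    lines = sources.get(alert.path, [])
    flagged = _normalize(lines[alert.line - 1]) if 0 < alert.line <= len(lines) else ""
    key = f"{alert.tool}|{alert.checker}|{alert.path}|{flagged}"
    return hashlib.sha256(key.encode()).hexdigest()


def triage(alerts, sources, adjudications):
    """Split alerts into confirmed true positives, suppressed false positives and
    alerts still needing review. adjudications maps fingerprint -> 'true'|'false'."""
    result = {"confirmed": [], "suppressed": [], "needs_review": []}
    for alert in alerts:
        verdict = adjudications.get(fingerprint(alert, sources))
        if verdict == "true":
            result["confirmed"].append(alert)
        elif verdict == "false":
            result["suppressed"].append(alert)
        else:
            result["needs_review"].append(alert)
    return result


def ci_gate(alerts, sources, adjudications):
    """Return (passed, summary). Policy chosen for this example: a known true
    positive that is still present fails the build; new alerts are surfaced for
    review but do not block on their own."""
    t = triage(alerts, sources, adjudications)
    total = len(alerts)
    auto = len(t["confirmed"]) + len(t["suppressed"])
    summary = {
        "total": total,
        "auto_adjudicated": auto,
        "manual_effort_saved": auto / total if total else 0.0,
        "blocking": len(t["confirmed"]),
        "needs_review": [a.message for a in t["needs_review"]],
    }
    return len(t["confirmed"]) == 0, summary


# Constructed version 1 of a file and the verdicts a reviewer recorded for it.
V1 = {"src/parse.c": [
    "int parse(char *buf) {",
    "    char tmp[16];",
    "    strcpy(tmp, buf);",
    "    int rc = 0;",
    "    return 0;",
    "}",
]}
V1_ALERTS = [
    Alert("sa-tool", "BUFFER_OVERFLOW", "src/parse.c", 3, "unbounded copy into tmp"),
    Alert("sa-tool", "UNUSED_VALUE", "src/parse.c", 4, "rc assigned but never read"),
]
# The overflow was confirmed real; the unused-value warning was judged a false positive.
ADJUDICATIONS = {
    fingerprint(V1_ALERTS[0], V1): "true",
    fingerprint(V1_ALERTS[1], V1): "false",
}

# Version 2 adds a comment at the top (shifting every line) and one new call.
V2 = {"src/parse.c": [
    "/* parse a request line */",
    "int parse(char *buf) {",
    "    char tmp[16];",
    "    strcpy(tmp, buf);",
    "    int rc = 0;",
    '    sprintf(tmp, "%s", buf);',
    "    return 0;",
    "}",
]}
V2_ALERTS = [
    Alert("sa-tool", "BUFFER_OVERFLOW", "src/parse.c", 4, "unbounded copy into tmp"),
    Alert("sa-tool", "UNUSED_VALUE", "src/parse.c", 5, "rc assigned but never read"),
    Alert("sa-tool", "BUFFER_OVERFLOW", "src/parse.c", 6, "unbounded format into tmp"),
]

if __name__ == "__main__":
    passed, summary = ci_gate(V2_ALERTS, V2, ADJUDICATIONS)
    print("build passed:", passed)
    print(summary)
```

On version 2, two of the three alerts match stored verdicts and only the new `sprintf` alert reaches a reviewer, so two thirds of the manual adjudication is avoided even though every line number changed. The fingerprint is intentionally simple and has a known limitation worth keeping in mind: two identical flagged lines in the same file under the same checker collide, so a production store should add surrounding context (for example the enclosing function name or a hash of neighbouring lines) before relying on it to suppress anything.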