A synopsis of static analysis alerts on open source software

Proceedings of the 6th Annual Symposium on Hot Topics in the Science of Security (2019)

Abstract
Static application security testing (SAST) tools report potential code defects (alerts) without executing the code. SAST is now widely used in practice by both commercial and open source software (OSS) projects. Prior work found that half of the state-of-the-art OSS projects had already employed automated static analysis [1]. However, little public information is available about the actionability of SAST alerts, that is, which alerts developers consider important enough to act upon.