FineWAVE: Fine-Grained Warning Verification of Bugs for Automated Static Analysis Tools

The continual expansion of software size and complexity has led to an increased focus on reducing defects and bugs during development. Although Automated Static Analysis Tools (ASATs) offer help, in practice, the significant number of false positives can impede developers' productivity and confidence in the tools. Therefore, previous research efforts have explored learning-based methods to validate the reported warnings. Nevertheless, there are still some limitations. (1) The granularity of prior research is coarse, as it focuses on identifying either actionable warnings throughout extensive development histories or potential true warnings at the function level. These approaches lack specificity regarding individual bugs and warnings. (2) Machine learning-based approaches need much manual effort for feature engineering while existing deep learning-based approaches ignore key semantics between source code and warnings. (3) The small number of selected projects hinders the comprehensive evaluation of these approaches. In this paper, we proposed a fine-grained warning verification approach that is sensitive to bugs for improving the results of ASATs, namely . Specifically, we design a novel LSTM-based model that captures both fine-grained semantics of source code and warnings from ASATs and highlights their correlations with cross-attention. To tackle the data scarcity of training and evaluation, we collected a large-scale dataset of 280,273 warnings, namely FineWA. It is ten times larger than the existing largest dataset. Then, we conducted extensive experiments on the dataset to evaluate FineWAVE. The experimental results demonstrate the effectiveness of our approach, with an F1-score of 97.79 alarms and 67.06 outperforms all baselines.