A Survey of Processing Methods of Program Static Analysis Report (程序静态分析报告处理方法综述)


Authors: HUANG Song (黄松); GONG Shi-hao (龚士豪) (School of Command & Control Engineering, Army Engineering University of PLA, Nanjing 210007, China)

Affiliation: [1] School of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210007, Jiangsu, China

Source: Computer Technology and Development (计算机技术与发展), 2023, No. 1, pp. 14-20 (7 pages)

Funding: National Key R&D Program of China, key special project (2018YFB1403400); Army Engineering University of PLA Basic Frontier Science and Technology Innovation Program, frontier innovation project (KYZYJQZL2203).

Abstract: During software testing, automatically scanning programs with static analysis tools is one of the effective ways to find defects and vulnerabilities. However, the limitations of the analysis tools themselves lead to a large number of false positives in the analysis report, which makes reviewing the report costly; this not only reduces the practical value of the tools but also greatly prolongs the testing cycle. To reduce the workload of testers reviewing analysis reports and to improve the usability of the tools, researchers at home and abroad have proposed a variety of static analysis report processing methods. This paper surveys recent research on static analysis report processing. First, static analysis techniques and static analysis report processing are briefly introduced, and the methods are classified according to their basic ideas. Then, the research results for each class of method are summarized in turn, the methods are compared horizontally, and the advantages and disadvantages of the current mainstream methods are analysed comprehensively. Finally, the open problems in this field are pointed out in detail and corresponding research suggestions are given, providing a basic reference for researchers who want a comprehensive and in-depth understanding of program static analysis report processing methods.
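As an added illustration (not code from the paper), the three families of report-processing methods named in the keywords, alert fusion, classification and ranking, can be shown on a small set of constructed alerts from two hypothetical tools. The path normalization, the one-line location tolerance, the severity weights, the agreement-based score and the actionable threshold are assumptions chosen for this example and are not methods the paper evaluates.

```python
"""Alert fusion, classification and ranking on constructed sample reports.

Added illustration only; the surveyed paper does not specify these rules.
"""
from typing import Dict, List

# Constructed sample alerts from two hypothetical tools scanning the same tree.
# toolA emits an exact duplicate, and toolB reports the same buffer-overflow
# finding one line off and with a different root for the path.
TOOL_A: List[Dict] = [
    {"tool": "toolA", "file": "src/auth.c", "line": 42, "rule": "CWE-120", "severity": "high"},
    {"tool": "toolA", "file": "src/auth.c", "line": 42, "rule": "CWE-120", "severity": "high"},
    {"tool": "toolA", "file": "src/util.c", "line": 7, "rule": "CWE-563", "severity": "low"},
]
TOOL_B: List[Dict] = [
    {"tool": "toolB", "file": "./src/auth.c", "line": 43, "rule": "CWE-120", "severity": "medium"},
    {"tool": "toolB", "file": "src/net.c", "line": 100, "rule": "CWE-476", "severity": "high"},
]

# Assumed weights and threshold for the example.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
ACTIONABLE_THRESHOLD = 5


def normalize_path(path: str) -> str:
    """Strip a leading './' so both tools' paths compare equal."""
    return path[2:] if path.startswith("./") else path


def fuse(alerts: List[Dict], line_tolerance: int = 1) -> List[Dict]:
    """Fusion: merge alerts with the same rule at the same (or adjacent) location.

    Each returned group records which tools reported it and every severity seen,
    so later stages can use cross-tool agreement as a signal.
    """
    groups: List[Dict] = []
    for a in alerts:
        path = normalize_path(a["file"])
        for g in groups:
            if (g["file"] == path and g["rule"] == a["rule"]
                    and abs(g["line"] - a["line"]) <= line_tolerance):
                g["tools"].add(a["tool"])
                g["severities"].append(a["severity"])
                break
        else:
            groups.append({"file": path, "line": a["line"], "rule": a["rule"],
                           "tools": {a["tool"]}, "severities": [a["severity"]]})
    return groups


def score(group: Dict) -> int:
    """Ranking score: two points per agreeing tool plus the highest severity seen."""
    agreement = len(group["tools"])
    worst = max(SEVERITY_WEIGHT[s] for s in group["severities"])
    return 2 * agreement + worst


def classify(group: Dict) -> str:
    """Classification: a threshold on the score stands in for a learned model."""
    return "actionable" if score(group) >= ACTIONABLE_THRESHOLD else "review-later"


def process(reports: List[List[Dict]]) -> List[Dict]:
    """Full pipeline: fuse all tools' alerts, label each group, rank by score."""
    merged = fuse([a for report in reports for a in report])
    for g in merged:
        g["label"] = classify(g)
        g["score"] = score(g)
    return sorted(merged, key=lambda g: g["score"], reverse=True)


if __name__ == "__main__":
    for g in process([TOOL_A, TOOL_B]):
        print(f'{g["score"]:2d} {g["label"]:<12} {g["file"]}:{g["line"]} '
              f'{g["rule"]} {sorted(g["tools"])}')
```

On the constructed input, the five raw alerts collapse to three groups; the auth.c finding reported by both tools ranks first, and the single low-severity util.c alert is pushed to the bottom for later review. In practice the score would be replaced by a trained classifier over features such as code context and historical triage decisions, which is the kind of method the survey categorizes.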

Keywords: static analysis; alerts; fusion; classification; ranking

Classification code: TP311 [Automation and Computer Technology / Computer Software and Theory]

 
