Litcius/Paper detail

Comprehensive Evaluation of Static Analysis Tools for Their Performance in Finding Vulnerabilities in Java Code

Midya Alqaradaghi, Tamás Kozsik

2024IEEE Access18 citationsDOIOpen Access PDF

Abstract

Various static code analysis tools have been designed with the aim of detecting software faults and security vulnerabilities automatically. This paper aims to 1) Conduct an empirical evaluation to assess the performance of five free and state-of-the-art static analysis tools in detecting Java security vulnerabilities using a well-defined and repeatable approach. 2) Report on the vulnerabilities that are best andworst detected by static Java analyzers. We used the Juliet benchmark test suite in a controlled experiment to assess the effectiveness of five widely used Java static analysis tools. The vulnerabilities were successfully detected by one, two, or three tools. Only one vulnerability has been detected by four tools. The tools missed 13% of the Java vulnerability categories appearing in our experiment. More critically, none of the five tools could identify all the vulnerabilities in our experiment. We conclude that, despite recent improvements in their methodologies, current state-of-the-art static analysis tools are still ineffective for identifying the security vulnerabilities occurring in a small-scale, artificial test suite.

Topics & Concepts

Computer scienceJavaStatic analysisSecure codingTest suiteSuiteBenchmark (surveying)Vulnerability (computing)Static program analysisSoftware security assuranceCode (set theory)Vulnerability assessmentTaint checkingSoftwareSoftware engineeringTest caseProgramming languageComputer securitySoftware developmentInformation securityMachine learningSecurity serviceGeodesyPsychological resilienceRegression analysisSet (abstract data type)ArchaeologyPsychotherapistGeographyPsychologyHistorySoftware Engineering ResearchSoftware Reliability and Analysis ResearchAdvanced Malware Detection Techniques