research-article

Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java

Authors:
Kaixuan Li

East China Normal University, Shanghai, China

East China Normal University, Shanghai, China
View Profile

,
Sen Chen

Tianjin University, Tianjin, China

Tianjin University, Tianjin, China
View Profile

,
Lingling Fan

Nankai University, Tianjin, China

Nankai University, Tianjin, China
View Profile

,
Ruitao Feng

University of New South Wales, Sydney, Australia

University of New South Wales, Sydney, Australia
View Profile

,
Han Liu

East China Normal University, Shanghai, China

East China Normal University, Shanghai, China
View Profile

,
Chengwei Liu

Nanyang Technological University, Singapore, Singapore

Nanyang Technological University, Singapore, Singapore
View Profile

,
Yang Liu

Nanyang Technological University, Singapore, Singapore

Nanyang Technological University, Singapore, Singapore
View Profile

,
Yixiang Chen

East China Normal University, Shanghai, China

East China Normal University, Shanghai, China
View Profile

ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software EngineeringNovember 2023Pages 921–933https://doi.org/10.1145/3611643.3616262

Published:30 November 2023Publication History

ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

Pages 921–933

ABSTRACT

Static application security testing (SAST) takes a significant role in the software development life cycle (SDLC). However, it is challenging to comprehensively evaluate the effectiveness of SAST tools to determine which is the better one for detecting vulnerabilities. In this paper, based on well-defined criteria, we first selected seven free or open-source SAST tools from 161 existing tools for further evaluation. Owing to the synthetic and newly-constructed real-world benchmarks, we evaluated and compared these SAST tools from different and comprehensive perspectives such as effectiveness, consistency, and performance. While SAST tools perform well on synthetic benchmarks, our results indicate that only 12.7% of real-world vulnerabilities can be detected by the selected tools. Even combining the detection capability of all tools, most vulnerabilities (70.9%) remain undetected, especially those beyond resource control and insufficiently neutralized input/output vulnerabilities. The fact is that although they have already built the corresponding detecting rules and integrated them into their capabilities, the detection result still did not meet the expectations. All useful findings unveiled in our comprehensive study indeed help to provide guidance on tool development, improvement, evaluation, and selection for developers, researchers, and potential users.

References

Bushra Aloraini, Meiyappan Nagappan, Daniel M. German, Shinpei Hayashi, and Yoshiki Higo. 2019. An empirical study of security warnings from static application security testing tools. Journal of Systems and Software, 158 (2019), 110427. issn:0164-1212 https://doi.org/10.1016/j.jss.2019.110427 Google ScholarDigital Library
Midya Alqaradaghi, Gregory Morse, and Tamás Kozsik. 2022. Detecting security vulnerabilities with static analysis - A case study. Pollack Periodica, 17, 2 (2022), 1–7. https://doi.org/10.1556/606.2021.00454 Google ScholarCross Ref
Apache. 2023. Home - Apache Qpid. https://qpid.apache.org/index.html (Accessed on 31/01/2023) Google Scholar
Christel Baier and Joost-Pieter Katoen. 2008. Principles of model checking. MIT press. Google ScholarDigital Library
Sindre Beba and Magnus Melseth Karlsen. 2019. Implementation analysis of open-source Static analysis tools for detecting security vulnerabilities. Master’s thesis. NTNU. Google Scholar
Alexandre Braga, Ricardo Dahab, Nuno Antunes, Nuno Laranjeiro, and Marco Vieira. 2019. Understanding How to Use Static Analysis Tools for Detecting Cryptography Misuse in Software. IEEE Transactions on Reliability, 68, 4 (2019), 1384–1403. https://doi.org/10.1109/TR.2019.2937214 Google ScholarCross Ref
Tiago Brito, Mafalda Ferreira, Miguel Monteiro, Pedro Lopes, Miguel Barros, José Fragoso Santos, and Nuno Santos. 2023. Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node. js Packages. arXiv preprint arXiv:2301.05097. Google Scholar
Joshua Bundt, Andrew Fasano, Brendan Dolan-Gavitt, William Robertson, and Tim Leek. 2021. Evaluating Synthetic Bugs. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (ASIA CCS ’21). Association for Computing Machinery, New York, NY, USA. 716–730. isbn:9781450382878 https://doi.org/10.1145/3433210.3453096 Google ScholarDigital Library
Checkstyle. 2022. checkstyle – Checkstyle 10.6.0. https://checkstyle.sourceforge.io/ (Accessed on 31/01/2023) Google Scholar
Sen Chen, Lingling Fan, Guozhu Meng, Ting Su, Minhui Xue, Yinxing Xue, Yang Liu, and Lihua Xu. 2020. An empirical assessment of security risks of global Android banking apps. In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering. 1310–1322. Google ScholarDigital Library
Sen Chen, Ting Su, Lingling Fan, Guozhu Meng, Minhui Xue, Yang Liu, and Lihua Xu. 2018. Are mobile banking apps secure? what can be improved? In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 797–802. Google ScholarDigital Library
Sen Chen, Yuxin Zhang, Lingling Fan, Jiaming Li, and Yang Liu. 2022. Ausera: Automated security vulnerability detection for Android apps. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering. 1–5. Google ScholarDigital Library
CodeQL. 2022. CodeQL. https://codeql.github.com/docs/codeql-overview/about-codeql/ (Accessed on 31/01/2023) Google Scholar
MITRE corporation. 2023. Common Vulnerabilities and Exposures. https://cve.mitre.org/ (Accessed on 31/01/2023) Google Scholar
Ctags. 2023. Universal Ctags. https://ctags.io/ (Accessed on 31/01/2023) Google Scholar
CVSS V2. 2023. CVSS v2 Complete Documentation. https://www.first.org/cvss/v2/guide (Accessed on 16/06/2023) Google Scholar
CVSS V3. 2023. CVSS v3.0 User Guide. https://www.first.org/cvss/v3.0/user-guide (Accessed on 16/06/2023) Google Scholar
CWE. 2022. CVE-CWE mapping guidance. https://cwe.mitre.org/documents/cwe_usage/guidance.html (Accessed on 31/01/2023) Google Scholar
CWE. 2022. CWE-1000: Research Concepts. https://cwe.mitre.org/data/definitions/1000.html (Accessed on 31/01/2023) Google Scholar
CWE. 2022. CWE-Compatible Products and Services. https://cwe.mitre.org/compatible/compatible.html (Accessed on 31/01/2023) Google Scholar
CWE. 2023. CWE-View - CWE Glossary. https://cwe.mitre.org/documents/glossary/index.html#View (Accessed on 31/01/2023) Google Scholar
CWE. 2023. Pillar WeaknessCWE Glossary. https://cwe.mitre.org/documents/glossary/index.html (Accessed on 31/01/2023) Google Scholar
José D’Abruzzo Pereira and Marco Vieira. 2020. On the Use of Open-Source C/C++ Static Analysis Tools in Large Projects. In 2020 16th European Dependable Computing Conference (EDCC). 97–102. Google ScholarCross Ref
Debian. 2023. Debian – The Universal Operating System. https://www.debian.org/ (Accessed on 31/01/2023) Google Scholar
Common Weakness Enumeration. 2022. Common Weakness Enumeration. https://cwe.mitre.org/index.html (Accessed on 31/01/2023) Google Scholar
Lingling Fan, Ting Su, Sen Chen, Guozhu Meng, Yang Liu, Lihua Xu, Geguang Pu, and Zhendong Su. 2018. Large-scale analysis of framework-specific exceptions in Android apps. In Proceedings of the 40th International Conference on Software Engineering. 408–419. Google ScholarDigital Library
FasterXML. 2020. jackson-dataformats-binary. https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformats-binary (Accessed on 31/01/2023) Google Scholar
Forum of Incident Response and Security Teams. 2023. Common Vulnerability Scoring System SIG. https://www.first.org/cvss/ (Accessed on 12/06/2023) Google Scholar
The Apache Software Foundation. 2023. Maven – Welcome to Apache Maven. https://maven.apache.org/ (Accessed on 31/01/2023) Google Scholar
The OWASP Foundation. 2020. OWASP-Top-Ten-Benchmark, 2020. https://github.com/jrbermh/OWASP-Top-Ten-Benchmark (Accessed on 31/01/2023) Google Scholar
The OWASP Foundation. 2022. OWASP Benchmark. https://owasp.org/www-project-benchmark/ (Accessed on 31/01/2023) Google Scholar
The OWASP Foundation. 2023. OWASP Dependency-Check. https://owasp.org/www-project-dependency-check/ (Accessed on 31/01/2023) Google Scholar
The OWASP Foundation. 2023. Software Component Analysis. https://owasp.org/www-community/Component_Analysis (Accessed on 31/01/2023) Google Scholar
GitHub. 2022. Awesome static analysis. https://github.com/mre/awesome-static-analysis#multiple-languages-1 (Accessed on 22/08/2022) Google Scholar
GitHub. 2022. GitHub-analysis-tools-dev. https://github.com/analysis-tools-dev/static-analysis#java (Accessed on 22/08/2022) Google Scholar
GitHub. 2023. GitHub code scanning. https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/ (Accessed on 31/01/2023) Google Scholar
GitHub. 2023. Gitleaks. https://gitleaks.io/ (Accessed on 31/01/2023) Google Scholar
Google. 2022. Error Prone. https://errorprone.info/ (Accessed on 31/01/2023) Google Scholar
Google. 2023. Google-java-format.. https://github.com/google/google-java-format (Accessed on 31/01/2023) Google Scholar
Katerina Goseva-Popstojanova and Andrei Perhinschi. 2015. On the capability of static code analysis to detect security vulnerabilities. Information and Software Technology, 68 (2015), 18–33. issn:0950-5849 https://doi.org/10.1016/j.infsof.2015.08.002 Google ScholarDigital Library
Andrew Habib and Michael Pradel. 2018. How Many of All Bugs Do We Find? A Study of Static Bug Detectors. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE 2018). Association for Computing Machinery, New York, NY, USA. 317–328. isbn:9781450359375 https://doi.org/10.1145/3238147.3238213 Google ScholarDigital Library
HCL. 2023. HCL AppScan CodeSweep. https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep (Accessed on 31/01/2023) Google Scholar
Jerónimo Hernández-González, Daniel Rodriguez, Inaki Inza, Rachel Harrison, and Jose A Lozano. 2018. Learning to classify software defects from crowds: a novel approach. Applied Soft Computing, 62 (2018), 579–591. Google ScholarCross Ref
Insidersec. 2022. Insider. https://github.com/insidersec/insider (Accessed on 31/01/2023) Google Scholar
Hong Jin Kang, Khai Loong Aw, and David Lo. 2022. Detecting False Alarms from Automatic Static Analysis Tools: How Far Are We? In Proceedings of the 44th International Conference on Software Engineering (ICSE ’22). Association for Computing Machinery, New York, NY, USA. 698-709. isbn:9781450392211 Google ScholarDigital Library
Arvinder Kaur and Ruchikaa Nayyar. 2020. A Comparative Study of Static Code Analysis tools for Vulnerability Detection in C/C++ and JAVA Source Code. Procedia Computer Science, 171 (2020), 2023–2029. issn:1877-0509 Third International Conference on Computing and Network Communications (CoCoNet’19) Google ScholarCross Ref
William Landi. 1992. Undecidability of static analysis. ACM Letters on Programming Languages and Systems (LOPLAS), 1, 4 (1992), 323–337. Google ScholarDigital Library
Valentina Lenarduzzi, Fabiano Pecorelli, Nyyti Saarimaki, Savanna Lujan, and Fabio Palomba. 2023. A critical comparison on six static analysis tools: Detection, agreement, and precision. Journal of Systems and Software, 198 (2023), 111575. Google ScholarDigital Library
Jingyue Li, Sindre Beba, and Magnus Melseth Karlsen. 2019. Evaluation of open-source IDE plugins for detecting security vulnerabilities. In Proceedings of the Evaluation and Assessment on Software Engineering. 200–209. Google ScholarDigital Library
Stephan Lipp, Sebastian Banescu, and Alexander Pretschner. 2022. An Empirical Study on the Effectiveness of Static C Code Analyzers for Vulnerability Detection. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2022). Association for Computing Machinery, New York, NY, USA. 544-555. isbn:9781450393799 https://doi.org/10.1145/3533767.3534380 Google ScholarDigital Library
Han Liu, Sen Chen, Ruitao Feng, Chengwei Liu, Kaixuan Li, Zhengzi Xu, Liming Nie, Yang Liu, and Yixiang Chen. 2023. A Comprehensive Study on Quality Assurance Tools for Java. In Proceedings of the 32st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2023). Association for Computing Machinery, New York, NY, USA. isbn:9781450393799 Google ScholarDigital Library
Linghui Luo, Felix Pauck, Goran Piskachev, Manuel Benz, Ivan Pashchenko, Martin Mory, Eric Bodden, Ben Hermann, and Fabio Massacci. 2022. TaintBench: Automatic real-world malware benchmarking of Android taint analyses. Empirical Software Engineering, 27 (2022), 1–41. Google ScholarDigital Library
Maven. 2023. Jackson Databind. https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind (Accessed on 16/06/2023) Google Scholar
Meta. 2023. Infer Static Analyzer. https://fbinfer.com/ (Accessed on 1/06/2023) Google Scholar
Austin Mordahl and Shiyi Wei. 2021. The impact of tool configuration spaces on the evaluation of configurable taint analysis for android. In Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. 466–477. Google ScholarDigital Library
Marcus Nachtigall, Michael Schlichtig, and Eric Bodden. 2022. A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2022). Association for Computing Machinery, New York, NY, USA. 532-543. isbn:9781450393799 https://doi.org/10.1145/3533767.3534374 Google ScholarDigital Library
National Vulnerability Database. 2023. NVD-Home. https://nvd.nist.gov/ (Accessed on 31/01/2023) Google Scholar
Anh Nguyen-Duc, Manh Viet Do, Quan Luong Hong, Kiem Nguyen Khac, and Anh Nguyen Quang. 2021. On the adoption of static analysis for software security assessment-A case study of an open-source e-government project. Computers & Security, 111 (2021), 102470. issn:0167-4048 Google ScholarDigital Library
Flemming Nielson, Hanne R Nielson, and Chris Hankin. 2015. Principles of program analysis. springer. Google Scholar
Paulo Nunes, Ibéria Medeiros, José Fonseca, Nuno Neves, Miguel Correia, and Marco Vieira. 2019. An empirical study on combining diverse static analysis tools for web security vulnerabilities based on development scenarios. Computing, 101 (2019), 161–185. Google ScholarDigital Library
NVD. 2014. CVE-2014-3651. https://nvd.nist.gov/vuln/detail/CVE-2014-3651 (Accessed on 31/01/2023) Google Scholar
NVD. 2015. CVE-2015-2913. https://nvd.nist.gov/vuln/detail/CVE-2015-2913 (Accessed on 31/01/2023) Google Scholar
NVD. 2018. CVE-2018-17187. https://nvd.nist.gov/vuln/detail/CVE-2018-17187 (Accessed on 31/01/2023) Google Scholar
NVD. 2018. CVE-2018-20227. https://nvd.nist.gov/vuln/detail/CVE-2018-20227 (Accessed on 31/01/2023) Google Scholar
NVD. 2019. CVE-2019-18393. https://nvd.nist.gov/vuln/detail/CVE-2019-18393 (Accessed on 31/01/2023) Google Scholar
NVD. 2021. Log4Shell: CVE-2021-44228. https://nvd.nist.gov/vuln/detail/CVE-2021-44228 (Accessed on 31/01/2023) Google Scholar
NVD. 2022. Spring4Shell: CVE-2022-22965. https://nvd.nist.gov/vuln/detail/cve-2022-22965 (Accessed on 31/01/2023) Google Scholar
The University of Maryland. 2022. FindBugs. http://findbugs.sourceforge.net/ (Accessed on 31/01/2023) Google Scholar
The University of Maryland. 2022. FindSecurityBugs. https://find-sec-bugs.github.io/ (Accessed on 31/01/2023) Google Scholar
The University of Maryland. 2022. SpotBugs. https://spotbugs.github.io/ (Accessed on 31/01/2023) Google Scholar
National Institute of Standards and Technology. 2017. Juliet Test Suite. https://samate.nist.gov/SARD/test-suites (Accessed on 31/01/2023) Google Scholar
National Institute of Standards and Technology. 2022. NIST: Free for Open Source Application Security Tools. https://www.nist.gov/itl/ssd/software-quality-group/source-code-security-analyzers (Accessed on 22/08/2022) Google Scholar
National Institute of Standards and Technology. 2022. SAMATE: Source Code Security Analyzers. https://www.nist.gov/itl/ssd/software-quality-group/source-code-security-analyzers (Accessed on 22/08/2022) Google Scholar
Opensecurity. 2022. NodeJSScan. https://github.com/ajinabraham/nodejsscan (Accessed on 31/01/2023) Google Scholar
OpenSSF. 2020. OpenSSF CVE Benchmark. https://github.com/ossf-cve-benchmark/ossf-cve-benchmark (Accessed on 31/01/2023) Google Scholar
OpenSSF. 2022. Open Source Security Foundation. https://openssf.org/ (Accessed on 31/01/2023) Google Scholar
OWASP. 2022. Free for Open Source Application Security Tools. https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools (Accessed on 22/08/2022) Google Scholar
OWASP. 2022. Source Code Analysis Tools. https://owasp.org/www-community/Source_Code_Analysis_Tools (Accessed on 22/08/2022) Google Scholar
oxsecurity. 2023. Megalinter. https://github.com/oxsecurity/megalinter (Accessed on 31/01/2023) Google Scholar
Tosin Daniel Oyetoyan, Bisera Milosheska, Mari Grini, and Daniela Soares Cruzes. 2018. Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital. In Agile Processes in Software Engineering and Extreme Programming, Juan Garbajosa, Xiaofeng Wang, and Ademar Aguiar (Eds.). Springer International Publishing, Cham. 86–103. isbn:978-3-319-91602-6 Google Scholar
Yuanyuan Pan. 2019. Interactive application security testing. In 2019 International Conference on Smart Grid and Electrical Automation (ICSGEA). 558–561. Google ScholarCross Ref
Felix Pauck, Eric Bodden, and Heike Wehrheim. 2018. Do Android Taint Analysis Tools Keep Their Promises? In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2018). Association for Computing Machinery, New York, NY, USA. 331–341. isbn:9781450355735 Google ScholarDigital Library
PMD. 2023. PMD. https://pmd.github.io/ (Accessed on 31/01/2023) Google Scholar
Lina Qiu, Yingying Wang, and Julia Rubin. 2018. Analyzing the analyzers: Flowdroid/iccta, amandroid, and droidsafe. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis. 176–186. Google ScholarDigital Library
R2C. 2022. Semgrep. https://www.semgrep.dev/ (Accessed on 31/01/2023) Google Scholar
RedHat. 2018. What is DevSecOps? https://www.redhat.com/en/topics/devops/what-is-devsecops (Accessed on 31/01/2023) Google Scholar
RedHat. 2023. Red Hat Bugzilla Main Page. https://bugzilla.redhat.com/ (Accessed on 31/05/2023) Google Scholar
Reshift. 2023. Reshift. https://www.softwaresecured.com/ (Accessed on 31/01/2023) Google Scholar
Aqua Security. 2023. Trivy. https://trivy.dev/ (Accessed on 31/01/2023) Google Scholar
Contrast Security. 2022. Contrast Security. https://www.contrastsecurity.com/ (Accessed on 31/01/2023) Google Scholar
Jacek Śliwerski, Thomas Zimmermann, and Andreas Zeller. 2005. When do changes induce fixes? ACM sigsoft software engineering notes, 30, 4 (2005), 1–5. Google Scholar
Justin Smith, Lisa Nguyen Quang Do, and Emerson Murphy-Hill. 2020. Why Can’t Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security. In Proceedings of the Sixteenth USENIX Conference on Usable Privacy and Security (SOUPS’20). USENIX Association, USA. Article 13, 18 pages. isbn:978-1-939133-16-8 Google Scholar
SonarSource. 2022. SonarQube. https://www.sonarqube.org/ (Accessed on 31/01/2023) Google Scholar
Spark. 2018. spark/src/main/java/spark/resource/ClassPathResource.java at 27236534e90bd2bfe339fd65fe6ddd6a9f0304e1. https://github.com/perwendel/spark/blob/030e9d00125cbd1ad759668f85488aba1019c668 1/src/main/java/spark/resource/ClassPathResource.java (Accessed on 31/01/2023) Google Scholar
Martin R Stytz and Sheila B Banks. 2006. Dynamic software security testing. IEEE security & privacy, 4, 3 (2006), 77–79. Google ScholarDigital Library
Ting Su, Lingling Fan, Sen Chen, Yang Liu, Lihua Xu, Geguang Pu, and Zhendong Su. 2020. Why my app crashes? understanding and benchmarking framework-specific exceptions of Android apps. IEEE Transactions on Software Engineering, 48, 4 (2020), 1115–1137. Google ScholarCross Ref
Ferdian Thung, David Lo, Lingxiao Jiang, Foyzur Rahman, and Premkumar T Devanbu. 2015. To what extent could we detect field defects? An extended empirical study of false negatives in static bug-finding tools. Automated Software Engineering, 22 (2015), 561–602. https://doi.org/10.1007/s10515-014-0169-8 Google ScholarDigital Library
Ferdian Thung, Lucia, David Lo, Lingxiao Jiang, Foyzur Rahman, and Premkumar T. Devanbu. 2012. To What Extent Could We Detect Field Defects? An Empirical Study of False Negatives in Static Bug Finding Tools. In Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering (ASE 2012). Association for Computing Machinery, New York, NY, USA. 50–59. isbn:9781450312042 https://doi.org/10.1145/2351676.2351685 Google ScholarDigital Library
TIOBE. 2023. The Java Programming Language-TIOBE. https://www.tiobe.com/tiobe-index/java/ (Accessed on 31/01/2023) Google Scholar
David A. Tomassi. 2018. Bugs in the Wild: Examining the Effectiveness of Static Analyzers at Finding Real-World Bugs. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2018). Association for Computing Machinery, New York, NY, USA. 980–982. isbn:9781450355735 https://doi.org/10.1145/3236024.3275439 Google ScholarDigital Library
Andreas Wagner. and Johannes Sametinger.. 2014. Using the Juliet Test Suite to Compare Static Security Scanners. In Proceedings of the 11th International Conference on Security and Cryptography - SECRYPT, (ICETE 2014). SciTePress, 244–252. isbn:978-989-758-045-1 issn:2184-2825 https://doi.org/10.5220/0005032902440252 Google ScholarDigital Library
Website of This Study. 2023. Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java. https://sites.google.com/view/java-sast-study/home (Accessed on 31/01/2023) Google Scholar
Website of This Study. 2023. Tools Selection. https://sites.google.com/view/java-sast-study/tool-selection (Accessed on 31/01/2023) Google Scholar
Wikipedia. 2022. List of tools for static code analysis. https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis (Accessed on 22/08/2022) Google Scholar
Wikipedia. 2023. Linter-Wikipedia. https://en.wikipedia.org/wiki/Lint_(software) (Accessed on 22/06/2023) Google Scholar
J. Zheng, L. Williams, N. Nagappan, W. Snipes, J.P. Hudepohl, and M.A. Vouk. 2006. On the value of static analysis for fault detection in software. IEEE Transactions on Software Engineering, 32, 4 (2006), 240–253. Google ScholarDigital Library
Zupit. 2022. Horusec. https://docs.horusec.io/docs/overview/ (Accessed on 31/01/2023) Google Scholar

Index Terms

Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java

Recommendations

A Comprehensive Java Benchmark Study on Memory and Garbage Collection Behavior of DaCapo, DaCapo Scala, and SPECjvm2008
ICPE '17: Proceedings of the 8th ACM/SPEC on International Conference on Performance Engineering

Benchmark suites are an indispensable part of scientific research to compare different approaches against each another. The diversity of benchmarks is an important asset to evaluate novel approaches for effectiveness and weaknesses. In this paper, we ...
Read More
Large System Performance of SPEC OMP2001 Benchmarks
ISHPC '02: Proceedings of the 4th International Symposium on High Performance Computing

Performance characteristics of application programs on large-scale systems are often significantly different from those on smaller systems. SPEC OMP2001 is a benchmark suite intended for measuring performance of modern shared memory parallel systems. ...
Read More
A real-time benchmark for Java™
JTRES '07: Proceedings of the 5th international workshop on Java technologies for real-time and embedded systems

The introduction of pause time sensitive garbage collectors in various Java™ Standard Edition runtime implementations and the availability of real-time Java implementations based on Real-Time Specification for Java (RTSJ, aka JSR-1) has opened the door ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
November 2023
2215 pages
ISBN:9798400703270
DOI:10.1145/3611643
General Chair:
Satish Chandra
Google, USA
,
Program Chairs:
Kelly Blincoe
University of Auckland, New Zealand
,
Paolo Tonella
USI Lugano, Switzerland
Copyright © 2023 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 30 November 2023
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Benchmarks
Empirical study
Static application security testing
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate112of543submissions,21%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 231
  Total Downloads
- Downloads (Last 12 months)231
- Downloads (Last 6 weeks)57
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java

ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

A Comprehensive Java Benchmark Study on Memory and Garbage Collection Behavior of DaCapo, DaCapo Scala, and SPECjvm2008

Large System Performance of SPEC OMP2001 Benchmarks

A real-time benchmark for Java™