Alert Type Frequency Assessment of Open-Source Static Analysis Tools and Codebases
Source: NIAID Data Ecosystem (indexed 2026-05-01)
Download link:
https://zenodo.org/record/7958182
Description:
This includes all data needed to replicate and validate our frequency analysis of static analysis (SA) alerts produced using open-source SA tools on several OSS codebases. It includes instructions on how to get and run the SA tools, a Dockerfile to conveniently get and use the SA tools, raw SA tool output, some Python scripts to parse that output, parsed SA data and aggregate analyses, and SA data augmented with CERT coding rule and CWE data.
The SA tools used:
clang-tidy version 15.07
cppcheck version 2.9
CERT Rosecheckers
The codebases analyzed:
zeek version 5.1.1
git version 2.39.0
dos2unix version 7.4.3
Created:
2023-06-11



