How Open Source Projects use Static Code Analysis Tools in Continuous Integration Pipelines

Title: How Open Source Projects use Static Code Analysis Tools in Continuous Integration Pipelines
Publication Type: Conference Proceedings
Year of Publication: 2017
Authors: Zampetti, Fiorella, Scalabrino Simone, Oliveto Rocco, Canfora Gerardo, and Di Penta Massimiliano
Secondary Title: 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR)
Pagination: 334-344
Date Published: 05/2017
Keywords: continuous integration, empirical study, static analysis
Abstract

Static analysis tools are often used by software developers to enable early detection of potential faults, vulnerabilities, and code smells, or to assess the source code's adherence to coding standards and guidelines. Their adoption within Continuous Integration (CI) pipelines has also been advocated by researchers and practitioners. This paper studies the usage of static analysis tools in 20 Java open source projects hosted on GitHub and using Travis CI as their continuous integration infrastructure. Specifically, we investigate (i) which tools are being used and how they are configured for the CI, (ii) what types of issues make the build fail or raise warnings, and (iii) whether, how, and after how long broken builds and warnings are resolved. Results indicate that in the analyzed projects, build breakages due to static analysis tools are mainly related to adherence to coding standards, and there is also some attention to missing licenses. Build failures related to tools identifying potential bugs or vulnerabilities occur less frequently, and in some cases such tools are activated in a “softer” mode, without making the build fail. The study also reveals that build breakages due to static analysis tools are quickly fixed by actually solving the problem, rather than by disabling the warning, and are often properly documented.

Notes

Data: the paper studies the use of ASCATs (Automated Static Code Analysis Tools) within the CI pipelines of 20 popular Java open source projects hosted on GitHub and using Travis CI to support CI activities.

DOI: 10.1109/MSR.2017.2