How Open Source Projects use Static Code Analysis Tools in Continuous Integration Pipelines

Static analysis tools are often used by software developers
to entail early detection of potential faults, vulnerabilities,
code smells, or to assess the source code adherence to coding
standards and guidelines. Also, their adoption within Continuous
Integration (CI) pipelines has been advocated by researchers and
practitioners. This paper studies the usage of static analysis tools
in 20 Java open source projects hosted on GitHub and using
Travis CI as continuous integration infrastructure. Specifically,
we investigate (i) which tools are being used and how they are
configured for the CI, (ii) what types of issues make the build fail
or raise warnings, and (iii) whether, how, and after how long are
broken builds and warnings resolved. Results indicate that in the
analyzed projects build breakages due to static analysis tools are
mainly related to adherence to coding standards, and there is also
some attention to missing licenses. Build failures related to tools
identifying potential bugs or vulnerabilities occur less frequently,
and in some cases such tools are activated in a “softer” mode,
without making the build fail. Also, the study reveals that build
breakages due to static analysis tools are quickly fixed by actually
solving the problem, rather than by disabling the warning, and
are often properly documented.