
Can AI/ML Encourage Devs to Adopt Static Analysis Testing?

By Igor Kirilenko

December 1, 2022


Learn about ways that machine learning for artificial intelligence empowers developers to adopt static analysis testing techniques for maximum benefit.

Testing acceleration goes hand in hand with artificial intelligence and machine learning. This isn’t about androids doing our laundry. It’s about programs that learn over time to enhance processes already in place. For instance, say you order from three different restaurants on a food delivery app in one week after searching for them specifically. The next time you log in to that app, it may now recommend you reorder from those same restaurants because you ordered from them previously.

This process of learning and adapting to the user is exactly how AI and machine learning for static analysis works. It just involves identifying and prioritizing code violations as opposed to ordering your favorite shawarma.

Pro tip: AI with machine learning for static analysis will make the process simpler and less stressful. Here is how, worked through the following questions:

  1. What are the challenges of adopting static analysis?
  2. Can static analysis be automated?
  3. Why does the adoption of static analysis seem difficult and expensive?
  4. How does machine learning help static analysis testing?
  5. What do AI and machine learning techniques mean for your SDLC?

Challenges of Adopting Static Analysis

Static analysis is used to find vulnerabilities in code, often against industry coding and security standards such as OWASP, CWE, and others. Developers are often not equipped to analyze their own code for these issues or to identify and prioritize what fixes are needed.

It’s true that there is no shortcut or “easy mode” for static analysis testing. You must do it regularly and thoroughly to provide the most utility. However, automating static analysis testing and leveraging machine learning can enhance your results and make things much easier for your developers.

Can Static Analysis Be Automated?

Definitely! Static analysis identifies defects and errors in your source code, and automating it with tools further enhances the results you get. While the types of analysis and the priorities can differ, the way a static analysis (SA) tool works and the way its methodology is applied stay the same.

For example, the various analyses available revolve around four key aspects.

  1. Security. Locate vulnerabilities that increase security risks.
  2. Reliability. Locate issues that can lead to problems such as memory leaks.
  3. Performance. Locate errors that reduce performance.
  4. Style. Audit the code to help developers adopt uniform coding styles.

Automating these processes in a continuous manner helps teams manage workflows better by identifying potential issues before they become big problems.

Why Is the Adoption of Static Analysis Difficult & Expensive?

The reasons why many developers view adopting static analysis as both expensive and daunting come down to project scope and approach. Many teams want to tackle what they feel are the most pressing issues first, but also tend to bite off more than they can chew at that time.

Instead, tackle the most significant problems first and limit yourself to one “bite” at a time. However, it should be noted that a “baby step” should not become a stopping point. Safety-critical industries require addressing ALL violations to establish compliance before a product can be released. In the meantime, this step helps prevent your team from being overwhelmed with thousands of violations all at once.

How AI Machine Learning Helps Static Analysis

Static analysis is about detecting problems before you even compile and execute the code. But AI can be used to help across multiple levels of software testing such as:

  • UI tests. Manage and maintain volatile automated UI testing and optimize the execution of manual tests.
  • API tests. Discover API usage patterns and automatically generate complete test scenarios.
  • Unit tests. Achieve and maintain code coverage, especially for modified code.
  • Code analysis (reliability and security). Fight violations in the code base.

Image of the software testing pyramid. From bottom: code analysis: reliability + security, unit tests, API tests, automated UI tests. The top tip is empty and disconnected, floating above the rest of the pyramid.

Artificial intelligence helps teams create and maintain automated tests. Moreover, it can optimize test execution and maximize actionable results delivery by augmenting your processes in several ways.

As you automate testing and develop workflows, you can tackle more problems in less time. But triage should be left to your static analysis tools. By working under the supervision of static analysis technologies, developers can expand their skills to learn better coding techniques and write more secure code.

Prevention vs. Detection

Code analysis offers prevention and detection techniques to control risks associated with the quality of your code. While it helps to identify problems, stopping their occurrences in the first place is a more efficient strategy.

Automating your static analysis enhances the development team’s ability to identify problems regularly and more easily. Adding AI and machine learning to static analysis testing helps teams adopt the practice more easily. It suggests resolving violations in ways that promote efficiency, optimize workflows, and nurture developer productivity and success.

Clustering Methodology Promotes Productivity and Efficiency

Besides clustering violations based on advanced classification algorithms, the AI model can leverage different neural networks (code2vec, for example) to vectorize the methods in the code and compare them to each other, grouping violations according to the semantic meaning of the code surrounding them.

In the same way that developers may address specific violations first, the AI model further empowers them to address violations within similar code. This offers several benefits:

  • Increases speed and efficiency of fixing violations
  • Prompts developers to address all violations within semantically similar code
  • Decreases time developers spend analyzing source code to fix problems
  • Increases developers’ confidence in their understanding of the source code
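The grouping step described above, sketched as an added example (not Parasoft's code). The findings, rule tags and 4-dimensional vectors are constructed stand-ins for code2vec-style method embeddings, and single-link clustering with a cosine threshold is an assumed choice, since the article does not name the algorithm.

```python
import math

# Constructed findings: rule that fired, enclosing method, and a toy 4-d method
# embedding. A real code2vec-style model emits far larger vectors.
FINDINGS = [
    {"id": "V1", "rule": "CWE-89", "method": "findUser", "vec": [0.9, 0.1, 0.0, 0.2]},
    {"id": "V2", "rule": "CWE-89", "method": "findOrder", "vec": [0.8, 0.2, 0.1, 0.2]},
    {"id": "V3", "rule": "CWE-476", "method": "findInvoice", "vec": [0.85, 0.15, 0.05, 0.25]},
    {"id": "V4", "rule": "CWE-79", "method": "renderPage", "vec": [0.0, 0.9, 0.4, 0.0]},
    {"id": "V5", "rule": "CWE-79", "method": "renderWidget", "vec": [0.1, 0.8, 0.5, 0.1]},
    {"id": "V6", "rule": "CWE-476", "method": "legacyInit", "vec": [0.0, 0.0, 0.0, 0.0]},
]

def cosine(a, b):
    """Cosine similarity; a zero vector (method the model could not embed) scores 0."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def cluster_findings(findings, threshold=0.9):
    """Group findings whose enclosing methods are semantically similar.

    Single-link clustering via union-find: two findings share a group when a
    chain of pairwise similarities >= threshold connects them.
    """
    parent = list(range(len(findings)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(findings)):
        for j in range(i + 1, len(findings)):
            if cosine(findings[i]["vec"], findings[j]["vec"]) >= threshold:
                parent[find(j)] = find(i)

    groups = {}
    for i, f in enumerate(findings):
        groups.setdefault(find(i), []).append(f)
    # Largest group first: fixing it clears the most violations in one pass.
    ordered = sorted(groups.values(), key=lambda g: (-len(g), g[0]["id"]))
    return [([f["id"] for f in g], sorted({f["rule"] for f in g})) for g in ordered]

if __name__ == "__main__":
    for ids, rules in cluster_findings(FINDINGS):
        print(ids, rules)
```

Note that V3 lands in the same group as V1 and V2 although a different rule fired: the grouping follows the surrounding code, not the rule ID.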

Netflix, but for Static Analysis

Developers often want to address similar violations at the same time for maximum productivity. That makes sense and artificial intelligence with machine learning should enhance that strategy. This is where something like a “Netflix approach” comes into play.

As you watch shows and movies on the streaming platform, the algorithm learns what kind of shows you do and don’t like. Even without rating anything, it will learn that you prefer action/adventure movies over period dramas based on your watch history. Machine learning for static analysis AI works in a similar way.

Based on previous violations a developer has fixed, the system will suggest similar violations to that developer. It fits their established “profile” based on their history—just like with Netflix’s platform. With this approach, developers will spend less time hunting down similar violations and address violations they are most suited to fixing.
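The history-based suggestion described above, as an added example (not Parasoft's code). A plain frequency score stands in for the learned model; the developer names, file paths, rule tags and weights are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed fix history: (developer, rule, file) per violation already fixed.
HISTORY = [
    ("ana", "CWE-89", "db/UserDao.java"),
    ("ana", "CWE-89", "db/OrderDao.java"),
    ("ana", "CWE-476", "db/UserDao.java"),
    ("raj", "CWE-79", "web/PageView.java"),
    ("raj", "CWE-79", "web/WidgetView.java"),
    ("raj", "CWE-476", "web/PageView.java"),
]
# Constructed open violations: (id, rule, file).
OPEN = [
    ("V10", "CWE-89", "db/InvoiceDao.java"),
    ("V11", "CWE-79", "web/PageView.java"),
    ("V12", "CWE-476", "db/UserDao.java"),
    ("V13", "CWE-327", "crypto/KeyStore.java"),
]

def build_profiles(history):
    """Per developer: how often they fixed each rule, file and directory."""
    profiles = defaultdict(lambda: {"rule": Counter(), "file": Counter(), "dir": Counter()})
    for dev, rule, path in history:
        p = profiles[dev]
        p["rule"][rule] += 1
        p["file"][path] += 1
        p["dir"][path.rsplit("/", 1)[0]] += 1
    return profiles

def score(profile, rule, path):
    """Assumed weights: same file counts most, then same rule, then same directory."""
    return (3 * profile["file"][path] + 2 * profile["rule"][rule]
            + profile["dir"][path.rsplit("/", 1)[0]])

def build_queues(history, open_violations):
    """Route each open violation to the best-matching developer's queue."""
    profiles = build_profiles(history)
    scored = defaultdict(list)
    for vid, rule, path in open_violations:
        best = max(sorted(profiles), default=None,
                   key=lambda d: score(profiles[d], rule, path))
        s = score(profiles[best], rule, path) if best else 0
        # No history match at all: leave for manual triage instead of guessing.
        scored[best if s > 0 else "unassigned"].append((-s, vid))
    return {owner: [vid for _, vid in sorted(items)] for owner, items in scored.items()}
```

Each queue is ordered by match strength, so the violation a developer is most familiar with comes first; anything with no history match stays unassigned.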

Graphic showing AI-enhanced static analysis workflow and how continuously feeding the AI model data from Development Testing Platform (DTP) trains it to prioritize violations.

Machine Learning Processes for Static Analysis AI

The ways in which AI and machine learning affect static analysis testing fall into the following categories. All of these work in concert to benefit the development process, from unifying the source code to identifying security vulnerabilities and cutting down on false positives.

Identification & Noise Reduction

  • Classifies important or critical violations to address sooner.
  • Filters noise or non-critical problems that can be addressed later.
  • Aggregates violations within semantically similar code into the same group.
  • Identifies hot spots or root causes that trigger multiple violations.
  • Reduces time spent by the development team manually ranking defects.

Prioritization & Clustering

  • Prioritizes hot spots according to how many violations they cause.
  • Identifies which developer can best handle violations based on their skills.
  • Suggests violations to developers according to their familiarity with the code.

Workflow showing all AI/ML techniques combined into the software architects' workflow and how it optimizes developers' performance while fixing important code issues.

Benefits of Static Analysis AI/ML

The whole idea behind machine learning is that AI learns as it goes based on observation of users’ actions. It can be trained to identify specific patterns and then adapt in response to those patterns. In accordance with this methodology, identifying clusters and grouping violations work to enhance what developers get out of static analysis testing.

Benefits at a Glance

  • Clusters future violations according to the history of previously fixed or suppressed issues.
  • Groups violations into separate queues that are recommended for individual developers.
  • Suggests fixing violations within semantically similar code to speed up the correction process.
  • Reduces redundant work by having a single developer eliminate many violations by addressing one hot spot or similar violations at a time.
  • Enhances team productivity and morale thanks to more effective classification and ranking.

Parasoft Solutions for Static Analysis Machine Learning

Today’s world of software development moves faster every day thanks to technological development and Agile methodologies. Testing approaches need to keep up and even anticipate advancements. The best way to do that is with solutions that bake in automation and the use of machine learning for AI.

Parasoft solutions leverage AI to flag and prioritize high-priority violations while integrating seamlessly into your CI/CD workflow. Our solutions cover a variety of testing practices supported by C/C++test, Jtest, and dotTEST products.


By Igor Kirilenko

Parasoft's VP of Development, Igor is responsible for technical strategy, architecture, and development of Parasoft products. Igor brings over 20 years of experience in leading engineering teams, with a specialization in establishing and promoting the best agile practices in software development environments.
