
Subject: SCALe: a Static Analysis Alert Auditing Tool

Release of SCAIFE System Version 1.0.0 Provides Full GUI-Based Static-Analysis Adjudication System with Meta-Alert Classification

• SEI Blog
Lori Flynn

The SEI Source Code Analysis Integrated Framework Environment (SCAIFE) is a modular architecture designed to enable a wide variety of tools, systems, and users to use artificial intelligence (AI) classifiers for static-analysis meta-alerts at relatively low cost and effort. SCAIFE uses automation to reduce the significant manual effort required to adjudicate meta-alerts that are produced by static-analysis tools. The architecture also enables low-effort integration for tools to incorporate mathematical formulas for meta-alert prioritization, data aggregation...

A Public Repository of Data for Static-Analysis Classification Research

• SEI Blog
Lori Flynn

Static analysis (SA) tools are a widely used and routine part of testing by DoD and commercial organizations. Validating and repairing defects discovered by SA tools can require more human effort from auditors and coders than organizations have available. Since 2016, researchers in the SEI CERT Division have been developing a method to automatically classify and prioritize alerts (warnings) and meta-alerts (alerts about code flaws or conditions) to help auditors and coders address large volumes...

Managing Static Analysis Alerts with Efficient Instantiation of the SCAIFE API into Code and an Automatically Classifying System

• SEI Blog
Lori Flynn

Static analysis tools analyze code without executing it to identify potential flaws in source code. Since alerts may be false positives, engineers must painstakingly examine them to adjudicate if they are legitimate flaws. Automation is needed to reduce the significant manual effort that would be required to adjudicate all (or significantly more of) the alerts. Many tools produce a large number of alerts with high false-positive rates. Other tools produce alerts for only a limited...

An Application Programming Interface for Classifying and Prioritizing Static Analysis Alerts

• SEI Blog
Lori Flynn

This post was co-written by Ebonie McNeil. In this post, we describe the Source Code Analysis Integrated Framework Environment (SCAIFE) application programming interface (API). SCAIFE is an architecture for classifying and prioritizing static analysis alerts. It is designed so that a wide variety of static analysis tools can integrate with the SCAIFE system using the API. The API is pertinent to organizations that develop or research static analysis alert auditing tools, aggregators, and frameworks....

SCALe v. 3: Automated Classification and Advanced Prioritization of Static Analysis Alerts

• SEI Blog
Lori Flynn

This post was co-authored by Ebonie McNeil. Static analysis tools analyze code without executing it, to identify potential flaws in source code. These tools produce a large number of alerts with high false-positive rates that an engineer must painstakingly examine to find legitimate flaws. As described in Lori's first blog post on this topic, we in the SEI's CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool since 2010 as part of our...

SCALe: A Tool for Managing Output from Static Analysis Tools

• SEI Blog
Lori Flynn

Experience shows that most software contains code flaws that can lead to vulnerabilities. Static analysis tools used to identify potential vulnerabilities in source code produce a large number of alerts with high false-positive rates that an engineer must painstakingly examine to find legitimate flaws. As described in this blog post, we in the SEI's CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool, as we have researched and prototyped methods to help analysts...
