SE, Feb 24, 2022

Deploying Static Analysis

arXiv:2202.11861v1, 1 citation
Originality: Synthesis-oriented
AI Analysis

The paper provides a practical guide for software engineers and organizations to improve bug detection with static analysis. It is incremental: it builds on existing static analysis tools and methods and introduces no new technical innovation.

The paper tackles the challenge of deploying static analysis tools effectively in large organizations so that bugs are actually found and fixed. It emphasizes keeping the focus on getting bugs fixed, since losing that focus leads to pitfalls such as a flood of false positives and a tool that falls into disrepute.

Abstract

Static source code analysis is a powerful tool for finding and fixing bugs when deployed properly; it is, however, all too easy to deploy it in a way that looks good superficially, but which misses important defects, shows many false positives, and brings the tool into disrepute. This article is a guide to the process of deploying a static analysis tool in a large organization while avoiding the worst organizational and technical pitfalls. My main point is the importance of concentrating on the main goal of getting bugs fixed, against all the competing lesser goals which will arise during the process.
