FuzzSlice: Pruning False Positives in Static Analysis Warnings through Function-Level Fuzzing
This artifact is a full functional and reusable implementation of the approach and results presented in the paper “FuzzSlice: Pruning False Positives in Static Analysis Warnings through Function-Level Fuzzing.
The goal of FuzzSlice is to automatically prune false positives in static analysis warnings. FuzzSlice achieves this by compiling code slices at the function level of each static analysis warning. It then proceeds to fuzz these compiled slices using libfuzzer. The package includes the code for artifact and the benchmarks used in the study (openssl, openssh-portable and tmux repositories). In this artifact, we have provided a docker file which will automatically setup various modules of our package (therefore docker is the only dependency). The docker can be easily setup on a Linux machine by directly applying the commands on the README of the replication package in order. Therefore, there is no particular technology skills assumed by the reviewer. The expected setup time for the docker is a few minutes. We have already provided sample static analysis warnings to demonstrate FuzzSlice. The expected output is the code coverage of fuzzing and whether a static analysis warning is classified as a possible true bug or false positive. We have also provided a user documentation guide, which will go over the various configuration options of FuzzSlice in detail and explain what they do and what to expect as output. We want to claim the “reusable” and “available” badges. For further requests and communication please contact the first author.
