CogniCrypt is a standalone static analysis tool for the detection of cryptographic API misuses. It consumes rulesets that describe how to use cryptographic APIs securely and correctly. These rulesets are written in the domain-specific language CrySL. CogniCrypt follows an allowlisting approach: the rules define the secure usage of an API, and any violation of such a rule results in a warning.
Recently we published an enhancement of CogniCrypt's analysis algorithm that allows the precise detection of dependent errors. Such errors are best described as error trees, where one subsequent error has several preceding errors. Identifying this relation between errors allows for more actionable warning reports. However, we still need to develop a user interface to present such error trees. This will help developers understand vulnerabilities and the location of their root cause in the code, which will make them easier to fix.
For more details, check the paper: Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability (accepted at SANER 2024)
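To make the notion of dependent errors concrete, the following Java snippet is an added example (it is not code from the CogniCrypt project or the paper). It assumes the usual allowlisting modelling in which the rule for `Cipher` requires a key that itself satisfies the key rule, so a violation on the key object (the preceding error) causes a second, dependent violation at `Cipher.init` (the subsequent error). The sample message and the hard-coded key bytes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ErrorChainExample {

    // BEFORE: misuses that form a dependency chain.
    // (1) The key is built from hard-coded string bytes instead of being produced
    //     by a secure key generator. The key object violates its own rule
    //     (preceding error).
    // (2) Cipher.init(...) consumes that key. Assuming the Cipher rule requires a
    //     key that satisfies the key rule, the init call is reported as well
    //     (subsequent, dependent error). Fixing (1) resolves (2); an error tree
    //     tells the developer that (1) is the root cause rather than (2).
    // (3) Independently, "AES" without an explicit mode defaults to ECB, which is
    //     a separate constraint violation on Cipher.getInstance (not part of the chain).
    static byte[] encryptInsecure(byte[] plaintext) throws GeneralSecurityException {
        byte[] keyBytes = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // constructed, hard-coded key material
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");                // preceding error
        Cipher cipher = Cipher.getInstance("AES");                             // ECB by default
        cipher.init(Cipher.ENCRYPT_MODE, key);                                 // subsequent (dependent) error
        return cipher.doFinal(plaintext);
    }

    // AFTER: the root cause is fixed first (key comes from a KeyGenerator), which makes the
    // dependent error at init disappear; the mode is fixed separately with GCM and a random IV.
    static SecretKey generateKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    static byte[] encryptSecure(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[12];                      // 96-bit nonce, fresh per message
        new SecureRandom().nextBytes(iv);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(plaintext);

        // Prepend the IV so the receiver can rebuild the GCMParameterSpec.
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        System.out.println("insecure ciphertext length: " + encryptInsecure(msg).length);
        System.out.println("secure ciphertext length:   " + encryptSecure(generateKey(), msg).length);
    }
}
```

Run against `encryptInsecure`, an analysis that only lists flat warnings shows three findings of apparently equal weight; with error chains, the finding at `cipher.init` is attached as a child of the finding on the `SecretKeySpec`, so the report points the developer at the single line whose fix removes both.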
Developing a usable presentation is one of the ideas on how to better support developers.
Further ideas include using machine learning to rank alerts according to the likelihood that an alert is a true positive, i.e. a real problem that needs to be fixed. In this way, we can present mainly the real warnings to developers. Hence, the pain of inaccurate results is addressed and the developer experiences high precision of the warnings, which reduces or even prevents the time lost investigating low-priority or false warnings.
For a similar approach, check the paper: ALETHEIA: Improving the Usability of Static Security Analysis by Tripp et al.