{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T20:20:43Z","timestamp":1777407643664,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":71,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,7,18]],"date-time":"2022-07-18T00:00:00Z","timestamp":1658102400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,7,18]]},"DOI":"10.1145\/3533767.3534380","type":"proceedings-article","created":{"date-parts":[[2022,7,15]],"date-time":"2022-07-15T14:28:50Z","timestamp":1657895330000},"page":"544-555","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":96,"title":["An empirical study on the effectiveness of static C code analyzers for vulnerability detection"],"prefix":"10.1145","author":[{"given":"Stephan","family":"Lipp","sequence":"first","affiliation":[{"name":"TU Munich, Germany"}]},{"given":"Sebastian","family":"Banescu","sequence":"additional","affiliation":[{"name":"TU Munich, Germany"}]},{"given":"Alexander","family":"Pretschner","sequence":"additional","affiliation":[{"name":"TU Munich, Germany"}]}],"member":"320","published-online":{"date-parts":[[2022,7,18]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n. d.]. Clang Static Analyzer. https:\/\/clang-analyzer.llvm.org\/ Accessed: 2021-07-23 \t\t\t\t\t  [n. d.]. Clang Static Analyzer. https:\/\/clang-analyzer.llvm.org\/ Accessed: 2021-07-23"},{"key":"e_1_3_2_1_2_1","unstructured":"[n. d.]. Clang-Tidy: Extra Clang Tools. https:\/\/clang.llvm.org\/extra\/clang-tidy\/ Accessed: 2021-07-23 \t\t\t\t\t  [n. d.]. Clang-Tidy: Extra Clang Tools. https:\/\/clang.llvm.org\/extra\/clang-tidy\/ Accessed: 2021-07-23"},{"key":"e_1_3_2_1_3_1","unstructured":"[n. d.]. CodeChecker. https:\/\/codechecker.readthedocs.io\/en\/latest\/ Accessed: 2021-07-23 \t\t\t\t\t  [n. d.]. CodeChecker. https:\/\/codechecker.readthedocs.io\/en\/latest\/ Accessed: 2021-07-23"},{"key":"e_1_3_2_1_4_1","unstructured":"[n. d.]. CodeQL for Research. https:\/\/securitylab.github.com\/tools\/codeql\/ Accessed: 2021-07-23 \t\t\t\t\t  [n. d.]. CodeQL for Research. https:\/\/securitylab.github.com\/tools\/codeql\/ Accessed: 2021-07-23"},{"key":"e_1_3_2_1_5_1","unstructured":"[n. d.]. The Common Weakness Enumeration (CWE) Initiative. https:\/\/cwe.mitre.org\/ Accessed: 2022-01-19 \t\t\t\t\t  [n. d.]. The Common Weakness Enumeration (CWE) Initiative. https:\/\/cwe.mitre.org\/ Accessed: 2022-01-19"},{"key":"e_1_3_2_1_6_1","unstructured":"[n. d.]. Cppcheck: A Tool for Static C\/C++ Code Analysis. http:\/\/cppcheck.sourceforge.net\/ Accessed: 2021-07-23 \t\t\t\t\t  [n. d.]. Cppcheck: A Tool for Static C\/C++ Code Analysis. http:\/\/cppcheck.sourceforge.net\/ Accessed: 2021-07-23"},{"key":"e_1_3_2_1_7_1","unstructured":"[n. d.]. CWE-Compatible Products and Services. https:\/\/cwe.mitre.org\/compatible\/compatible.html Accessed: 2022-01-12 \t\t\t\t\t  [n. d.]. CWE-Compatible Products and Services. https:\/\/cwe.mitre.org\/compatible\/compatible.html Accessed: 2022-01-12"},{"key":"e_1_3_2_1_8_1","unstructured":"[n. d.]. Cyber Grand Challenge Corpus. http:\/\/www.lungetech.com\/cgc-corpus\/ Accessed: 2021-07-10 \t\t\t\t\t  [n. d.]. Cyber Grand Challenge Corpus. http:\/\/www.lungetech.com\/cgc-corpus\/ Accessed: 2021-07-10"},{"key":"e_1_3_2_1_9_1","unstructured":"[n. d.]. Flawfinder. https:\/\/dwheeler.com\/flawfinder\/ Accessed: 2021-07-23 \t\t\t\t\t  [n. d.]. Flawfinder. https:\/\/dwheeler.com\/flawfinder\/ Accessed: 2021-07-23"},{"key":"e_1_3_2_1_10_1","unstructured":"[n. d.]. Infer: A Tool to Detect Bugs in Java and C\/C++\/Objective-c Code. https:\/\/fbinfer.com\/ Accessed: 2021-07-23 \t\t\t\t\t  [n. d.]. Infer: A Tool to Detect Bugs in Java and C\/C++\/Objective-c Code. https:\/\/fbinfer.com\/ Accessed: 2021-07-23"},{"key":"e_1_3_2_1_11_1","unstructured":"[n. d.]. Introducing the OpenSSF CVE Benchmark. https:\/\/openssf.org\/blog\/2020\/12\/09\/introducing-the-openssf-cve-benchmark\/ Accessed: 2021-08-13 \t\t\t\t\t  [n. d.]. Introducing the OpenSSF CVE Benchmark. https:\/\/openssf.org\/blog\/2020\/12\/09\/introducing-the-openssf-cve-benchmark\/ Accessed: 2021-08-13"},{"key":"e_1_3_2_1_12_1","unstructured":"[n. d.]. Juliet Test Suite. https:\/\/samate.nist.gov\/SRD\/testsuite.php Accessed: 2021-07-10 \t\t\t\t\t  [n. d.]. Juliet Test Suite. https:\/\/samate.nist.gov\/SRD\/testsuite.php Accessed: 2021-07-10"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1556\/606.2021.00454"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/LADC.2016.32"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/EDCC.2016.34"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/SYNASC.2017.00035"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2016.2"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.2"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2008.130"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/saner.2016.105"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2785841"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2012.345"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2018.09.016"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453096"},{"key":"e_1_3_2_1_26_1","volume-title":"Proceedings of the USENIX Symposium on Operating Systems Design and Implementation. 209\u2013224","author":"Cadar Cristian","year":"2019","unstructured":"Cristian Cadar , Daniel Dunbar , and Dawson Engler . 2019 . KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs . In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation. 209\u2013224 . isbn:9781931971652 https:\/\/doi.org\/10.5555\/1855741.1855756 Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2019. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation. 209\u2013224. isbn:9781931971652 https:\/\/doi.org\/10.5555\/1855741.1855756"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2049697.2049700"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSACW.2011.26"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.111"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970347"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/512950.512973"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/EDCC51268.2020.00025"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/COUFLESS.2015.10"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.15"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/IBCAST.2018.8312265"},{"key":"e_1_3_2_1_36_1","volume-title":"Proceedings of the USENIX Workshop on Offensive Technologies.","author":"Fioraldi Andrea","year":"2020","unstructured":"Andrea Fioraldi , Dominik Maier , Heiko Ei\u00df feldt, and Marc Heuse . 2020 . AFL++: Combining Incremental Steps of Fuzzing Research . In Proceedings of the USENIX Workshop on Offensive Technologies. Andrea Fioraldi, Dominik Maier, Heiko Ei\u00df feldt, and Marc Heuse. 2020. AFL++: Combining Incremental Steps of Fuzzing Research. In Proceedings of the USENIX Workshop on Offensive Technologies."},{"key":"e_1_3_2_1_37_1","unstructured":"Sijia Geng Yuekang Li Yunlan Du Jun Xu Yang Liu and Bing Mao. 2020. An Empirical Study on Benchmarks of Artificial Software Vulnerabilities. mar issn:2331-8422 arxiv:2003.09561. arxiv:2003.09561 \t\t\t\t\t  Sijia Geng Yuekang Li Yunlan Du Jun Xu Yang Liu and Bing Mao. 2020. An Empirical Study on Benchmarks of Artificial Software Vulnerabilities. mar issn:2331-8422 arxiv:2003.09561. arxiv:2003.09561"},{"key":"e_1_3_2_1_38_1","volume-title":"Evaluation of Open Source Static Analysis Security Testing","author":"Gentsch Christoph","unstructured":"Christoph Gentsch . 2020. Evaluation of Open Source Static Analysis Security Testing ( SAST) Tools for C. German Aerospace Center (DLR DW) , 37. https:\/\/elib.dlr.de\/133945\/ Christoph Gentsch. 2020. Evaluation of Open Source Static Analysis Security Testing (SAST) Tools for C. German Aerospace Center (DLR DW), 37. https:\/\/elib.dlr.de\/133945\/"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-81-322-2268-2_59"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2015.08.002"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238213"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3410220.3456276"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00049"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2013.6606613"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2020.04.217"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/1287624.1287633"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/360248.360252"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44898-5_16"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/161494.161501"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/CGO.2004.1281665"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.5281\/zenodo.6515687"},{"key":"e_1_3_2_1_52_1","volume-title":"Proc. Usenix Security Symposium. 271\u2013286","author":"Benjamin Livshits V","year":"2005","unstructured":"V Benjamin Livshits and Monica S Lam . 2005 . Finding Security Errors in Java Programs with Static Analysis . In Proc. Usenix Security Symposium. 271\u2013286 . V Benjamin Livshits and Monica S Lam. 2005. Finding Security Errors in Java Programs with Static Analysis. In Proc. Usenix Security Symposium. 271\u2013286."},{"key":"e_1_3_2_1_53_1","volume-title":"Proceedings of the Workshop on the Evaluation of Software Defect Detection Tools. 1\u20135. https:\/\/doi.org\/10","author":"Lu Shan","year":"2005","unstructured":"Shan Lu , Zhenmin Li , Feng Qin , Lin Tan , Pin Zhou , and Yuanyuan Zhou . 2005 . BugBench: Benchmarks for Evaluating Bug Detection Tools . In Proceedings of the Workshop on the Evaluation of Software Defect Detection Tools. 1\u20135. https:\/\/doi.org\/10 .1.1.134.8941 Shan Lu, Zhenmin Li, Feng Qin, Lin Tan, Pin Zhou, and Yuanyuan Zhou. 2005. BugBench: Benchmarks for Evaluating Bug Detection Tools. In Proceedings of the Workshop on the Evaluation of Software Defect Detection Tools. 1\u20135. https:\/\/doi.org\/10.1.1.134.8941"},{"key":"e_1_3_2_1_54_1","volume-title":"Proceedings of the USENIX Security Symposium. 919\u2013936","author":"Mu Dongliang","year":"2018","unstructured":"Dongliang Mu , Alejandro Cuevas , Limin Yang , Hang Hu , Xinyu Xing , Bing Mao , and Gang Wang . 2018 . Understanding the Reproducibility of Crowd-reported Security Vulnerabilities . In Proceedings of the USENIX Security Symposium. 919\u2013936 . isbn:9781939133045 Dongliang Mu, Alejandro Cuevas, Limin Yang, Hang Hu, Xinyu Xing, Bing Mao, and Gang Wang. 2018. Understanding the Reproducibility of Crowd-reported Security Vulnerabilities. In Proceedings of the USENIX Security Symposium. 919\u2013936. isbn:9781939133045"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3213846.3213850"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.500-297"},{"key":"e_1_3_2_1_57_1","volume-title":"Proceedings of the USENIX Security Symposium. isbn:9781939133175","author":"Poeplau Sebastian","year":"2020","unstructured":"Sebastian Poeplau and Aur\u00e9lien Francillon . 2020 . Symbolic Execution with SymCC: Don\u2019t Interpret, Compile! . In Proceedings of the USENIX Security Symposium. isbn:9781939133175 Sebastian Poeplau and Aur\u00e9lien Francillon. 2020. Symbolic Execution with SymCC: Don\u2019t Interpret, Compile!. In Proceedings of the USENIX Security Symposium. isbn:9781939133175"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/lics.2002.1029817"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/1368088.1368135"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/3188720"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSREW.2015.7392027"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.2507\/31st.daaam.proceedings.078"},{"key":"e_1_3_2_1_63_1","volume-title":"Challenges of Using Sound and Complete Static Analysis Tools in Industrial Software","author":"Stikkelorum Wouter","year":"1818","unstructured":"Wouter Stikkelorum . 2016. Challenges of Using Sound and Complete Static Analysis Tools in Industrial Software . University of Amsterdam. https :\/\/scripties.uba.uva.nl\/scriptie\/6 1818 2 Wouter Stikkelorum. 2016. Challenges of Using Sound and Complete Static Analysis Tools in Industrial Software. University of Amsterdam. https:\/\/scripties.uba.uva.nl\/scriptie\/618182"},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3486592"},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/2351676.2351685"},{"key":"e_1_3_2_1_66_1","first-page":"1","article-title":"Security Vulnerabilities of the Top Ten Programming Languages: C, Java, C++, Objective-C, C#, Php, Visual Basic, Python, Perl, and Ruby","volume":"5","author":"Turner Stephen","year":"2014","unstructured":"Stephen Turner . 2014 . Security Vulnerabilities of the Top Ten Programming Languages: C, Java, C++, Objective-C, C#, Php, Visual Basic, Python, Perl, and Ruby . Journal of Technology Research , 5 (2014), 1 \u2013 16 . Stephen Turner. 2014. Security Vulnerabilities of the Top Ten Programming Languages: C, Java, C++, Objective-C, C#, Php, Visual Basic, Python, Perl, and Ruby. Journal of Technology Research, 5 (2014), 1\u201316.","journal-title":"Journal of Technology Research"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2018.8330195"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.5220\/0005032902440252"},{"key":"e_1_3_2_1_69_1","volume-title":"Proceedings of the USENIX Security Symposium. 745\u2013761","author":"Yun Insu","year":"2018","unstructured":"Insu Yun , Sangho Lee , Meng Xu , Yeongjin Jang , and Taesoo Kim . 2018 . QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing . In Proceedings of the USENIX Security Symposium. 745\u2013761 . isbn:9781939133045 https:\/\/doi.org\/10.5555\/3277203.3277260 Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing. In Proceedings of the USENIX Security Symposium. 745\u2013761. isbn:9781939133045 https:\/\/doi.org\/10.5555\/3277203.3277260"},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2006.38"},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/1029894.1029911"}],"event":{"name":"ISSTA '22: 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","location":"Virtual South Korea","acronym":"ISSTA '22","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3533767.3534380","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3533767.3534380","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T18:43:40Z","timestamp":1750272220000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3533767.3534380"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,7,18]]},"references-count":71,"alternative-id":["10.1145\/3533767.3534380","10.1145\/3533767"],"URL":"https:\/\/doi.org\/10.1145\/3533767.3534380","relation":{},"subject":[],"published":{"date-parts":[[2022,7,18]]},"assertion":[{"value":"2022-07-18","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}