{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T03:37:43Z","timestamp":1782877063581,"version":"3.54.5"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"FSE","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,19]]},"abstract":"<jats:p>\n            Scalable static analyzers are popular tools for finding incorrect, inefficient, insecure, and hard-to-maintain code early during the development process. Because not all warnings reported by a static analyzer are immediately useful to developers, many static analyzers provide a way to suppress warnings, e.g., in the form of special comments added into the code. Such\n            <jats:italic toggle=\"yes\">suppressions<\/jats:italic>\n            are an important mechanism at the interface between static analyzers and software developers, but little is currently known about them. This paper presents the first in-depth empirical study of suppressions of static analysis warnings, addressing questions about the prevalence of suppressions, their evolution over time, the relationship between suppressions and warnings, and the reasons for using suppressions. We answer these questions by studying projects written in three popular languages and suppressions for warnings by four popular static analyzers. Our findings show that (i) suppressions are relatively common, e.g., with a total of 7,357 suppressions in 46 Python projects, (ii) the number of suppressions in a project tends to continuously increase over time, (iii) surprisingly, 50.8% of all suppressions do not affect any warning and hence are practically useless, (iv) some suppressions, including useless ones, may unintentionally hide future warnings, and (v) common reasons for introducing suppressions include false positives, suboptimal configurations of the static analyzer, and misleading warning messages. These results have actionable implications, e.g., that developers should be made aware of useless suppressions and the potential risk of unintentional suppressing, that static analyzers should provide better warning messages, and that static analyzers should separately categorize warnings from third-party libraries.\n          <\/jats:p>","DOI":"10.1145\/3715729","type":"journal-article","created":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:16:02Z","timestamp":1750346162000},"page":"290-311","source":"Crossref","is-referenced-by-count":3,"title":["An Empirical Study of Suppressed Static Analysis Warnings"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1470-0839","authenticated-orcid":false,"given":"Huimin","family":"Hu","sequence":"first","affiliation":[{"name":"University of Stuttgart, Stuttgart, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6531-5420","authenticated-orcid":false,"given":"Yingying","family":"Wang","sequence":"additional","affiliation":[{"name":"University of British Columbia, Vancouver, Canada"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7280-1614","authenticated-orcid":false,"given":"Julia","family":"Rubin","sequence":"additional","affiliation":[{"name":"University of British Columbia, Vancouver, Canada"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1623-498X","authenticated-orcid":false,"given":"Michael","family":"Pradel","sequence":"additional","affiliation":[{"name":"University of Stuttgart, Stuttgart, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,6,19]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"[n. d.]. Android Espresso UI Testing Framework. https:\/\/developer.android.com\/training\/testing\/espresso"},{"key":"e_1_2_1_2_1","unstructured":"[n. d.]. Checkstyle. https:\/\/checkstyle.sourceforge.io\/"},{"key":"e_1_2_1_3_1","unstructured":"[n. d.]. Codacy. https:\/\/www.codacy.com\/"},{"key":"e_1_2_1_4_1","unstructured":"[n. d.]. Cyclomatic complexity. https:\/\/en.wikipedia.org\/wiki\/Cyclomatic_complexity"},{"key":"e_1_2_1_5_1","unstructured":"[n. d.]. ESLint. https:\/\/eslint.org\/"},{"key":"e_1_2_1_6_1","unstructured":"[n. d.]. Flipper - Extensible mobile app debugger. https:\/\/fbflipper.com"},{"key":"e_1_2_1_7_1","unstructured":"[n. d.]. Flow: Static Type Checker for JavaScript. https:\/\/flow.org\/ accessed: 2018-09-12"},{"key":"e_1_2_1_8_1","unstructured":"[n. d.]. JUnit4. https:\/\/junit.org\/junit4\/"},{"key":"e_1_2_1_9_1","unstructured":"[n. d.]. Mypy. https:\/\/mypy-lang.org\/"},{"key":"e_1_2_1_10_1","unstructured":"[n. d.]. PMD. http:\/\/pmd.sourceforge.net"},{"key":"e_1_2_1_11_1","unstructured":"[n. d.]. Pylint. pylint.readthedocs.io\/"},{"key":"e_1_2_1_12_1","unstructured":"[n. d.]. Rhino. https:\/\/github.com\/mozilla\/rhino"},{"key":"e_1_2_1_13_1","volume-title":"12th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2012","author":"Aftandilian Edward","year":"2012","unstructured":"Edward Aftandilian, Raluca Sauciuc, Siddharth Priya, and Sundaresan Krishnan. 2012. Building Useful Program Analysis Tools Using an Extensible Java Compiler. In 12th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2012, Riva del Garda, Italy, September 23-24, 2012. 14\u201323. https:\/\/doi.org\/10.1109\/SCAM.2012.28 10.1109\/SCAM.2012.28"},{"key":"e_1_2_1_14_1","volume-title":"Proceedings of the 45th International Conference on Software Engineering. 589\u2013601","author":"An Gabin","year":"2023","unstructured":"Gabin An, Jingun Hong, Naryeong Kim, and Shin Yoo. 2023. Fonte: Finding Bug Inducing Commits from Failures. In Proceedings of the 45th International Conference on Software Engineering. 589\u2013601. https:\/\/doi.org\/10.1109\/ICSE48619.2023.00059 10.1109\/ICSE48619.2023.00059"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2008.130"},{"key":"e_1_2_1_16_1","volume-title":"2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER). 1, 470\u2013481","author":"Beller Moritz","year":"2016","unstructured":"Moritz Beller, Radjino Bholanath, Shane McIntosh, and Andy Zaidman. 2016. Analyzing the state of static analysis: A large-scale evaluation in open source software. In 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER). 1, 470\u2013481. https:\/\/doi.org\/10.1109\/SANER.2016.105 10.1109\/SANER.2016.105"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/1646353.1646374"},{"key":"e_1_2_1_18_1","volume-title":"NASA Formal Methods Symposium. 3\u201311","author":"Calcagno Cristiano","year":"2015","unstructured":"Cristiano Calcagno, Dino Distefano, J\u00e9r\u00e9my Dubreil, Dominik Gabi, Pieter Hooimeijer, Martino Luca, Peter O\u2019Hearn, Irene Papakonstantinou, Jim Purbrick, and Dulma Rodriguez. 2015. Moving fast with software verification. In NASA Formal Methods Symposium. 3\u201311."},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 31st IEEE\/ACM international conference on automated software engineering. 332\u2013343","author":"Christakis Maria","year":"2016","unstructured":"Maria Christakis and Christian Bird. 2016. What developers want and need from program analysis: an empirical study. In Proceedings of the 31st IEEE\/ACM international conference on automated software engineering. 332\u2013343. https:\/\/doi.org\/10.1145\/2970276.2970347 10.1145\/2970276.2970347"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00091"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","unstructured":"Luca Di Grazia and Michael Pradel. 2022. The Evolution of Type Annotations in Python: An Empirical Study. In ESEC\/FSE. https:\/\/doi.org\/10.1145\/3540250.3549114 10.1145\/3540250.3549114","DOI":"10.1145\/3540250.3549114"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00135"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","unstructured":"Rui Gu Guoliang Jin Linhai Song Linjie Zhu and Shan Lu. 2015. What change history tells us about thread synchronization. In ESEC\/FSE. 426\u2013438. https:\/\/doi.org\/10.1145\/2786805.2786815 10.1145\/2786805.2786815","DOI":"10.1145\/2786805.2786815"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","unstructured":"Andrew Habib and Michael Pradel. 2018. How Many of All Bugs Do We Find? A Study of Static Bug Detectors. In ASE. https:\/\/doi.org\/10.1145\/3238147.3238213 10.1145\/3238147.3238213","DOI":"10.1145\/3238147.3238213"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","unstructured":"David Hovemeyer and William Pugh. 2004. Finding bugs is easy. In Companion to the Conference on Object-Oriented Programming Systems Languages and Applications (OOPSLA). ACM 132\u2013136. https:\/\/doi.org\/10.1145\/1052883.1052895 10.1145\/1052883.1052895","DOI":"10.1145\/1052883.1052895"},{"key":"e_1_2_1_26_1","volume-title":"2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE). 323\u2013333","author":"Imtiaz Nasif","year":"2019","unstructured":"Nasif Imtiaz, Brendan Murphy, and Laurie Williams. 2019. How do developers act on static analysis alerts? an empirical study of coverity usage. In 2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE). 323\u2013333. https:\/\/doi.org\/10.1109\/ISSRE.2019.00040 10.1109\/ISSRE.2019.00040"},{"key":"e_1_2_1_27_1","volume-title":"2019 IEEE\/ACM 16th International Conference on Mining Software Repositories (MSR). 245\u2013249","author":"Imtiaz Nasif","year":"2019","unstructured":"Nasif Imtiaz, Akond Rahman, Effat Farhana, and Laurie Williams. 2019. Challenges with responding to static analysis tool alerts. In 2019 IEEE\/ACM 16th International Conference on Mining Software Repositories (MSR). 245\u2013249. https:\/\/doi.org\/10.1109\/MSR.2019.00049 10.1109\/MSR.2019.00049"},{"key":"e_1_2_1_28_1","volume-title":"2013 35th International Conference on Software Engineering (ICSE). 672\u2013681","author":"Johnson Brittany","year":"2013","unstructured":"Brittany Johnson, Yoonki Song, Emerson Murphy-Hill, and Robert Bowdidge. 2013. Why don\u2019t software developers use static analysis tools to find bugs? In 2013 35th International Conference on Software Engineering (ICSE). 672\u2013681. https:\/\/doi.org\/10.1109\/ICSE.2013.6606613 10.1109\/ICSE.2013.6606613"},{"key":"e_1_2_1_29_1","unstructured":"S. C. Johnson. 1978. Lint a C Program Checker."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","unstructured":"Ashwin Kallingal Joshy Xueyuan Chen Benjamin Steenhoek and Wei Le. 2021. Validating Static Warnings via Testing Code Fragments. In ISSTA. https:\/\/doi.org\/10.1145\/3460319.3464832 10.1145\/3460319.3464832","DOI":"10.1145\/3460319.3464832"},{"key":"e_1_2_1_31_1","volume-title":"Proceedings of the 44th International Conference on Software Engineering. 698\u2013709","author":"Kang Hong Jin","year":"2022","unstructured":"Hong Jin Kang, Khai Loong Aw, and David Lo. 2022. Detecting false alarms from automatic static analysis tools: how far are we? In Proceedings of the 44th International Conference on Software Engineering. 698\u2013709. https:\/\/doi.org\/10.1145\/3510003.3510214 10.1145\/3510003.3510214"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510153"},{"key":"e_1_2_1_33_1","volume-title":"Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering. 45\u201354","author":"Kim Sunghun","year":"2007","unstructured":"Sunghun Kim and Michael D Ernst. 2007. Which warnings should I fix first? In Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering. 45\u201354. https:\/\/doi.org\/10.1145\/1287624.1287633 10.1145\/1287624.1287633"},{"key":"e_1_2_1_34_1","volume-title":"Engler","author":"Kremenek Ted","year":"2003","unstructured":"Ted Kremenek and Dawson R. Engler. 2003. Z-Ranking: Using Statistical Analysis to Counter the Impact of Static Analysis Approximations. In International Symposium on Static Analysis (SAS). Springer, 295\u2013315."},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3318162"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2024.3358283"},{"key":"e_1_2_1_37_1","volume-title":"Automated Software Entity Matching Between Successive Versions. In 2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE). 1615\u20131627","author":"Liu Bo","year":"2023","unstructured":"Bo Liu, Hui Liu, Nan Niu, Yuxia Zhang, Guangjie Li, and Yanjie Jiang. 2023. Automated Software Entity Matching Between Successive Versions. In 2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE). 1615\u20131627. https:\/\/doi.org\/10.1109\/ASE56229.2023.00132 10.1109\/ASE56229.2023.00132"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2884955"},{"key":"e_1_2_1_39_1","volume-title":"2021 IEEE\/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). 208\u2013217","author":"Ljungberg Anton","year":"2021","unstructured":"Anton Ljungberg, David \u00c5kerman, Emma S\u00f6derberg, Gustaf Lundh, Jon Sten, and Luke Church. 2021. Case study on data-driven deployment of program analysis on an open tools stack. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). 208\u2013217. https:\/\/doi.org\/10.1109\/ICSE-SEIP52600.2021.00030 10.1109\/ICSE-SEIP52600.2021.00030"},{"key":"e_1_2_1_40_1","doi-asserted-by":"crossref","first-page":"308","DOI":"10.1109\/TSE.1976.233837","article-title":"A Complexity Measure","volume":"2","author":"McCabe Thomas J.","year":"1976","unstructured":"Thomas J. McCabe. 1976. A Complexity Measure. IEEE Transactions on Software Engineering, 2, 4 (1976), Dec., 308\u2013320.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_2_1_41_1","volume-title":"European Software Engineering Conference and International Symposiumon Foundations of Software Engineering (ESEC\/FSE). ACM, 268\u2013278","author":"Nguyen Khanh","year":"2013","unstructured":"Khanh Nguyen and Guoqing Xu. 2013. Cachetor: Detecting Cacheable Data to Remove Bloat. In European Software Engineering Conference and International Symposiumon Foundations of Software Engineering (ESEC\/FSE). ACM, 268\u2013278. https:\/\/doi.org\/10.1145\/2491411.2491416 10.1145\/2491411.2491416"},{"key":"e_1_2_1_42_1","volume-title":"International Symposium on Software Reliability Engineering (ISSRE). IEEE Computer Society, 245\u2013256","author":"Rutar Nick","year":"2004","unstructured":"Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster. 2004. A Comparison of Bug Finding Tools for Java. In International Symposium on Software Reliability Engineering (ISSRE). IEEE Computer Society, 245\u2013256. https:\/\/doi.org\/10.1109\/ISSRE.2004.1 10.1109\/ISSRE.2004.1"},{"key":"e_1_2_1_43_1","volume-title":"2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering. 1, 598\u2013608","author":"Sadowski Caitlin","year":"2015","unstructured":"Caitlin Sadowski, Jeffrey Van Gogh, Ciera Jaspan, Emma Soderberg, and Collin Winter. 2015. Tricorder: Building a program analysis ecosystem. In 2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering. 1, 598\u2013608."},{"key":"e_1_2_1_44_1","volume-title":"Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory","author":"Strauss Anselm","unstructured":"Anselm Strauss and Juliet Corbin. 1998. Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. Thousand Oaks, CA: Sage."},{"key":"e_1_2_1_45_1","volume-title":"Conference on Automated Software Engineering (ASE). ACM, 50\u201359","author":"Thung Ferdian","unstructured":"Ferdian Thung, Lucia, David Lo, Lingxiao Jiang, Foyzur Rahman, and Premkumar T. Devanbu. 2012. To what extent could we detect field defects? an empirical study of false negatives in static bug finding tools. In Conference on Automated Software Engineering (ASE). ACM, 50\u201359. https:\/\/doi.org\/10.1145\/2351676.2351685 10.1145\/2351676.2351685"},{"key":"e_1_2_1_46_1","volume-title":"Proceedings of the ACM\/IEEE 42nd International Conference on Software Engineering. 824\u2013834","author":"van Tonder Rijnard","year":"2020","unstructured":"Rijnard van Tonder and Claire Le Goues. 2020. Tailoring programs for static analysis via program transformation. In Proceedings of the ACM\/IEEE 42nd International Conference on Software Engineering. 824\u2013834. https:\/\/doi.org\/10.1145\/3377811.3380343 10.1145\/3377811.3380343"},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the 2017 11th joint meeting on foundations of software engineering. 672\u2013682","author":"Wei Lili","year":"2017","unstructured":"Lili Wei, Yepang Liu, and Shing-Chi Cheung. 2017. Oasis: prioritizing static analysis warnings for android apps based on app user reviews. In Proceedings of the 2017 11th joint meeting on foundations of software engineering. 672\u2013682. https:\/\/doi.org\/10.1145\/3106237.3106294 10.1145\/3106237.3106294"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","unstructured":"Ping Yu Yijian Wu Xin Peng Jiahan Peng Jian Zhang Peicheng Xie and Wenyun Zhao. 2023. ViolationTracker: Building Precise Histories for Static Analysis Violations. In ICSE. https:\/\/doi.org\/10.1109\/ICSE48619.2023.00171 10.1109\/ICSE48619.2023.00171","DOI":"10.1109\/ICSE48619.2023.00171"},{"key":"e_1_2_1_49_1","volume-title":"Proceedings of the 14th International Conference on Mining Software Repositories, MSR 2017","author":"Zampetti Fiorella","year":"2017","unstructured":"Fiorella Zampetti, Simone Scalabrino, Rocco Oliveto, Gerardo Canfora, and Massimiliano Di Penta. 2017. How open source projects use static code analysis tools in continuous integration pipelines. In Proceedings of the 14th International Conference on Mining Software Repositories, MSR 2017, Buenos Aires, Argentina, May 20-28, 2017. 334\u2013344. https:\/\/doi.org\/10.1109\/MSR.2017.2 10.1109\/MSR.2017.2"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2006.38"}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3715729","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:22:12Z","timestamp":1750346532000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3715729"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,19]]},"references-count":50,"journal-issue":{"issue":"FSE","published-print":{"date-parts":[[2025,6,19]]}},"alternative-id":["10.1145\/3715729"],"URL":"https:\/\/doi.org\/10.1145\/3715729","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,19]]}}}