{"id":"https://openalex.org/W4389159189","doi":"https://doi.org/10.1145/3611643.3616262","title":"Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java","display_name":"Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java","publication_year":2023,"publication_date":"2023-11-30","ids":{"openalex":"https://openalex.org/W4389159189","doi":"https://doi.org/10.1145/3611643.3616262"},"language":"en","primary_location":{"id":"doi:10.1145/3611643.3616262","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3611643.3616262","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://ink.library.smu.edu.sg/sis_research/8976","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100713124","display_name":"Kaixuan Li","orcid":"https://orcid.org/0000-0002-3517-353X"},"institutions":[{"id":"https://openalex.org/I66867065","display_name":"East China Normal University","ror":"https://ror.org/02n96ep67","country_code":"CN","type":"education","lineage":["https://openalex.org/I66867065"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Kaixuan Li","raw_affiliation_strings":["East China Normal University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"East China Normal University, Shanghai, China","institution_ids":["https://openalex.org/I66867065"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100658276","display_name":"Sen Chen","orcid":"https://orcid.org/0000-0001-9477-4100"},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Sen Chen","raw_affiliation_strings":["Tianjin University, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"Tianjin University, Tianjin, China","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102012317","display_name":"Lingling Fan","orcid":"https://orcid.org/0000-0002-2428-9297"},"institutions":[{"id":"https://openalex.org/I205237279","display_name":"Nankai University","ror":"https://ror.org/01y1kjr75","country_code":"CN","type":"education","lineage":["https://openalex.org/I205237279"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Lingling Fan","raw_affiliation_strings":["Nankai University, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"Nankai University, Tianjin, China","institution_ids":["https://openalex.org/I205237279"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5032257261","display_name":"Ruitao Feng","orcid":"https://orcid.org/0000-0001-9080-6865"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Ruitao Feng","raw_affiliation_strings":["University of New South Wales, Sydney, Australia"],"affiliations":[{"raw_affiliation_string":"University of New South Wales, Sydney, Australia","institution_ids":["https://openalex.org/I31746571"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100657632","display_name":"Han Liu","orcid":"https://orcid.org/0009-0000-8384-7933"},"institutions":[{"id":"https://openalex.org/I66867065","display_name":"East China Normal University","ror":"https://ror.org/02n96ep67","country_code":"CN","type":"education","lineage":["https://openalex.org/I66867065"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Han Liu","raw_affiliation_strings":["East China Normal University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"East China Normal University, Shanghai, China","institution_ids":["https://openalex.org/I66867065"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100319564","display_name":"Chengwei Liu","orcid":"https://orcid.org/0000-0003-1175-2753"},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Chengwei Liu","raw_affiliation_strings":["Nanyang Technological University, Singapore, Singapore"],"affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Singapore, Singapore","institution_ids":["https://openalex.org/I172675005"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100355692","display_name":"Yang Liu","orcid":"https://orcid.org/0000-0001-7300-9215"},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Yang Liu","raw_affiliation_strings":["Nanyang Technological University, Singapore, Singapore"],"affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Singapore, Singapore","institution_ids":["https://openalex.org/I172675005"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5102000768","display_name":"Yixiang Chen","orcid":"https://orcid.org/0000-0003-1235-5530"},"institutions":[{"id":"https://openalex.org/I66867065","display_name":"East China Normal University","ror":"https://ror.org/02n96ep67","country_code":"CN","type":"education","lineage":["https://openalex.org/I66867065"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yixiang Chen","raw_affiliation_strings":["East China Normal University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"East China Normal University, Shanghai, China","institution_ids":["https://openalex.org/I66867065"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5100713124"],"corresponding_institution_ids":["https://openalex.org/I66867065"],"apc_list":null,"apc_paid":null,"fwci":13.1901,"has_fulltext":false,"cited_by_count":29,"citation_normalized_percentile":{"value":0.98755736,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"921","last_page":"933"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12423","display_name":"Software Reliability and Analysis Research","score":0.9991000294685364,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7446234822273254},{"id":"https://openalex.org/keywords/java","display_name":"Java","score":0.5913476347923279},{"id":"https://openalex.org/keywords/consistency","display_name":"Consistency (knowledge bases)","score":0.5849649906158447},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.5250879526138306},{"id":"https://openalex.org/keywords/systems-development-life-cycle","display_name":"Systems development life cycle","score":0.49960899353027344},{"id":"https://openalex.org/keywords/application-security","display_name":"Application security","score":0.48812946677207947},{"id":"https://openalex.org/keywords/resource","display_name":"Resource (disambiguation)","score":0.43044987320899963},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.4170994460582733},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.39895012974739075},{"id":"https://openalex.org/keywords/risk-analysis","display_name":"Risk analysis (engineering)","score":0.3283679187297821},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.2803032696247101},{"id":"https://openalex.org/keywords/software-development-process","display_name":"Software development process","score":0.24166357517242432},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.22232314944267273},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.18292462825775146},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.17171600461006165},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.09223270416259766},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.08432617783546448}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7446234822273254},{"id":"https://openalex.org/C548217200","wikidata":"https://www.wikidata.org/wiki/Q251","display_name":"Java","level":2,"score":0.5913476347923279},{"id":"https://openalex.org/C2776436953","wikidata":"https://www.wikidata.org/wiki/Q5163215","display_name":"Consistency (knowledge bases)","level":2,"score":0.5849649906158447},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.5250879526138306},{"id":"https://openalex.org/C120617098","wikidata":"https://www.wikidata.org/wiki/Q559486","display_name":"Systems development life cycle","level":5,"score":0.49960899353027344},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.48812946677207947},{"id":"https://openalex.org/C206345919","wikidata":"https://www.wikidata.org/wiki/Q20380951","display_name":"Resource (disambiguation)","level":2,"score":0.43044987320899963},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.4170994460582733},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.39895012974739075},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3283679187297821},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.2803032696247101},{"id":"https://openalex.org/C180152950","wikidata":"https://www.wikidata.org/wiki/Q2904257","display_name":"Software development process","level":4,"score":0.24166357517242432},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.22232314944267273},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.18292462825775146},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.17171600461006165},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.09223270416259766},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.08432617783546448},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.0},{"id":"https://openalex.org/C71924100","wikidata":"https://www.wikidata.org/wiki/Q11190","display_name":"Medicine","level":0,"score":0.0},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3611643.3616262","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3611643.3616262","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","raw_type":"proceedings-article"},{"id":"pmh:oai:ink.library.smu.edu.sg:sis_research-9979","is_oa":true,"landing_page_url":"https://ink.library.smu.edu.sg/sis_research/8976","pdf_url":null,"source":{"id":"https://openalex.org/S4306401925","display_name":"Singapore Management University Institutional Knowledge (InK) (Singapore Management University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79891267","host_organization_name":"Singapore Management University","host_organization_lineage":["https://openalex.org/I79891267"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://doi.org/10.1145/3611643.3616262","raw_type":"Conference Proceeding Article"}],"best_oa_location":{"id":"pmh:oai:ink.library.smu.edu.sg:sis_research-9979","is_oa":true,"landing_page_url":"https://ink.library.smu.edu.sg/sis_research/8976","pdf_url":null,"source":{"id":"https://openalex.org/S4306401925","display_name":"Singapore Management University Institutional Knowledge (InK) (Singapore Management University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79891267","host_organization_name":"Singapore Management University","host_organization_lineage":["https://openalex.org/I79891267"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://doi.org/10.1145/3611643.3616262","raw_type":"Conference Proceeding Article"},"sustainable_development_goals":[{"score":0.5,"id":"https://metadata.un.org/sdg/12","display_name":"Responsible consumption and production"}],"awards":[],"funders":[{"id":"https://openalex.org/F4320320709","display_name":"National Research Foundation Singapore","ror":"https://ror.org/03cpyc314"},{"id":"https://openalex.org/F4320322725","display_name":"China Scholarship Council","ror":"https://ror.org/04atp4p48"},{"id":"https://openalex.org/F4320335777","display_name":"National Key Research and Development Program of China","ror":null}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":38,"referenced_works":["https://openalex.org/W1498432697","https://openalex.org/W1761184020","https://openalex.org/W2019230987","https://openalex.org/W2020841721","https://openalex.org/W2022759867","https://openalex.org/W2033539354","https://openalex.org/W2107024044","https://openalex.org/W2767911201","https://openalex.org/W2784669118","https://openalex.org/W2796301966","https://openalex.org/W2853432192","https://openalex.org/W2888223970","https://openalex.org/W2892815795","https://openalex.org/W2898686857","https://openalex.org/W2899424311","https://openalex.org/W2937413037","https://openalex.org/W2976928731","https://openalex.org/W2979528578","https://openalex.org/W2985139693","https://openalex.org/W3033053557","https://openalex.org/W3046919285","https://openalex.org/W3090910431","https://openalex.org/W3093700956","https://openalex.org/W3102504333","https://openalex.org/W3105413283","https://openalex.org/W3153018678","https://openalex.org/W3170526652","https://openalex.org/W3180445586","https://openalex.org/W3208077293","https://openalex.org/W4200028713","https://openalex.org/W4220988989","https://openalex.org/W4229842944","https://openalex.org/W4285490437","https://openalex.org/W4285490477","https://openalex.org/W4310423035","https://openalex.org/W4313563659","https://openalex.org/W4378760032","https://openalex.org/W4381989586"],"related_works":["https://openalex.org/W47727947","https://openalex.org/W4385835594","https://openalex.org/W4385839004","https://openalex.org/W2101186143","https://openalex.org/W3015499098","https://openalex.org/W125279808","https://openalex.org/W4210690107","https://openalex.org/W3128900203","https://openalex.org/W2150933192","https://openalex.org/W2557302400"],"abstract_inverted_index":{"Static":[0],"application":[1],"security":[2],"testing":[3],"(SAST)":[4],"takes":[5],"a":[6],"significant":[7],"role":[8],"in":[9,166],"the":[10,23,32,63,108,113,143,153,160],"software":[11],"development":[12],"life":[13],"cycle":[14],"(SDLC).":[15],"However,":[16],"it":[17],"is":[18,31,136],"challenging":[19],"to":[20,28,62,172],"comprehensively":[21],"evaluate":[22],"effectiveness":[24],"of":[25,101,116],"SAST":[26,52,74,88],"tools":[27,53,57,75,89],"determine":[29],"which":[30],"better":[33],"one":[34],"for":[35,58,182],"detecting":[36,145],"vulnerabilities.":[37,133],"In":[38],"this":[39],"paper,":[40],"based":[41],"on":[42,92,175],"well-defined":[43],"criteria,":[44],"we":[45,69],"first":[46],"selected":[47,109],"seven":[48],"free":[49],"or":[50],"open-source":[51],"from":[54,76],"161":[55],"existing":[56],"further":[59],"evaluation.":[60],"Owing":[61],"synthetic":[64,93],"and":[65,71,78,85,129,147,180,185],"newly-constructed":[66],"real-world":[67,102],"benchmarks,":[68,94],"evaluated":[70],"compared":[72],"these":[73],"different":[77],"comprehensive":[79,168],"perspectives":[80],"such":[81],"as":[82],"effectiveness,":[83],"consistency,":[84],"performance.":[86],"While":[87],"perform":[90],"well":[91],"our":[95,167],"results":[96],"indicate":[97],"that":[98,137],"only":[99],"12.7%":[100],"vulnerabilities":[103,120],"can":[104],"be":[105],"detected":[106],"by":[107],"tools.":[110],"Even":[111],"combining":[112],"detection":[114,154],"capability":[115],"all":[117],"tools,":[118],"most":[119],"(70.9%)":[121],"remain":[122],"undetected,":[123],"especially":[124],"those":[125],"beyond":[126],"resource":[127],"control":[128],"insufficiently":[130],"neutralized":[131],"input/output":[132],"The":[134],"fact":[135],"although":[138],"they":[139],"have":[140],"already":[141],"built":[142],"corresponding":[144],"rules":[146],"integrated":[148],"them":[149],"into":[150],"their":[151],"capabilities,":[152],"result":[155],"still":[156],"did":[157],"not":[158],"meet":[159],"expectations.":[161],"All":[162],"useful":[163],"findings":[164],"unveiled":[165],"study":[169],"indeed":[170],"help":[171],"provide":[173],"guidance":[174],"tool":[176],"development,":[177],"improvement,":[178],"evaluation,":[179],"selection":[181],"developers,":[183],"researchers,":[184],"potential":[186],"users.":[187]},"counts_by_year":[{"year":2025,"cited_by_count":18},{"year":2024,"cited_by_count":10},{"year":2023,"cited_by_count":1}],"updated_date":"2026-04-05T17:49:38.594831","created_date":"2025-10-10T00:00:00"}