{"id":"https://openalex.org/W4399667970","doi":"https://doi.org/10.1145/3661167.3661262","title":"Semgrep*: Improving the Limited Performance of Static Application Security Testing (SAST) Tools","display_name":"Semgrep*: Improving the Limited Performance of Static Application Security Testing (SAST) Tools","publication_year":2024,"publication_date":"2024-06-14","ids":{"openalex":"https://openalex.org/W4399667970","doi":"https://doi.org/10.1145/3661167.3661262"},"language":"en","primary_location":{"id":"doi:10.1145/3661167.3661262","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3661167.3661262","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3661167.3661262","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5099127773","display_name":"Gareth Bennett","orcid":"https://orcid.org/0000-0001-7592-7079"},"institutions":[{"id":"https://openalex.org/I67415387","display_name":"Lancaster University","ror":"https://ror.org/04f2nsd36","country_code":"GB","type":"education","lineage":["https://openalex.org/I67415387"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Gareth Bennett","raw_affiliation_strings":["School of Computing and Communications, Lancaster University, United Kingdom"],"affiliations":[{"raw_affiliation_string":"School of Computing and Communications, Lancaster University, United Kingdom","institution_ids":["https://openalex.org/I67415387"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5019248666","display_name":"Tracy Hall","orcid":"https://orcid.org/0000-0002-2728-9014"},"institutions":[{"id":"https://openalex.org/I67415387","display_name":"Lancaster University","ror":"https://ror.org/04f2nsd36","country_code":"GB","type":"education","lineage":["https://openalex.org/I67415387"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Tracy Hall","raw_affiliation_strings":["School of Computing and Communications, Lancaster University, United Kingdom"],"affiliations":[{"raw_affiliation_string":"School of Computing and Communications, Lancaster University, United Kingdom","institution_ids":["https://openalex.org/I67415387"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022899674","display_name":"Emily Winter","orcid":"https://orcid.org/0000-0003-3314-7300"},"institutions":[{"id":"https://openalex.org/I67415387","display_name":"Lancaster University","ror":"https://ror.org/04f2nsd36","country_code":"GB","type":"education","lineage":["https://openalex.org/I67415387"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Emily Winter","raw_affiliation_strings":["School of Computing and Communications, Lancaster University, United Kingdom"],"affiliations":[{"raw_affiliation_string":"School of Computing and Communications, Lancaster University, United Kingdom","institution_ids":["https://openalex.org/I67415387"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5083706258","display_name":"Steve Counsell","orcid":"https://orcid.org/0000-0002-2939-8919"},"institutions":[{"id":"https://openalex.org/I59433898","display_name":"Brunel University of London","ror":"https://ror.org/00dn4t376","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I59433898"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Steve Counsell","raw_affiliation_strings":["Dept. of Computer Science, Brunel University, United Kingdom"],"affiliations":[{"raw_affiliation_string":"Dept. of Computer Science, Brunel University, United Kingdom","institution_ids":["https://openalex.org/I59433898"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5099127773"],"corresponding_institution_ids":["https://openalex.org/I67415387"],"apc_list":null,"apc_paid":null,"fwci":12.3444,"has_fulltext":true,"cited_by_count":16,"citation_normalized_percentile":{"value":0.98527976,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"614","last_page":"623"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9954000115394592,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9954000115394592,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.9854000210762024,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.984499990940094,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6996136903762817},{"id":"https://openalex.org/keywords/security-testing","display_name":"Security testing","score":0.44791847467422485},{"id":"https://openalex.org/keywords/software-performance-testing","display_name":"Software performance testing","score":0.4133286774158478},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.13867545127868652},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.13026773929595947},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.12275901436805725},{"id":"https://openalex.org/keywords/cloud-computing-security","display_name":"Cloud computing security","score":0.12258380651473999},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.11014777421951294},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.07677879929542542},{"id":"https://openalex.org/keywords/software-construction","display_name":"Software construction","score":0.0660519003868103}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6996136903762817},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.44791847467422485},{"id":"https://openalex.org/C178059732","wikidata":"https://www.wikidata.org/wiki/Q1982529","display_name":"Software performance testing","level":5,"score":0.4133286774158478},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.13867545127868652},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.13026773929595947},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.12275901436805725},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.12258380651473999},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.11014777421951294},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.07677879929542542},{"id":"https://openalex.org/C186846655","wikidata":"https://www.wikidata.org/wiki/Q3398377","display_name":"Software construction","level":4,"score":0.0660519003868103}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/3661167.3661262","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3661167.3661262","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering","raw_type":"proceedings-article"},{"id":"pmh:oai:eprints.lancs.ac.uk:230340","is_oa":false,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4306401916","display_name":"Lancaster EPrints (Lancaster University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I67415387","host_organization_name":"Lancaster University","host_organization_lineage":["https://openalex.org/I67415387"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"acceptedVersion","is_accepted":true,"is_published":false,"raw_source_name":null,"raw_type":"PeerReviewed"},{"id":"pmh:oai:bura.brunel.ac.uk:2438/30374","is_oa":true,"landing_page_url":"https://bura.brunel.ac.uk/handle/2438/30374","pdf_url":"http://bura.brunel.ac.uk/bitstream/2438/30374/1/FullText.pdf","source":{"id":"https://openalex.org/S4306401473","display_name":"Brunel University Research Archive (BURA) (Brunel University London)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I59433898","host_organization_name":"Brunel University of London","host_organization_lineage":["https://openalex.org/I59433898"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"28th International Conference on Evaluation and Assessment in Software Engineering (EASE '24)","raw_type":"Conference Paper"}],"best_oa_location":{"id":"doi:10.1145/3661167.3661262","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3661167.3661262","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":18,"referenced_works":["https://openalex.org/W814172419","https://openalex.org/W1497444954","https://openalex.org/W2017484176","https://openalex.org/W2106371080","https://openalex.org/W2518040442","https://openalex.org/W2735686703","https://openalex.org/W2754913139","https://openalex.org/W2892815795","https://openalex.org/W2901980656","https://openalex.org/W2963926786","https://openalex.org/W2976928731","https://openalex.org/W2990685757","https://openalex.org/W3116842536","https://openalex.org/W3166095789","https://openalex.org/W3202871865","https://openalex.org/W4231868071","https://openalex.org/W4233410239","https://openalex.org/W4290005235"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W2017747296","https://openalex.org/W1663662652","https://openalex.org/W4399451348","https://openalex.org/W1997387084","https://openalex.org/W31995590","https://openalex.org/W107788109","https://openalex.org/W142381204"],"abstract_inverted_index":{"Vulnerabilities":[0],"in":[1,13,27,56,161],"code":[2,74,120],"should":[3],"be":[4,17],"detected":[5],"and":[6,45,116,157],"patched":[7],"quickly":[8],"to":[9,24,67,92,111],"reduce":[10],"the":[11,82],"time":[12],"which":[14],"they":[15],"can":[16,99],"exploited.":[18],"There":[19],"are":[20,109],"many":[21],"automated":[22],"approaches":[23],"assist":[25],"developers":[26],"detecting":[28],"vulnerabilities,":[29,149],"most":[30],"notably":[31],"Static":[32],"Application":[33],"Security":[34],"Testing":[35],"(SAST)":[36],"tools.":[37],"However,":[38],"no":[39],"single":[40],"tool":[41,51,123,145],"detects":[42,146],"all":[43],"vulnerabilities":[44,54,115],"so":[46],"relying":[47],"on":[48,72,127],"any":[49],"one":[50],"may":[52],"leave":[53],"dormant":[55],"code.":[57],"In":[58],"this":[59],"study,":[60],"we":[61,130],"use":[62],"a":[63,136,153,158],"manually":[64],"curated":[65],"dataset":[66],"evaluate":[68],"four":[69,97],"SAST":[70,107,139],"tools":[71,88,98,108],"production":[73],"with":[75],"known":[76],"vulnerabilities.":[77,103],"Our":[78,141],"results":[79],"show":[80],"that":[81],"vulnerability":[83],"detection":[84,163],"rates":[85],"of":[86,102,114,148,155],"individual":[87],"range":[89],"from":[90,122],"11.2%":[91],"26.5%,":[93],"but":[94],"combining":[95],"these":[96],"detect":[100,112],"38.8%":[101],"We":[104],"investigate":[105],"why":[106],"unable":[110],"61.2%":[113],"identify":[117],"missing":[118],"vulnerable":[119],"patterns":[121],"rule":[124],"sets.":[125],"Based":[126],"our":[128],"findings,":[129],"create":[131],"new":[132],"rules":[133],"for":[134],"Semgrep,":[135],"popular":[137],"configurable":[138],"tool.":[140],"newly":[142],"configured":[143],"Semgrep":[144],"44.7%":[147],"more":[150],"than":[151],"using":[152],"combination":[154],"tools,":[156],"181%":[159],"improvement":[160],"Semgrep\u2019s":[162],"rate.":[164]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":11},{"year":2024,"cited_by_count":3}],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2025-10-10T00:00:00"}