Automated Code Repair for C/C++ Static Analysis

Technical Report
This engineering experience paper details the application of design, development, and performance testing to an automated program repair tool we built that repairs C/C++ code.
Publisher
Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2025-TR-007
DOI (Digital Object Identifier)
10.1184/R1/29905805

Abstract

Static analysis (SA) tools produce many diagnostic alerts indicating that source code in C or C++ may be defective and potentially vulnerable to security exploits. Many of these alerts are false positives. Identifying the true-positive alerts and repairing the defects in the associated code are huge efforts; automated program repair (APR) tools can help. Our experience showed us that APR can reduce the number of SA alerts significantly and reduce the manual effort of analysts to review code. This engineering experience paper details the application of design, development, and performance testing to an APR tool we built that repairs C/C++ code. Its repairs are simple and local. Furthermore, our findings convinced the maintainers of the CERT Coding Standards to re-assess and update the metrics used to assess when violations of guidelines are detectable or repairable. We discuss engineering design choices made to support goals of trustworthiness and acceptability to developers.

Cite This Technical Report

Svoboda, D., Flynn, L., Klieber, W., Duggan, M., Reimer, N., & Sible, J. (2025, September 29). Automated Code Repair for C/C++ Static Analysis. (Technical Report CMU/SEI-2025-TR-007). Retrieved November 10, 2025, from https://doi.org/10.1184/R1/29905805.

@techreport{svoboda_2025,
author={Svoboda, David and Flynn, Lori and Klieber, William and Duggan, Michael and Reimer, Nicholas and Sible, Joe},
title={Automated Code Repair for C/C++ Static Analysis},
month={Sep},
year={2025},
number={CMU/SEI-2025-TR-007},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/29905805},
note={Accessed: 2025-Nov-10}
}

Svoboda, David, Lori Flynn, William Klieber, Michael Duggan, Nicholas Reimer, and Joe Sible. "Automated Code Repair for C/C++ Static Analysis." (CMU/SEI-2025-TR-007). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, September 29, 2025. https://doi.org/10.1184/R1/29905805.

D. Svoboda, L. Flynn, W. Klieber, M. Duggan, N. Reimer, and J. Sible, "Automated Code Repair for C/C++ Static Analysis," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2025-TR-007, 29-Sep-2025 [Online]. Available: https://doi.org/10.1184/R1/29905805. [Accessed: 10-Nov-2025].

Svoboda, David, Lori Flynn, William Klieber, Michael Duggan, Nicholas Reimer, and Joe Sible. "Automated Code Repair for C/C++ Static Analysis." (Technical Report CMU/SEI-2025-TR-007). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 29 Sep. 2025. https://doi.org/10.1184/R1/29905805. Accessed 10 Nov. 2025.

Svoboda, David; Flynn, Lori; Klieber, William; Duggan, Michael; Reimer, Nicholas; & Sible, Joe. Automated Code Repair for C/C++ Static Analysis. CMU/SEI-2025-TR-007. Software Engineering Institute. 2025. https://doi.org/10.1184/R1/29905805