Embodiments of the present invention relate to software testing and in particular static code analysis.
In static code analysis, a software application is tested without actually executing the application. The software application is typically tested by processing and analyzing the source code of the application prior to compiling the code. The entire source code of the application, or only portions of the source code, may be analyzed. The source code may be analyzed to identify vulnerabilities in the application, where vulnerabilities may include bugs, security breaches, violations of programming conventions, etc.
It is becoming increasingly common for software developers to generate (and typically release to the public) updates to software applications after the initial release of the application. Although the source code of the initially released application may be tested for vulnerabilities, it is often desirable to test the updated software application for vulnerabilities as well. The updated software application typically has much source code in common with the initial release of the application. Accordingly, when potential vulnerabilities are not addressed in the initial release, they are identified during a test of not only the initial release but also the updated release of the software application. In some situations, such as when a potential vulnerability is not a real vulnerability, this redundant identification of potential vulnerabilities is problematic, as it creates additional burden on the tester reviewing the identified potential vulnerabilities.
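The redundant-identification problem described above is usually handled by comparing the findings of the updated release against a triaged baseline of the initial release. The following Python example is an added illustration, not code from this application: it fingerprints each finding by rule id, file path and a whitespace-normalized copy of the flagged source line (ignoring the line number, which shifts whenever code above it is edited), then classifies the update's findings as new, known-and-still-open, or suppressed because a reviewer already marked the same finding as a false positive. The finding lists, rule ids and file paths are constructed sample data; the fingerprint scheme is an assumption made for the illustration.

```python
"""Suppress re-reported static-analysis findings across releases.

Added illustration (not code from the patent application): two constructed
finding lists (release 1.0 and 1.1) are compared by a stable fingerprint so
that a finding already triaged as a false positive in 1.0 is not re-queued
for review in 1.1, even though other findings moved to different lines.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # analyzer rule id, e.g. "SQLI-001" (constructed)
    path: str      # file in which the pattern was found
    line: int      # line number in that release's source
    snippet: str   # the flagged source line


def fingerprint(f: Finding) -> str:
    # The fingerprint deliberately omits the line number and collapses
    # whitespace so that edits elsewhere in the file, or reformatting of the
    # flagged line, do not turn an old finding into a "new" one.
    # Assumption: rule id + path + normalized snippet is stable enough
    # across releases for this illustration.
    norm = re.sub(r"\s+", " ", f.snippet).strip()
    digest = hashlib.sha256(f"{f.rule}|{f.path}|{norm}".encode()).hexdigest()
    return digest[:16]


def triage_update(baseline, triaged_false_positives, update):
    """Return (new, known_open, suppressed) for the findings in `update`.

    baseline: findings reported on the initial release
    triaged_false_positives: fingerprints a reviewer marked as not real
    update: findings reported on the updated release
    """
    base_fps = {fingerprint(f) for f in baseline}
    new, known_open, suppressed = [], [], []
    for f in update:
        fp = fingerprint(f)
        if fp in triaged_false_positives:
            suppressed.append(f)       # already reviewed: do not re-queue
        elif fp in base_fps:
            known_open.append(f)       # reported before, still unresolved
        else:
            new.append(f)              # genuinely new to this release
    return new, known_open, suppressed


# Constructed sample findings for the initial release.
RELEASE_1_0 = [
    Finding("SQLI-001", "app/db.py", 42,
            'cur.execute("SELECT * FROM t WHERE id=" + uid)'),
    Finding("HARDCODED-SECRET", "app/config.py", 7,
            'API_KEY = "example-not-a-real-key"'),
]

# Constructed findings for the update: a header added to db.py shifted the
# SQL finding down ten lines and it was reformatted; the config finding
# (a sample value, reviewed as a false positive) is unchanged; one finding
# is new.
RELEASE_1_1 = [
    Finding("SQLI-001", "app/db.py", 52,
            'cur.execute("SELECT * FROM t WHERE id="  +  uid)'),
    Finding("HARDCODED-SECRET", "app/config.py", 7,
            'API_KEY = "example-not-a-real-key"'),
    Finding("PATH-TRAVERSAL", "app/files.py", 19,
            'open(os.path.join(BASE, user_path))'),
]

# Reviewer decision recorded against release 1.0.
FALSE_POSITIVES = {fingerprint(RELEASE_1_0[1])}


if __name__ == "__main__":
    new, known, supp = triage_update(RELEASE_1_0, FALSE_POSITIVES, RELEASE_1_1)
    print("new for review:      ", [f.rule for f in new])
    print("known, still open:   ", [f.rule for f in known])
    print("suppressed (triaged):", [f.rule for f in supp])
```

Only the new finding and the still-open one reach the reviewer; the previously dismissed one is filtered out even though the surrounding code changed. The weak point of any such scheme is the fingerprint: too loose (rule id only) and distinct issues collapse together, too strict (including the line number) and every edit above a finding resurrects it for review.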