Our publication accepted in 2025 at the ACM Transactions on Software Engineering and Methodology (TOSEM) concerns the prioritization of issues identified by code-based analyzers. These often find too many potentially security-related issues to address them all. Thus, issues likely to lead to vulnerabilities should be fixed first. Prioritization requires project-specific knowledge, such as quality requirements, security-related decisions, and design, which is not accessible to code analyzers. We present TraceSEC, an automated technique for prioritizing issues according to their security-related importance to the project. Its core concept is to incorporate available design artifacts and the trace links between them, thereby considering the project context that the code alone lacks. We reduce issue prioritization to a maximum flow problem and quantify the importance of each issue by the flow from user-defined quality aspects to the issue, i.e., its impact on project-specific security preferences. Our evaluation shows that TraceSEC effectively provides automated prioritization and can be tailored to project-specific quality goals. Its prioritization correlates more strongly with manual expert prioritization than SonarQube rule severities do, and it scales reasonably well for codebases of up to 4 M lines of code.
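As an added illustration of the maximum-flow idea (this is not the paper's code; the trace graph, its capacities and the issue identifiers are constructed assumptions, not TraceSEC's actual model), the snippet below scores each analyzer issue by the max flow from a super-source over user-weighted quality aspects, through trace links to design artifacts and code, down to the issue, and ranks issues by that flow:

```python
from collections import deque, defaultdict

# Constructed trace graph, an assumption for illustration and not TraceSEC's real model:
# a super-source feeds each user-defined quality aspect with its priority as capacity;
# trace links from design artifacts to code to analyzer issues carry assumed weights.
SOURCE = "QUALITY"
TRACE_GRAPH = {
    SOURCE: {"Confidentiality": 3, "Integrity": 2},  # quality aspect priorities
    "Confidentiality": {"AuthService": 2, "PaymentModule": 1},  # aspect -> design
    "Integrity": {"PaymentModule": 2},
    "AuthService": {"login.py": 2},  # design artifact -> code
    "PaymentModule": {"pay.py": 3},
    "login.py": {"I1": 2},  # code -> analyzer issue
    "pay.py": {"I2": 3, "I3": 1},
    "util.py": {"I4": 1},  # no design artifact traces here: no project context
}
ISSUES = ["I1", "I2", "I3", "I4"]

def max_flow(cap, source, sink):
    """Edmonds-Karp max flow on a dict-of-dicts capacity graph."""
    res = defaultdict(lambda: defaultdict(int))  # residual capacities
    for u, nbrs in cap.items():
        for v, c in nbrs.items():
            res[u][v] += c
            res[v][u] += 0  # make sure the reverse edge exists
    flow = 0
    while True:
        parent, queue = {source: None}, deque([source])
        while queue and sink not in parent:  # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, c in res[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow
        path, v = [], sink  # edges of the augmenting path, collected backwards
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= bottleneck
            res[v][u] += bottleneck
        flow += bottleneck

def prioritize(graph, source, issues):
    """Rank issues by max flow from the quality aspects; higher flow is fixed first."""
    scores = {issue: max_flow(graph, source, issue) for issue in issues}
    return sorted(scores.items(), key=lambda kv: -kv[1])
```

An issue in code that no design artifact traces to (I4 here) receives zero flow, which is exactly the missing project context the abstract refers to.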
Peldszus et al. studied this question.