CodeCureAgent: Automatic Classification and Repair of Static Analysis Warnings

Pascal Joos, Islem Bouzenia, Michael Pradel

TL;DR

CodeCureAgent addresses the manual burden of static analysis warnings by introducing an autonomous LLM-based agent that first classifies warnings as true positives or false positives and then either repairs the warning or suppresses it. The system uses an agentic loop with a repair and a classification sub-agent, plus a change approver that validates builds, warning removal, and test success before accepting changes. Evaluated on 1000 SonarQube warnings from 106 Java projects, it achieves 96.8% plausible fixes and 86.3% correct fixes, outperforming Sorald and CORE while incurring modest per-warning costs and a few minutes of processing time. The approach enables scalable, end-to-end automatic repair of static analysis warnings and is suitable for CI/CD integration to prevent warning accumulation while maintaining code quality.

Abstract

Static analysis tools are widely used to detect bugs, vulnerabilities, and code smells. Traditionally, developers must resolve these warnings manually. Because this process is tedious, developers sometimes ignore warnings, leading to an accumulation of warnings and a degradation of code quality. This paper presents CodeCureAgent, an approach that harnesses LLM-based agents to automatically analyze, classify, and repair static analysis warnings. Unlike previous work, our method does not follow a predetermined algorithm. Instead, we adopt an agentic framework that iteratively invokes tools to gather additional information from the codebase (e.g., via code search) and edit the codebase to resolve the warning. CodeCureAgent detects and suppresses false positives, while fixing true positives when identified. We equip CodeCureAgent with a three-step heuristic to approve patches: (1) build the project, (2) verify that the warning disappears without introducing new warnings, and (3) run the test suite. We evaluate CodeCureAgent on a dataset of 1,000 SonarQube warnings found in 106 Java projects and covering 291 distinct rules. Our approach produces plausible fixes for 96.8% of the warnings, outperforming state-of-the-art baseline approaches by 30.7% and 29.2% in plausible-fix rate, respectively. Manual inspection of 291 cases reveals a correct-fix rate of 86.3%, showing that CodeCureAgent can reliably repair static analysis warnings. The approach incurs LLM costs of about 2.9 cents (USD) and an end-to-end processing time of about four minutes per warning. We envision CodeCureAgent helping to clean existing codebases and being integrated into CI/CD pipelines to prevent the accumulation of static analysis warnings.
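The three-step patch-approval heuristic described above, as an added Python illustration that is not the paper's own code: warnings are compared as multisets before and after a patch, and the build and test outcomes are passed in as callables. The rule keys, file names and messages are constructed SonarQube-style sample values, and ignoring line numbers when matching warnings is an assumption of this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple

@dataclass(frozen=True)
class Warning:
    rule: str      # constructed SonarQube-style rule key, e.g. "java:S1481"
    file: str
    line: int
    message: str

    def key(self) -> Tuple[str, str, str]:
        # Line numbers are dropped on purpose: a patch shifts code, and a shifted
        # line must not be mistaken for a new warning (assumption of this example).
        return (self.rule, self.file, self.message)

def approve_change(target: Warning, before: Iterable[Warning], after: Iterable[Warning],
                   build_ok: Callable[[], bool], tests_ok: Callable[[], bool]) -> Tuple[bool, str]:
    """Three-step approval: build, target warning gone without new ones, tests pass."""
    if not build_ok():                       # step 1: the patched project must compile
        return False, "build failed"
    before_counts = Counter(w.key() for w in before)
    after_counts = Counter(w.key() for w in after)
    if after_counts[target.key()] >= before_counts[target.key()]:   # step 2a: target gone?
        return False, "target warning still reported"
    introduced = after_counts - before_counts                      # step 2b: multiset difference
    if introduced:
        rules = sorted({rule for rule, _, _ in introduced})
        return False, "patch introduced new warning(s): " + ", ".join(rules)
    if not tests_ok():                       # step 3: the test suite must still pass
        return False, "tests failed"
    return True, "approved"

# Constructed scenario: an unused local variable (target) plus an unrelated pre-existing warning.
TARGET = Warning("java:S1481", "src/Foo.java", 12, "Remove this unused 'tmp' local variable.")
OTHER = Warning("java:S1192", "src/Bar.java", 40, "Define a constant instead of duplicating this literal.")
BEFORE = [TARGET, OTHER]

def clean_fix() -> Tuple[bool, str]:
    # Patch deletes the variable; the unrelated warning moves by two lines but is the same finding.
    after = [Warning("java:S1192", "src/Bar.java", 38, OTHER.message)]
    return approve_change(TARGET, BEFORE, after, lambda: True, lambda: True)

def fix_with_side_effect() -> Tuple[bool, str]:
    # Patch silences the target but leaves an unused import behind, which the analyzer flags anew.
    after = [OTHER, Warning("java:S1128", "src/Foo.java", 3, "Remove this unused import 'java.util.List'.")]
    return approve_change(TARGET, BEFORE, after, lambda: True, lambda: True)
def no_op_patch() -> Tuple[bool, str]:
    return approve_change(TARGET, BEFORE, BEFORE, lambda: True, lambda: True)
```

A real change approver would obtain the before/after lists by re-running the analyzer on the patched checkout; here they are constructed so the three outcomes can be inspected offline.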

Paper Structure

This paper contains 47 sections, 3 figures, 6 tables.

Figures (3)

  • Figure 1: Overview of CodeCureAgent.
  • Figure 2: CodeCureAgent time and monetary cost distribution between fixed and unfixed warnings.
  • Figure 3: Absolute number of tool calls, comparing between fixed and unfixed warnings.