DTP Violations Explorer provides machine-learning-based recommendations to help developers assess and triage violations.

The Recommend Violations to Fix feature recommends whether a violation should be fixed, based on historical data about whether similar violations were fixed or suppressed. The recommendation is expressed as a fix percentage: a high percentage (for example, 80% or more) indicates that similar violations have usually been fixed in the past, while a low percentage (for example, less than 20%) indicates that similar violations have usually been suppressed.

The Recommend Assignees feature recommends who should work on the violations based on who has worked on violations in the past.

The CVE Match is a measure (between 0% and 100%) that quantifies the similarity between the source code of the method containing the violation and source code with known security vulnerabilities. The higher the value, the more likely it is that the method containing the violation contains a security vulnerability. Because it is a similarity measure rather than a confirmed match against a specific CVE, a high value is a prompt to review the method, not proof that it is vulnerable.
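The three signals above are meant to be combined during triage, and the order in which you consume them matters: a violation whose history says "suppress" can still sit in code that resembles a known vulnerability. The following is an added illustration (not DTP code and not DTP's ranking logic) of a triage helper that uses the 80%/20% fix-percentage thresholds quoted above and an assumed CVE Match cut-off of 70% (the page gives no cut-off for CVE Match). The `Violation` dataclass, the sample records and the bucket names are constructed for the example; the page does not define how recommendation values are exported from DTP.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds for the fix recommendation as quoted on the page (80% / 20%).
HIGH_FIX = 80.0
LOW_FIX = 20.0
# Assumed cut-off for treating a CVE Match value as security-relevant;
# the page states no threshold for this measure, so tune it for your project.
CVE_MATCH_ALERT = 70.0


@dataclass
class Violation:
    """Constructed record holding the recommendation values for one violation."""
    id: str
    rule: str
    fix_percent: Optional[float]     # Recommend Violations to Fix; None = no recommendation
    cve_match: Optional[float]       # CVE Match, 0-100; None = not available
    suggested_assignee: Optional[str] = None   # Recommend Assignees


def _valid_percent(value: Optional[float]) -> bool:
    """Both measures are percentages; reject missing or out-of-range values."""
    return value is not None and 0.0 <= value <= 100.0


def bucket(v: Violation) -> str:
    """Map one violation's recommendation values to a triage bucket.

    CVE Match is checked first on purpose: code that resembles known-vulnerable
    code gets a human look even when history says similar findings were suppressed.
    """
    if _valid_percent(v.cve_match) and v.cve_match >= CVE_MATCH_ALERT:
        return "security-review"
    if not _valid_percent(v.fix_percent):
        return "no-recommendation"   # e.g. model not yet trained; triage manually
    if v.fix_percent >= HIGH_FIX:
        return "likely-fix"
    if v.fix_percent < LOW_FIX:
        return "likely-suppress"
    return "review"


# Lower number = handled earlier in the queue.
BUCKET_ORDER = {
    "security-review": 0,
    "likely-fix": 1,
    "review": 2,
    "no-recommendation": 3,
    "likely-suppress": 4,
}


def triage(violations: List[Violation]) -> List[Tuple[str, Violation]]:
    """Return (bucket, violation) pairs, most urgent first.

    Within a bucket, higher CVE Match wins, then higher fix percentage,
    then the violation id for a stable order.
    """
    def sort_key(v: Violation):
        cve = v.cve_match if _valid_percent(v.cve_match) else -1.0
        fix = v.fix_percent if _valid_percent(v.fix_percent) else -1.0
        return (BUCKET_ORDER[bucket(v)], -cve, -fix, v.id)

    return [(bucket(v), v) for v in sorted(violations, key=sort_key)]


# Constructed sample input; the values are illustrative, not real DTP output.
SAMPLE = [
    Violation("V-1", "BD.SECURITY.TDSQL", fix_percent=92.0, cve_match=10.0, suggested_assignee="alice"),
    Violation("V-2", "BD.SECURITY.TDCMD", fix_percent=12.0, cve_match=85.0, suggested_assignee="bob"),
    Violation("V-3", "CODSTA.CPP.FORMAT", fix_percent=15.0, cve_match=5.0),
    Violation("V-4", "BD.PB.NP", fix_percent=55.0, cve_match=None, suggested_assignee="alice"),
    Violation("V-5", "OPT.CPP.INLINE", fix_percent=None, cve_match=120.0),  # out-of-range value is ignored
]


def triage_ids(violations: List[Violation]) -> List[str]:
    """Convenience view of the queue order, used by the usage example below."""
    return [v.id for _, v in triage(violations)]


if __name__ == "__main__":
    for b, v in triage(SAMPLE):
        who = v.suggested_assignee or "unassigned"
        print(f"{b:17} {v.id:5} {v.rule:20} fix={v.fix_percent} cve={v.cve_match} -> {who}")
```

Note that V-2 lands in `security-review` ahead of everything else even though its fix percentage alone would have put it in `likely-suppress`; that is the caveat the helper exists to enforce. V-5 ends up in `no-recommendation` because its CVE Match value is outside the 0-100 range the measure is defined on, so the helper treats it as unavailable rather than trusting it.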

Required Permissions

To use the machine learning features, you must have either the prioritizeOwner or prioritizeAll permission. These permissions are typically granted to administrators as well as to team leaders and team members of a project. Refer to Team Membership for information about team and leader permissions.

prioritizeOwner (typically granted to team members) allows users to get recommendations.

prioritizeAll (typically granted to team leaders and administrators) allows users to train the models (Recommend Violations to Fix and Recommend Assignees).

Optional: Advanced Metadata

The Recommend Violations to Fix and Recommend Assignees features analyze code analysis reports using a set of criteria to determine which actions should be taken. You can also configure the code analysis tools to include additional metadata in their reports, which enables advanced analysis. The additional metadata broadens the set of features used to recommend actions, resulting in more accurate recommendations.

Advanced metadata is enabled in the test configuration. If you manage test configurations in DTP, you can enable the option in the test configurations editor (also see Configuring Test Configurations):

  1. Choose Test Configurations from the DTP settings (gear icon) menu.
  2. Choose a test configuration from the sidebar menu and click on the Static Analysis Settings tab.
  3. Enable Send advanced metadata to DTP for machine learning and click Save.

You can also use the test configuration editor shipped with the tool to enable the advanced metadata option for local code analysis. Refer to your tool's documentation for details.
