Sound Static Program Analysis in Modern Software Engineering (Dagstuhl Seminar 25421)

Abstract

This report documents the program and the outcomes of Dagstuhl Seminar 25421 "Sound Static Program Analysis in Modern Software Engineering".
Sound Static Program Analysis (SSPA) has historically been effective in proving the absence of runtime errors and security vulnerabilities, notably in safety-critical embedded software. However, it has seen limited adoption in desktop applications until its revival for Web application security (e.g., to prove the absence of SQL injection vulnerabilities). Modern software development, characterized by architectures like microservices, serverless computing, and the increasing use of scripting languages, presents challenges to SSPA due to the integration of multiple languages and complex semantics, while also posing new problems related to soundness, precision, and scalability stemming from the machine learning revolution in code development. Despite these new opportunities for SSPA to offer structured feedback and address serious flaws often overlooked by the shallow analyses currently favored by the industry, there has not been a significant resurgence in its industrial application. This Dagstuhl Seminar aimed to bridge the SSPA and software engineering communities to extend existing theories to these new trends, foster integration with modern practices like DevOps, and discuss the formal methods challenges arising from contemporary software architectures.