This repository contains the complete replication package for a comparative study of static analysis tools detecting cryptographic API misuse in Go projects.
Tools compared: CodeQL, Gosec, Gopher, Snyk
Dataset: 329 open-source Go projects analyzed for crypto API misuse patterns
Included in this package:
- 📊 Complete analysis results (`results/` directory)
  - 14 rule-specific Venn diagrams + overall tool consensus
  - Rule-level metrics and sampling data
- 🔬 Raw tool outputs (`raw_results/`, 206MB, 329 projects)
- 🐍 Python analysis code (`src/tool_consensus/`)
- 🐳 Docker composition tooling for running experiments
- 📝 Experiment orchestration scripts
Generate Docker Compose files for running experiments.

Setup:
- Install Go and run `go mod download`
- Add to `internal/docker/.env`: `BASE_DIR=/absolute/path/to/go-cryptoapi`

Usage:
```sh
go run cmd/compose/main.go -tools <toolname> -verbose <datasetpath>
```

Setup tools:
- CodeQL: Clone into `internal/tool/codeql-home` (instructions)
- Snyk: Download the binary to `internal/tool/snyk` (instructions) and add `SNYK_TOKEN=<your token>` to `internal/docker/.env`
- Gopher/Gosec: Included

Run:
```sh
./run_experiments_batches.sh <dataset> <compose_dir> <batch_size> <parallel_batches> <tools>
```

Analyze tool consensus and generate Venn diagrams from results.
Setup:
```sh
pip install -r src/requirements.txt
```

Run:
```sh
uv run analyze-results raw_results --output-dir ./analysis_output
```

Output: Venn diagrams, metrics, and sampled findings in `analysis_output/`.

Analysis results are already included in the `results/` directory:
- `venn_diagrams/` - Visual tool overlap analysis
- `rule_analysis/` - Per-rule metrics and findings
```
.
├── cmd/           # Compose file generator
├── data/          # Dataset metadata
├── internal/      # Tool configurations and Docker setup
├── scripts/       # Experiment orchestration
├── src/           # Python analysis code
├── raw_results/   # Tool outputs (329 projects)
└── results/       # Pre-computed analysis
```
If you use this replication package, please cite:
[Add your paper citation here]
MIT License - See LICENSE file for details