Static analysis tools are widely used to detect bugs, vulnerabilities, and code smells. Traditionally, developers must resolve these warnings manually. Because this process is tedious, developers sometimes ignore warnings, leading to an accumulation of warnings and a degradation of code quality. This paper presents CodeCureAgent, an approach that harnesses LLM-based agents to automatically analyze, classify, and repair static analysis warnings. Unlike previous work, our method does not follow a predetermined algorithm. Instead, we adopt an agentic framework that iteratively invokes tools to gather additional information from the codebase (e.g., via code search) and edit the codebase to resolve the warning. CodeCureAgent detects and suppresses false positives, while fixing true positives when identified. We equip CodeCureAgent with a three-step heuristic to approve patches: (1) build the project, (2) verify that the warning disappears without introducing new warnings, and (3) run the test suite. We evaluate CodeCureAgent on a dataset of 1,000 SonarQube warnings found in 106 Java projects and covering 291 distinct rules. Our approach produces plausible fixes for 96.8% of the warnings, outperforming state-of-the-art baseline approaches by 29.2%-34.0% in plausible-fix rate. Manual inspection of 291 cases reveals a correct-fix rate of 86.3%, showing that CodeCureAgent can reliably repair static analysis warnings. The approach incurs LLM costs of about 2.9 cents (USD) and an end-to-end processing time of about four minutes per warning. We envision CodeCureAgent helping to clean existing codebases and being integrated into CI/CD pipelines to prevent the accumulation of static analysis warnings.
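The three-step patch-approval heuristic (build, warning gone without new warnings, tests pass) as an added Python example, not CodeCureAgent's own code. It assumes hypothetical injected build/analyze/test callables and SonarQube-style warning dicts, and shows why warning identity must ignore line numbers so that findings merely shifted by the edit are not counted as newly introduced.

```python
# Patch-approval gate modelled on the three-step heuristic (build, warning gone
# without new ones, tests pass). Added example, not the paper's code; build/analyze/
# test are injected callables and warnings are SonarQube-style dicts (assumptions).
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line: int
    message: str

    def key(self):
        # A patch shifts line numbers, so identity deliberately ignores the line.
        return (self.rule, self.file, self.message)

def parse_report(report):
    return [Finding(r["rule"], r["file"], int(r["line"]), r["message"]) for r in report]

def warning_delta(before, after, target):
    """Step 2: is the target gone, and which findings are new relative to 'before'?"""
    before_keys = {f.key() for f in before}
    after_keys = {f.key() for f in after}
    return target.key() not in after_keys, sorted(after_keys - before_keys)

def approve_patch(build, analyze, run_tests, before, target):
    """Run the three gates in order and stop at the first failure."""
    if not build():                                          # step 1
        return False, "build failed"
    gone, new = warning_delta(before, analyze(), target)     # step 2
    if not gone:
        return False, "target warning still reported"
    if new:
        return False, f"patch introduced {len(new)} new warning(s): {new}"
    if not run_tests():                                      # step 3
        return False, "test suite failed"
    return True, "approved"

# Constructed sample reports (not from the paper's dataset).
BEFORE = parse_report([
    {"rule": "java:S1481", "file": "src/Foo.java", "line": 12,
     "message": 'Remove this unused "tmp" local variable.'},
    {"rule": "java:S1118", "file": "src/Util.java", "line": 3,
     "message": "Add a private constructor to hide the implicit public one."}])
TARGET = BEFORE[0]
# Good patch: the unused variable is gone; the unrelated finding only shifted lines.
AFTER_GOOD = [Finding("java:S1118", "src/Util.java", 4, BEFORE[1].message)]
# Bad patch: target gone, but the edit introduced a new finding in the same file.
AFTER_BAD = AFTER_GOOD + [Finding("java:S1172", "src/Foo.java", 9,
                                  'Remove this unused method parameter "x".')]
```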