CodeCureAgent: Automatic Classification and Repair of Static Analysis Warnings
arXiv:2509.11787v4
Abstract: Static analysis tools are widely used to detect bugs, vulnerabilities, and code smells. Traditionally, developers must resolve these warnings manually. Because this process is tedious, developers sometimes ignore warnings, leading to an accumulation of warnings and a degradation of code quality. This paper presents CodeCureAgent, an approach that harnesses LLM-based agents to automatically analyze, classify, and repair static analysis warnings. Unlike previous work, our method does not follow a predetermined algorithm. Instead, we adopt an agentic framework that iteratively invokes tools to gather additional information from the codebase (e.g., via code search) and edit the codebase to resolve the warning. CodeCureAgent detects and suppresses false positives, while fixing true positives when identified. We equip CodeCureAgent with a three-step heuristic to approve patches: (1) build the project, (2) verify that the warning disappears without introducing new warnings, and (3) run the test suite. We evaluate CodeCureAgent on a dataset of 1,000 SonarQube warnings found in 106 Java projects and covering 291 distinct rules. Our approach produces plausible fixes for 96.8% of the warnings, outperforming state-of-the-art baseline approaches by 29.2%-34.0% in plausible-fix rate. Manual inspection of 291 cases reveals a correct-fix rate of 86.3%, showing that CodeCureAgent can reliably repair static analysis warnings. The approach incurs LLM costs of about 2.9 cents (USD) and an end-to-end processing time of about four minutes per warning. We envision CodeCureAgent helping to clean existing codebases and being integrated into CI/CD pipelines to prevent the accumulation of static analysis warnings.
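The three-step patch-approval heuristic from the abstract (build, warning diff, test suite), written out as an added illustration; this is not CodeCureAgent's code. The warning records, rule messages and the (rule, file, message) identity used to match findings across an edit are assumptions; the build, analysis and test steps are passed in as callables so the gate can be run against any project.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class Warning:
    """One static-analysis finding (constructed, SonarQube-style fields)."""
    rule: str      # rule key, e.g. "java:S2095"
    file: str      # path within the project
    message: str   # rule message text
    line: int      # NOT part of identity: an edit shifts line numbers

def warning_key(w: Warning) -> tuple:
    # Assumption: (rule, file, message) is stable across a small edit;
    # line numbers are not, so they are excluded on purpose.
    return (w.rule, w.file, w.message)

def check_warnings(target: Warning, before: Iterable[Warning],
                   after: Iterable[Warning]) -> tuple[bool, list]:
    """Step 2: the target must be gone AND no warning absent before may appear."""
    before_keys = {warning_key(w) for w in before}
    after_keys = {warning_key(w) for w in after}
    new = sorted(after_keys - before_keys)
    return warning_key(target) not in after_keys and not new, new

def approve_patch(build: Callable[[], bool],
                  analyze: Callable[[], list],
                  run_tests: Callable[[], bool],
                  target: Warning, before: list) -> str:
    """Run the three steps in order, stopping at the first failure so the
    expensive test suite only runs for patches that build and pass step 2."""
    if not build():
        return "rejected: build failed"
    after = analyze()
    ok, new = check_warnings(target, before, after)
    if not ok:
        if warning_key(target) in {warning_key(w) for w in after}:
            return "rejected: target warning still present"
        return f"rejected: new warnings introduced: {new}"
    if not run_tests():
        return "rejected: test suite failed"
    return "approved"

# Constructed sample findings (messages are assumed, not real tool output).
BEFORE = [Warning("java:S2095", "src/Foo.java", "Use try-with-resources or close this stream.", 42),
          Warning("java:S1118", "src/Util.java", "Add a private constructor to hide the implicit public one.", 7)]
TARGET = BEFORE[0]
AFTER_GOOD = [Warning("java:S1118", "src/Util.java", "Add a private constructor to hide the implicit public one.", 7)]
AFTER_BAD = AFTER_GOOD + [Warning("java:S1481", "src/Foo.java", "Remove this unused 'reader' local variable.", 45)]
```

Excluding line numbers from the identity is what stops a patch that merely shifts code from being counted as "new warnings"; the trade-off is that two identical messages for the same rule in one file collapse into one key.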
Subjects: Software Engineering (cs.SE); Multiagent Systems (cs.MA)
Cite as: arXiv:2509.11787 [cs.SE]
(or arXiv:2509.11787v4 [cs.SE] for this version)
https://doi.org/10.48550/arXiv.2509.11787
arXiv-issued DOI via DataCite
Submission history
From: Pascal Joos
[v1] Mon, 15 Sep 2025 11:16:04 UTC (1,032 KB)
[v2] Wed, 8 Oct 2025 14:40:12 UTC (1,032 KB)
[v3] Wed, 25 Feb 2026 12:42:03 UTC (1,038 KB)
[v4] Wed, 1 Apr 2026 15:51:14 UTC (1,038 KB)