Quantification and Comparison of the Energy Impact of Static Analysis Security Tools in Continuous Integration in Large-Scale Projects

Bachelor Thesis (2026)
Author(s)

R. Petouris Rodriguez de Paterna (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

C.E. Brandt – Mentor (TU Delft - Software Engineering)

X. Liu – Mentor (TU Delft - Software Engineering)

B.P. Ahrens – Graduation committee member (TU Delft - Programming Languages)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2026
Language
English
Graduation Date
29-01-2026
Awarding Institution
Delft University of Technology
Project
CSE3000 Research Project
Programme
Computer Science and Engineering
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Within the context of Continuous Integration, pipeline checks must run fully and continuously. Some of these checks are performed by Static Analysis Security Tools (SAST). However, they are costly, with a significant, non-negligible environmental impact. In this report, one of the most widely used SAST tools (SpotBugs with the Find Security Bugs plugin) is analyzed, and its average consumption costs are calculated. Additionally, optimizations are explored that would reduce overhead and, thus, environmental impact. It was found that the three SpotBugs configurations analyzed (Default, High Effort, Low Threshold) increase consumption rates only in specific situations: very large projects built with Gradle under the High Effort configuration (exhaustive; an increase in cost of over 7%), and small to medium-sized projects built with Maven under the Low Threshold configuration (which reports low-priority issues; an increase in cost of 1%). This means that for small to large Gradle projects, and for large to very large Maven projects, exhaustive methods are recommended, since the trade-off between energy cost and higher efficiency is negligible. Additionally, it was found that for similarly sized projects running SpotBugs+FSB, Maven consumes over 100 times as much energy as equivalent Gradle projects.
