Recently, the code hosting site GitHub widely deployed a tool called CodeQL with rather aggressive settings. It does static analysis on the code and attempts to flag problems. I use the phrase "static analysis" to refer to an analysis that does not run the code. Static analysis is limited: it can