Software libraries ease development tasks by allowing client developers to reuse code written by third parties. To perform a specific task, there is usually a large number of libraries that offer the desired functionality. Unfortunately, selecting the appropriate library to use is not straightforward since developers are often unaware of the advantages and disadvantages of each library, and may also care about different characteristics in different situations. In this paper, we introduce the idea of using software metrics to help developers choose the libraries most suited to their needs. We propose creating library comparisons based on several metrics extracted from multiple sources such as software repositories, issue tracking systems, and Q&A websites. By consolidating all of this information in a single website, we enable developers to make informed decisions by comparing metric data belonging to libraries from several domains. Additionally, we will use this website to survey developers about which metrics are the most valuable to them, helping us answer the broader question of what determines library quality. In this short paper, we describe the metrics we propose in our work and present preliminary results, as well as faced challenges.
{"title":"Which Library Should I Use?: A Metric-Based Comparison of Software Libraries","authors":"Fernando López de la Mora, Sarah Nadi","doi":"10.1145/3183399.3183418","DOIUrl":"https://doi.org/10.1145/3183399.3183418","url":null,"abstract":"Software libraries ease development tasks by allowing client developers to reuse code written by third parties. To perform a specific task, there is usually a large number of libraries that offer the desired functionality. Unfortunately, selecting the appropriate library to use is not straightforward since developers are often unaware of the advantages and disadvantages of each library, and may also care about different characteristics in different situations. In this paper, we introduce the idea of using software metrics to help developers choose the libraries most suited to their needs. We propose creating library comparisons based on several metrics extracted from multiple sources such as software repositories, issue tracking systems, and Q&A websites. By consolidating all of this information in a single website, we enable developers to make informed decisions by comparing metric data belonging to libraries from several domains. Additionally, we will use this website to survey developers about which metrics are the most valuable to them, helping us answer the broader question of what determines library quality. In this short paper, we describe the metrics we propose in our work and present preliminary results, as well as faced challenges.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"32 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131753077","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a counter measure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystem-level call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.
{"title":"Software Ecosystem Call Graph for Dependency Management","authors":"J. Hejderup, A. Deursen, Georgios Gousios","doi":"10.1145/3183399.3183417","DOIUrl":"https://doi.org/10.1145/3183399.3183417","url":null,"abstract":"A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a counter measure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystem-level call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"126 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131567869","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
M. Galster, Danny Weyns, A. Tang, R. Kazman, Mehdi Mirakhorli
Empirical software engineering (SE) research is often criticized for poorly designed and reported studies, a lack of replications to build up bodies of knowledge, and little practical relevance. In this paper, we discuss issues in empirical software architecture research as an illustration of these issues in one subfield of SE and as a step towards better understanding empirical research in SE in general. Based on feedback from software architecture researchers and practitioners, we explore why, despite persistent discussions in the SE research community, there are still disagreements about why and how to conduct empirical research. Then, we explore how empirical SE research can progress beyond "one-off" studies and endless "new and exciting" results toward SE research as a mature science. This would allow us to establish foundations for evaluating existing and future empirical research and help researchers design and publish better studies.
{"title":"From Craft to Science: The Road Ahead for Empirical Software Engineering Research","authors":"M. Galster, Danny Weyns, A. Tang, R. Kazman, Mehdi Mirakhorli","doi":"10.1145/3183399.3183421","DOIUrl":"https://doi.org/10.1145/3183399.3183421","url":null,"abstract":"Empirical software engineering (SE) research is often criticized for poorly designed and reported studies, a lack of replications to build up bodies of knowledge, and little practical relevance. In this paper, we discuss issues in empirical software architecture research as an illustration of these issues in one subfield of SE and as a step towards better understanding empirical research in SE in general. Based on feedback from software architecture researchers and practitioners, we explore why, despite persistent discussions in the SE research community, there are still disagreements about why and how to conduct empirical research. Then, we explore how empirical SE research can progress beyond \"one-off\" studies and endless \"new and exciting\" results toward SE research as a mature science. This would allow us to establish foundations for evaluating existing and future empirical research and help researchers design and publish better studies.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132831846","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Developers can use lossy compression on images and many other artifacts to reduce size and improve network transfer times. Native program instructions, however, are typically not considered candi-dates for lossy compression since arbitrary losses in instructions may dramatically affect program output. In this paper we show that lossy compression of compiled native instructions is possible in certain circumstances. We demonstrate that the instructions sequence of a program can be lossily translated into a separate but equivalent program with instruction-wise differences, which still produces the same output. We contribute the novel insight that it is possible to exploit such instruction differences to design lossy compression schemes for native code. We support this idea with sound and unsound program transformations that improve performance of compression techniques such as Run-Length (RLE), Huffman and LZ77. We also show that large areas of code can endure tampered instructions with no impact on the output, a result consistent with previous works from various communities.
{"title":"Images of Code: Lossy Compression for Native Instructions","authors":"M. Rodriguez-Cancio, Jules White, B. Baudry","doi":"10.1145/3183399.3183409","DOIUrl":"https://doi.org/10.1145/3183399.3183409","url":null,"abstract":"Developers can use lossy compression on images and many other artifacts to reduce size and improve network transfer times. Native program instructions, however, are typically not considered candi-dates for lossy compression since arbitrary losses in instructions may dramatically affect program output. In this paper we show that lossy compression of compiled native instructions is possible in certain circumstances. We demonstrate that the instructions sequence of a program can be lossily translated into a separate but equivalent program with instruction-wise differences, which still produces the same output. We contribute the novel insight that it is possible to exploit such instruction differences to design lossy compression schemes for native code. We support this idea with sound and unsound program transformations that improve performance of compression techniques such as Run-Length (RLE), Huffman and LZ77. We also show that large areas of code can endure tampered instructions with no impact on the output, a result consistent with previous works from various communities.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"11 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115437188","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Yasuhiro Watanabe, H. Washizaki, Kiyoshi Honda, Y. Fukazawa, Masahiro Taga, Akira Matsuzaki, Takayoshi Suzuki
A Business-to-Business (B-to-B) software development company develops services to satisfy their customers' requirements. Developers should prioritize customer satisfaction because customers greatly influence on agile software development. However, it is possible that a B-to-B software development company has following issues: 1) failure to understand actual users because the requirements are not often derived from actual users and 2) failure to satisfy the future customers' requirements when only satisfying current customers. Although many previous works proposed methods to elicit the requirements based on actual quantitative data, these works had not considered customers and end-users simultaneously. Herein we proposed Retrospective based on Data-Driven Persona Significance (ReD2PS) to help developers to plan future releases. ReD2PS includes Persona Significance Index (PerSiI) to reflect the correspondence between target users, which developers assume based on requirements in releases, and end-users' personas. A case study involving a Japanese cloud application shows that PerSiI reflects the relationship between target users and end-users to discuss about the validity and effectiveness of ReD2PS.
{"title":"Retrospective Based on Data-Driven Persona Significance in B-to-B Software Development","authors":"Yasuhiro Watanabe, H. Washizaki, Kiyoshi Honda, Y. Fukazawa, Masahiro Taga, Akira Matsuzaki, Takayoshi Suzuki","doi":"10.1145/3183399.3183410","DOIUrl":"https://doi.org/10.1145/3183399.3183410","url":null,"abstract":"A Business-to-Business (B-to-B) software development company develops services to satisfy their customers' requirements. Developers should prioritize customer satisfaction because customers greatly influence on agile software development. However, it is possible that a B-to-B software development company has following issues: 1) failure to understand actual users because the requirements are not often derived from actual users and 2) failure to satisfy the future customers' requirements when only satisfying current customers. Although many previous works proposed methods to elicit the requirements based on actual quantitative data, these works had not considered customers and end-users simultaneously. Herein we proposed Retrospective based on Data-Driven Persona Significance (ReD2PS) to help developers to plan future releases. ReD2PS includes Persona Significance Index (PerSiI) to reflect the correspondence between target users, which developers assume based on requirements in releases, and end-users' personas. A case study involving a Japanese cloud application shows that PerSiI reflects the relationship between target users and end-users to discuss about the validity and effectiveness of ReD2PS.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129433609","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Evaluation of assurance cases typically requires certifiers' domain knowledge and experience, and, as such, most software certification has been conducted manually. Given the advancement in uncertainty theories and software traceability, we envision that these technologies can synergistically be combined and leveraged to offer some degree of automation to improve the certifiers' capability to perform software certification. To this end, we present a novel confidence calculation framework that 1) applies the Dempster-Shafer theory as a mathematical model to calculate the confidence between a parent claim and its children claims; and 2) uses the vector space model to evaluate the confidence for the evidence items using traceability information. A fragment of an assurance case (expressed in the goal-structuring notation – GSN) for the coupled tank system is used to illustrate our new framework.
{"title":"Measure Confidence of Assurance Cases in Safety-Critical Domains","authors":"Chung-Ling Lin, Wuwei Shen, S. Drager, B. Cheng","doi":"10.1145/3183399.3183419","DOIUrl":"https://doi.org/10.1145/3183399.3183419","url":null,"abstract":"Evaluation of assurance cases typically requires certifiers' domain knowledge and experience, and, as such, most software certification has been conducted manually. Given the advancement in uncertainty theories and software traceability, we envision that these technologies can synergistically be combined and leveraged to offer some degree of automation to improve the certifiers' capability to perform software certification. To this end, we present a novel confidence calculation framework that 1) applies the Dempster-Shafer theory as a mathematical model to calculate the confidence between a parent claim and its children claims; and 2) uses the vector space model to evaluate the confidence for the evidence items using traceability information. A fragment of an assurance case (expressed in the goal-structuring notation – GSN) for the coupled tank system is used to illustrate our new framework.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122415767","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Enterprise software needs to be customizable, and the customization needs from a customer are often beyond what the software vendor can predict in advance. In the on-premises era, customers do deep customizations beyond vendor's prediction by directly modifying the vendor's source code and then build and operate it on their own premises. When enterprise software is moving to cloud-based multi-tenant SaaS (Software as a Service), it is no longer possible for customers to directly modify the vendor's source code, because the same instance of code is shared by multiple customers at runtime. Therefore, the question is whether it is still possible to do deep customization on multi-tenant SaaS. In this paper, we give an answer to this question with a novel architecture style to realize deep customization of SaaS using intrusive microservices. We evaluate the approach on an open source online commercial system, and discuss the further research questions to make deep customization applicable in practice.
{"title":"Deep Customization of Multi-tenant SaaS Using Intrusive Microservices","authors":"Hui Song, Franck Chauvel, Arnor Solberg","doi":"10.1145/3183399.3183407","DOIUrl":"https://doi.org/10.1145/3183399.3183407","url":null,"abstract":"Enterprise software needs to be customizable, and the customization needs from a customer are often beyond what the software vendor can predict in advance. In the on-premises era, customers do deep customizations beyond vendor's prediction by directly modifying the vendor's source code and then build and operate it on their own premises. When enterprise software is moving to cloud-based multi-tenant SaaS (Software as a Service), it is no longer possible for customers to directly modify the vendor's source code, because the same instance of code is shared by multiple customers at runtime. Therefore, the question is whether it is still possible to do deep customization on multi-tenant SaaS. In this paper, we give an answer to this question with a novel architecture style to realize deep customization of SaaS using intrusive microservices. We evaluate the approach on an open source online commercial system, and discuss the further research questions to make deep customization applicable in practice.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"49 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116758475","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In software-intensive industries, companies face the constant challenge of not having enough security experts on staff in order to validate the design of the high-complexity projects they run. Many of these companies are now realizing that increasing automation in their secure development process is the only way forward in order to cope with the ultra-large scale of modern systems. This paper embraces that viewpoint. We chart the roadmap to the development of a generative design tool that iteratively produces several design alternatives, each attempting to solve the security goals by incorporating security mechanisms. The tool explores the possible solutions by starting from well-known security techniques and by creating variations via mutations and crossovers. By incorporating user feedback, the tool generates increasingly better design alternatives.
{"title":"Generative Secure Design, Defined","authors":"R. Scandariato, Jennifer Horkoff, R. Feldt","doi":"10.1145/3183399.3183400","DOIUrl":"https://doi.org/10.1145/3183399.3183400","url":null,"abstract":"In software-intensive industries, companies face the constant challenge of not having enough security experts on staff in order to validate the design of the high-complexity projects they run. Many of these companies are now realizing that increasing automation in their secure development process is the only way forward in order to cope with the ultra-large scale of modern systems. This paper embraces that viewpoint. We chart the roadmap to the development of a generative design tool that iteratively produces several design alternatives, each attempting to solve the security goals by incorporating security mechanisms. The tool explores the possible solutions by starting from well-known security techniques and by creating variations via mutations and crossovers. By incorporating user feedback, the tool generates increasingly better design alternatives.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"43 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126298545","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
User interface (UI) is one of the most important components of a mobile app and strongly influences users' perception of the app. However, UI design tasks are typically manual and time-consuming. This paper proposes a novel approach to (semi)-automate those tasks. Our key idea is to develop and deploy advanced deep learning models based on recurrent neural networks (RNN) and generative adversarial networks (GAN) to learn UI design patterns from millions of currently available mobile apps. Once trained, those models can be used to search for UI design samples given user-provided descriptions written in natural language and generate professional-looking UI designs from simpler, less elegant design drafts.
{"title":"Deep Learning UI Design Patterns of Mobile Apps","authors":"Tam The Nguyen, P. Vu, H. Pham, T. Nguyen","doi":"10.1145/3183399.3183422","DOIUrl":"https://doi.org/10.1145/3183399.3183422","url":null,"abstract":"User interface (UI) is one of the most important components of a mobile app and strongly influences users' perception of the app. However, UI design tasks are typically manual and time-consuming. This paper proposes a novel approach to (semi)-automate those tasks. Our key idea is to develop and deploy advanced deep learning models based on recurrent neural networks (RNN) and generative adversarial networks (GAN) to learn UI design patterns from millions of currently available mobile apps. Once trained, those models can be used to search for UI design samples given user-provided descriptions written in natural language and generate professional-looking UI designs from simpler, less elegant design drafts.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131262221","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We propose a parametric model checking (PMC) method that enables the efficient analysis of quality-of-service (QoS) properties of component-based systems. Our method builds on recent advances in PMC techniques and tools, and can handle large models by exploiting domain-specific modelling patterns for the software components. We precompute closed-form expressions for key QoS properties of such patterns, and handle system-level PMC by combining these expressions into easy-to-evaluate systems of equations.
{"title":"Efficient Parametric Model Checking Using Domain-Specific Modelling Patterns","authors":"R. Calinescu, Kenneth Johnson, Colin Paterson","doi":"10.1145/3183399.3183404","DOIUrl":"https://doi.org/10.1145/3183399.3183404","url":null,"abstract":"We propose a parametric model checking (PMC) method that enables the efficient analysis of quality-of-service (QoS) properties of component-based systems. Our method builds on recent advances in PMC techniques and tools, and can handle large models by exploiting domain-specific modelling patterns for the software components. We precompute closed-form expressions for key QoS properties of such patterns, and handle system-level PMC by combining these expressions into easy-to-evaluate systems of equations.","PeriodicalId":212579,"journal":{"name":"2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)","volume":"96 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122517888","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: