
Latest papers: 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME)

COBREX: A Tool for Extracting Business Rules from COBOL
Pub Date : 2022-10-01 DOI: 10.1109/ICSME55016.2022.00060
Mir Sameed Ali, Nikhil Manjunath, S. Chimalakonda
COBOL (Common Business-Oriented Language) has had a strong presence for the last five decades and is still prevalent in the finance and banking sectors and other organizations. Systems written in COBOL decades ago have now become legacy systems, so maintaining and migrating them has become essential. These legacy systems on which companies rely contain embedded logic that implements their business rules and day-to-day operations. Because requirements keep changing, these business rules need to be revisited and updated regularly, and understanding the code that enforces them is critical for system evolution. However, this is time-consuming, laborious, and error-prone. The documentation of these systems is also sometimes inadequate and may be inconsistent with current organizational policies. Furthermore, the number of current-generation developers working on COBOL has dropped drastically, and most of them are unfamiliar with legacy systems. To help, we propose a tool called COBREX that extracts COBOL business rules using a control-flow-graph (CFG) based approach. The tool's main aim is to help researchers and practitioners understand COBOL source code by extracting and comprehending its business rules. A demo of the tool is available at https://youtu.be/3QODmOkISL0 and details at https://rishalab.github.io/COBREXdoc/.
Citations: 0
Using a Nearest-Neighbour, BERT-Based Approach for Scalable Clone Detection
Pub Date : 2022-10-01 DOI: 10.1109/ICSME55016.2022.00080
Muslim Chochlov, Gul Aftab Ahmed, James Patten, Guoxian Lu, Wei Hou, David Gregg, J. Buckley
Code clones can detrimentally impact software maintenance, and manually detecting them in very large code bases is impractical. Automated approaches, in turn, find the detection of Type 3 and Type 4 (inexact) clones very challenging. While the most recent deep neural networks (for example BERT-based models) seem highly effective at detecting such clones, their pairwise comparison of every code pair in the target system(s) is inefficient and scales poorly on large codebases. We therefore introduce SSCD, a BERT-based clone detection approach that targets high recall of Type 3 and Type 4 clones at scale (in line with our industrial partner's requirements). It does so by computing a representative embedding for each code fragment and finding similar fragments using a nearest-neighbour search. SSCD thus avoids the pairwise-comparison bottleneck of other neural network approaches while also using parallel, GPU-accelerated search to tackle scalability. This paper details the approach and an empirical assessment of configuring and evaluating it in an industrial setting. The configuration analysis suggests that shorter input lengths and text-only neural network models are more efficient in SSCD while only slightly decreasing effectiveness. The evaluation results suggest that SSCD is more effective than state-of-the-art approaches such as SAGA and SourcererCC. It is also highly efficient: in its optimal setting, SSCD locates clones in the entire 320 million LOC BigCloneBench (a standard clone detection benchmark) in just under three hours.
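The embed-once-then-search pipeline the abstract describes, as an added example that is not SSCD's code: each fragment is embedded exactly once, and clone candidates are then found by a vector nearest-neighbour search instead of running a neural classifier on every pair. The "encoder" here is an assumption for the demo (an L2-normalised bag of token bigrams with identifiers normalised to ID, so renamed variables still match), the search is an exact linear scan rather than the paper's GPU-accelerated one, and the four fragments, the 0.7 cosine threshold and the keyword list are constructed for illustration.

```python
import math
import re
from typing import Dict, List, Set, Tuple

# Lexer: identifiers/keywords, integer literals, and single punctuation characters.
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")
# Small Java keyword subset (assumption): keywords survive, every other identifier becomes "ID".
JAVA_KEYWORDS = {
    "if", "else", "for", "while", "do", "return", "int", "long", "boolean", "void",
    "new", "null", "throw", "throws", "try", "catch", "continue", "break", "class",
    "public", "private", "static", "final", "this", "true", "false",
}
Vector = Dict[str, float]  # sparse embedding: feature -> weight


def tokenize(code: str) -> List[str]:
    """Lex the fragment and map non-keyword identifiers to ID so renames do not matter."""
    out: List[str] = []
    for tok in TOKEN_RE.findall(code):
        if tok[0].isalpha() or tok[0] == "_":
            out.append(tok if tok in JAVA_KEYWORDS else "ID")
        else:
            out.append(tok)
    return out


def embed(code: str) -> Vector:
    """Stand-in for the BERT encoder: L2-normalised bag of token bigrams.

    A real deployment would call the neural encoder here, once per fragment.
    """
    toks = tokenize(code)
    vec: Vector = {}
    for a, b in zip(toks, toks[1:]):
        key = a + " " + b
        vec[key] = vec.get(key, 0.0) + 1.0
    norm = math.sqrt(sum(x * x for x in vec.values())) or 1.0
    return {k: x / norm for k, x in vec.items()}


def cosine(u: Vector, v: Vector) -> float:
    """Dot product of two unit-length sparse vectors."""
    if len(u) > len(v):
        u, v = v, u
    return sum(x * v.get(k, 0.0) for k, x in u.items())


class CloneIndex:
    """Embed every fragment once, then answer nearest-neighbour queries over the vectors.

    The query is an exact linear scan of cheap dot products, not a neural forward pass
    per pair; at BigCloneBench scale this scan is what a parallel GPU search replaces.
    """

    def __init__(self) -> None:
        self.ids: List[str] = []
        self.vecs: List[Vector] = []

    def add(self, frag_id: str, code: str) -> None:
        self.ids.append(frag_id)
        self.vecs.append(embed(code))

    def nearest(self, frag_id: str, k: int = 3, threshold: float = 0.7) -> List[Tuple[str, float]]:
        q = self.vecs[self.ids.index(frag_id)]
        scored = [(cosine(q, v), fid) for fid, v in zip(self.ids, self.vecs) if fid != frag_id]
        scored.sort(reverse=True)
        return [(fid, round(s, 3)) for s, fid in scored[:k] if s >= threshold]


def clone_pairs(index: CloneIndex, threshold: float = 0.7) -> Set[Tuple[str, str]]:
    """Every fragment queries its neighbours; each clone pair is reported once, ordered by id."""
    pairs: Set[Tuple[str, str]] = set()
    for fid in index.ids:
        for other, _ in index.nearest(fid, k=len(index.ids), threshold=threshold):
            pairs.add((min(fid, other), max(fid, other)))
    return pairs


# Constructed sample: A and B are a Type-3 clone pair (renamed identifiers plus an added
# statement); C and D are unrelated code that merely shares punctuation with them.
FRAGMENTS: Dict[str, str] = {
    "A": "for (int i = 0; i < n; i++) { sum += a[i]; } return sum;",
    "B": "for (int j = 0; j < len; j++) { if (arr[j] < 0) continue; total += arr[j]; } return total;",
    "C": "while (it.hasNext()) { Object o = it.next(); list.add(o); }",
    "D": 'if (user == null) throw new IllegalArgumentException("user"); return user.getName();',
}


def build_demo_index() -> CloneIndex:
    index = CloneIndex()
    for fid, code in FRAGMENTS.items():
        index.add(fid, code)
    return index


if __name__ == "__main__":
    idx = build_demo_index()
    for fid in FRAGMENTS:
        print(fid, "->", idx.nearest(fid, threshold=0.0))
    print("clone pairs:", sorted(clone_pairs(idx)))
```

With these inputs A and B score about 0.88 and are reported as a pair, while C and D land near 0.59 and are not; the bigram stand-in is deliberately crude, and the reason to swap in a learned encoder is precisely that it can separate such cases for Type 4 clones without hand-tuned thresholds.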
Citations: 1
Inferring Fine-grained Traceability Links between Javadoc Comment and JUnit Test Code
Pub Date : 2022-10-01 DOI: 10.1109/ICSME55016.2022.00052
Jeewoong Kim, Shin Hong
This work presents DOTELINK, a technique that infers fine-grained traceability links between Javadoc comments and JUnit test code. To overcome the limitation of method-level traceability links, DOTELINK establishes links at the sentence level for Javadoc comments and at the code-region level for JUnit test methods. DOTELINK first splits each Javadoc comment into sentences and each JUnit test method into coherent code snippets. It then associates a Javadoc sentence with a code snippet if their lexical similarity is high. In experiments with five real-world projects, DOTELINK identifies 62.4% of the true fine-grained traceability links. We believe that DOTELINK effectively helps developers exploit the duality of the two kinds of requirement representations to improve test quality.
Citations: 0
Stronger Together: On Combining Relationships in Architectural Recovery Approaches
Pub Date : 2022-10-01 DOI: 10.1109/ICSME55016.2022.00035
Evelien Boerstra, J. Ahn, J. Rubin
Architecture recovery is the process of obtaining the intended architecture of a software system by analyzing its implementation. Most existing architectural recovery approaches rely on extracting information about relationships between code entities and then use the extracted information to group closely related entities together. The approaches differ by the type of relationships they consider, e.g., method calls, data dependencies, and class name similarity. Prior work shows that combining multiple types of relationships during the recovery process is often beneficial as it leads to a better result than the one obtained by using the relationships individually. Yet, most, if not all, academic and industrial architecture recovery approaches simply unify the combined relationships to produce a more complete representation of the analyzed systems. In this paper, we propose and evaluate an alternative approach to combining information derived from multiple relationships, which is based on identifying agreements/disagreements between relationship types. We discuss advantages and disadvantages of both approaches and provide suggestions for future research in this area.
Citations: 1
The Visual Debugger Tool
Pub Date : 2022-10-01 DOI: 10.1109/ICSME55016.2022.00066
Tim Kräuter, H. König, Adrian Rutle, Yngve Lamo
Debugging is an essential part of software maintenance and evolution since it allows software developers to analyze program execution step by step. Understanding a program is required to fix potential flaws, alleviate bottlenecks, and implement new desired features. Thus, software developers spend a large percentage of their time validating and debugging software, resulting in high software maintenance and evolution cost. We aim to reduce this cost by providing a novel visual debugging tool to software developers to foster program comprehension during debugging. Our debugging tool visualizes program execution information graphically as an object diagram and is fully integrated into the popular Java development environment IntelliJ IDEA. Moreover, the object diagram allows interactions to explore program execution information in more detail. A demonstration of our tool is available at https://www.youtube.com/watch?v=lU_OgotweRk.
Citations: 0
Selecting Test Cases based on Similarity of Runtime Information: A Case Study of an Industrial Simulator
Pub Date : 2022-10-01 DOI: 10.1109/icsme55016.2022.00077
Kazumasa Shimari, Masahiro Tanaka, T. Ishio, M. Matsushita, Katsuro Inoue, Satoru Takanezawa
Regression testing is required to check for changes in behavior whenever developers change a software system. Its cost is a major problem because developers have to update dependent components frequently to minimize security risks and potential bugs. In this paper, we report on current practice in a company that maintains an industrial simulator as a critical component of its business. The simulator automatically records all users' requests and the simulation results in storage. This feature provides developers with a huge number of test cases for regression testing; however, their time budget for testing is limited (at most one night). Hence, the developers need to select a small number of test cases to confirm that both the simulation results and the execution performance are unaffected by an update of a dependent component. In other words, the selected test cases should achieve high coverage while preserving diversity of execution time. To solve the problem, we have developed a clustering-based method that selects test cases using the similarity of the execution traces they produce. The developers have used the method for half a year; they consider it better than the rule-based method previously used in the company.
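One way to turn recorded execution traces into a small regression suite along the lines the abstract sketches, as an added example rather than the paper's method: tests whose traces are similar (Jaccard over the set of executed blocks) are grouped by a single-pass leader clustering, and one representative per group is kept. The rule for keeping a second, slow representative when a group's runtimes spread widely is this example's own heuristic for the "diversity of execution time" requirement, not something the paper specifies; the threshold, the spread factor and the six recorded runs are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class TestCase:
    name: str
    trace: FrozenSet[str]  # ids of the code blocks the recorded run executed
    runtime_s: float       # wall-clock time of that recorded run


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    return 1.0 if not (a or b) else len(a & b) / len(a | b)


def leader_cluster(tests: List[TestCase], threshold: float) -> List[List[TestCase]]:
    """Single pass: a test joins the first cluster whose leader's trace is similar enough,
    otherwise it founds a new cluster. Linear in the number of tests, good enough for a
    nightly budget; a proper hierarchical clustering would be a drop-in replacement."""
    clusters: List[List[TestCase]] = []
    for t in tests:
        for cluster in clusters:
            if jaccard(t.trace, cluster[0].trace) >= threshold:
                cluster.append(t)
                break
        else:
            clusters.append([t])
    return clusters


def select_tests(tests: List[TestCase], threshold: float = 0.7, time_spread: float = 2.0) -> List[TestCase]:
    """Keep the fastest member of every cluster (coverage at minimal cost) and, when the
    cluster's slowest run takes at least `time_spread` times longer, keep that one too so a
    performance regression on long-running inputs is still caught (heuristic, assumption)."""
    chosen: List[TestCase] = []
    for cluster in leader_cluster(tests, threshold):
        fastest = min(cluster, key=lambda t: t.runtime_s)
        slowest = max(cluster, key=lambda t: t.runtime_s)
        chosen.append(fastest)
        if slowest is not fastest and slowest.runtime_s >= time_spread * fastest.runtime_s:
            chosen.append(slowest)
    return chosen


def coverage(tests: List[TestCase]) -> Set[str]:
    cov: Set[str] = set()
    for t in tests:
        cov |= t.trace
    return cov


def total_runtime(tests: List[TestCase]) -> float:
    return sum(t.runtime_s for t in tests)


# Constructed recorded runs: t1..t3 exercise the same path (t3 on a much larger input),
# t4/t5 share another path, t6 straddles both and covers a block nobody else reaches.
RECORDED: List[TestCase] = [
    TestCase("t1", frozenset("ABCD"), 1.0),
    TestCase("t2", frozenset("ABCDE"), 1.1),
    TestCase("t3", frozenset("ABCD"), 9.0),
    TestCase("t4", frozenset("FGH"), 0.5),
    TestCase("t5", frozenset("FGHI"), 0.6),
    TestCase("t6", frozenset("ABFGJ"), 2.0),
]


def demo_selection() -> List[TestCase]:
    return select_tests(RECORDED)


if __name__ == "__main__":
    picked = demo_selection()
    print("selected:", [t.name for t in picked])
    print("coverage: %d of %d blocks, runtime %.1fs of %.1fs"
          % (len(coverage(picked)), len(coverage(RECORDED)), total_runtime(picked), total_runtime(RECORDED)))
```

On the constructed runs the selection keeps t1 and t3 (same path, runtimes 1.0 s and 9.0 s), t4, and t6, covering 8 of the 10 recorded blocks; the two blocks it drops (E and I) are exactly the ones only reached by near-duplicates of a selected test, which is the trade-off the similarity threshold controls.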
Citations: 1
A Conceptual Antifragile Microservice Framework for Reshaping Critical Infrastructures
Pub Date : 2022-10-01 DOI: 10.1109/ICSME55016.2022.00040
Hind Bangui, Bruno Rossi, Barbora Buhnova
Recently, microservices have been examined as a solution for reshaping and improving the flexibility, scalability, and maintainability of critical infrastructure systems. However, microservice systems also contain a substantial number of potentially vulnerable components that may threaten the protection of critical infrastructures. To address this problem, this paper proposes a framework that builds on the concept of antifragility for constructing self-learning microservice systems that are strengthened by faults and threats instead of being degraded by them. To illustrate the approach, we instantiate the proposed autonomous machine learning approach through an experimental evaluation on a benchmark dataset of microservice faults.
Citations: 1
Evaluation of Context-Aware Language Models and Experts for Effort Estimation of Software Maintenance Issues
Pub Date : 2022-10-01 DOI: 10.1109/ICSME55016.2022.00020
Mohammed Alhamed, Tim Storer
Reflecting on recent advances in Natural Language Processing (NLP), this paper evaluates the effectiveness of context-aware NLP models for predicting software task effort estimates. Term Frequency–Inverse Document Frequency (TF-IDF) and Bidirectional Encoder Representations from Transformers (BERT) were used as feature extraction methods; random forests and BERT feed-forward linear neural networks were used as classifiers. Using three datasets drawn from open-source projects and one from a commercial project, the paper evaluates the models and compares the best-performing model with expert estimates on both kinds of datasets. The results suggest that BERT used for both feature extraction and classification performs slightly better than the other combinations, but that there is no significant difference between the presented methods. The results also show that expert and machine learning (ML) estimates perform similarly, with the experts slightly better. Both findings confirm existing literature, but under substantially different experimental settings.
Citations: 1
VERJava: Vulnerable Version Identification for Java OSS with a Two-Stage Analysis
Pub Date : 2022-10-01 DOI: 10.1109/ICSME55016.2022.00037
Qing Sun, Lili Xu, Yang Xiao, Feng Li, He Su, Yiming Liu, Hongyun Huang, Wei Huo
The affected-version information attached to CVEs (Common Vulnerabilities and Exposures) by the National Vulnerability Database (NVD) is not always accurate. This can seriously mislead software users' repair priorities and greatly hinder the work of security researchers. Bao et al. improved the well-known Sliwerski-Zimmermann-Zeller (SZZ) algorithm for vulnerabilities (V-SZZ) to refine vulnerable software versions precisely, but V-SZZ only handles CVEs whose patches consist solely of deleted lines. In this study, we target Java Open Source Software (OSS) because of its pervasiveness. Due to Java's object-oriented nature, a single security patch often modifies multiple functions. Existing patch code similarity analysis does not consider patch presence from the point of view of the entire patch, which generates too many false positives for Java CVEs. In this work, we address these limitations with a two-stage approach named VERJava that systematically assesses the vulnerable versions for a target vulnerability in Java OSS. Specifically, vulnerable versions are computed at the function level and at the whole-patch level, and the two results are then synthesized to decide the final set of vulnerable versions. For evaluation, we manually annotated the vulnerable versions of 167 real CVEs from seven popular Java open source projects. The results show that VERJava achieves a precision of 90.7% on average, significantly outperforming the state-of-the-art V-SZZ. Furthermore, our study reveals some interesting findings that have not yet been discussed.
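The shape of a two-stage check (per-function, then whole-patch) that the abstract argues for, as an added example that is not VERJava's algorithm: stage one decides for each function touched by the patch whether a release carries its pre-patch or post-patch form, and stage two only calls the release fixed when the entire patch is present. The similarity measure (Jaccard over stripped source lines), the 0.3 cut-off, the verdict rules and the patch and release bodies are all assumptions constructed for the illustration; the point it demonstrates is that a release carrying only a cosmetic part of a multi-function patch must not be labelled fixed on the strength of one matching function.

```python
from typing import Dict, Optional, Set, Tuple

# function name -> (pre-patch body, post-patch body); "" means the function does not exist on that side
Patch = Dict[str, Tuple[str, str]]


def _lines(src: str) -> Set[str]:
    return {ln.strip() for ln in src.splitlines() if ln.strip()}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return 1.0 if not (a or b) else len(a & b) / len(a | b)


def function_state(pre: str, post: str, found: Optional[str], min_sim: float = 0.3) -> str:
    """Stage 1: classify one patched function in one release as pre / post / absent / unknown."""
    if found is None:
        if not pre:
            return "pre"      # the patch introduced this function and the release lacks it
        if not post:
            return "post"     # the patch deleted this function and the release lacks it
        return "absent"       # the function never existed in this release
    sim_pre = jaccard(_lines(pre), _lines(found))
    sim_post = jaccard(_lines(post), _lines(found))
    if max(sim_pre, sim_post) < min_sim or sim_pre == sim_post:
        return "unknown"      # refactored beyond recognition, or the two forms cannot be told apart
    return "pre" if sim_pre > sim_post else "post"


def version_verdict(patch: Patch, release: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Stage 2: synthesise the per-function states into a single verdict for the release (assumed rules)."""
    states = {name: function_state(pre, post, release.get(name)) for name, (pre, post) in patch.items()}
    present = [s for s in states.values() if s != "absent"]
    if not present:
        return "not-affected", states     # none of the patched code exists in this release
    if all(s == "post" for s in present):
        return "fixed", states            # the whole patch is present
    if "pre" in present and "post" not in present:
        return "vulnerable", states       # none of the patch is present
    return "review", states               # mixed, e.g. a partial backport: flag for a human


# Constructed security patch touching two methods: the real fix adds a bounds check to
# parse(), and an unrelated cosmetic change lands in log() in the same commit.
PRE_PARSE = """int parse(byte[] b, int off) {
    return b[off] << 8 | b[off + 1];
}"""
POST_PARSE = """int parse(byte[] b, int off) {
    if (off + 1 >= b.length) throw new IllegalArgumentException("short");
    return b[off] << 8 | b[off + 1];
}"""
PRE_LOG = """void log(String m) {
    out.println(m);
}"""
POST_LOG = """void log(String m) {
    out.println(ts() + m);
}"""
PATCH: Patch = {"parse": (PRE_PARSE, POST_PARSE), "log": (PRE_LOG, POST_LOG)}

# Constructed releases: 0.9 predates both methods, 1.0 is unpatched, 1.1 received only the
# cosmetic log() change (a backport that missed the fix), 1.2 carries the full patch.
VERSIONS: Dict[str, Dict[str, str]] = {
    "0.9": {"util": "int util() { return 0; }"},
    "1.0": {"parse": PRE_PARSE, "log": PRE_LOG},
    "1.1": {"parse": PRE_PARSE, "log": POST_LOG},
    "1.2": {"parse": POST_PARSE, "log": POST_LOG},
}


def classify_all() -> Dict[str, str]:
    return {v: version_verdict(PATCH, funcs)[0] for v, funcs in VERSIONS.items()}


if __name__ == "__main__":
    for v, funcs in VERSIONS.items():
        verdict, states = version_verdict(PATCH, funcs)
        print(v, verdict, states)
```

Release 1.1 is the case the abstract warns about: a function-level check that looked at log() alone would report the patch as applied, whereas the whole-patch stage sees parse() still in its pre-patch form and refuses to call the release fixed.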
Citations: 1
On the Security of Python Virtual Machines: An Empirical Study
Pub Date : 2022-10-01 DOI: 10.1109/ICSME55016.2022.00028
Xinrong Lin, Baojian Hua, Qiliang Fan
Python continues to be one of the most popular programming languages and has been used in many safety-critical fields such as medical treatment, autonomous driving systems, and data science. These fields put forward higher security requirements to Python ecosystems. However, existing studies on machine learning systems in Python concentrate on data security, model security and model privacy, and just assume the underlying Python virtual machines (PVMs) are secure and trustworthy. Unfortunately, whether such an assumption really holds is still unknown. This paper presents, to the best of our knowledge, the first and most comprehensive empirical study on the security of CPython, the official and most deployed Python virtual machine. To this end, we first designed and implemented a software prototype dubbed PVMSCAN, then used it to scan the source code of the latest CPython (version 3.10) and 10 other versions (3.0 to 3.9), which consists of 3,838,606 lines of source code. Empirical results give relevant findings and insights towards the security of Python virtual machines, such as: 1) CPython virtual machines are still vulnerable, for example, PVMSCAN detected 239 vulnerabilities in version 3.10, including 55 null dereferences, 86 uninitialized variables and 98 dead stores; 2) Python/C API-related vulnerabilities are very common and have become one of the most severe threats to the security of PVMs: for example, 70 Python/C API-related vulnerabilities are identified in CPython 3.10; 3) the overall quality of the code remained stable during the evolution of Python VMs, with vulnerabilities per thousand lines (VPTL) at 0.50; and 4) automatic vulnerability rectification is effective: 166 out of 239 (69.46%) vulnerabilities can be rectified by a simple yet effective syntax-directed heuristic. We have reported our empirical results to the developers of CPython, and they have acknowledged us and already confirmed and fixed 2 bugs (as of this writing) while others are still being analyzed. This study not only demonstrates the effectiveness of our approach, but also highlights the need to improve the reliability of infrastructures like Python virtual machines by leveraging state-of-the-art security techniques and tools.
Citations: 0
Journal
2022 IEEE International Conference on Software Maintenance and Evolution (ICSME)