Linyi Han, Hang Li, Xiaowang Zhang, Youmeng Li, Zhiyong Feng
� �
Textual vulnerability descriptions (TVDs) in repositories like NVD and IBM X-Force Exchange are essential for security engineers managing vulnerabilities. Engineers typically search for key aspects in TVDs using specific phrases, but with multiple expressions for each aspect, retrieving all relevant records is challenging. We propose a label-based retrieval framework that classifies key aspects and retrieves TVDs by their broader categories. Given the large data volume, manual labeling is infeasible, making unsupervised classification critical. However, short labels and repeated words diminish semantic clarity, affecting classification accuracy. We introduce Unsupervised Classification through Label Profile (UCLP), which expands label semantics through label profiles inspired by recommendation systems. We construct profiles using neural network weights and apply TF-IDF to calculate similarities, smoothing distributions with an arctangent function. Results show that UCLP significantly outperforms four benchmarks, raising accuracy from 68.3% to 78.9% and improving three real-world applications.
{"title":"UCLP: Unsupervised Classification of Key Aspects in Vulnerability Descriptions Through Label Profile","authors":"Linyi Han, Hang Li, Xiaowang Zhang, Youmeng Li, Zhiyong Feng","doi":"10.1002/smr.70052","DOIUrl":"https://doi.org/10.1002/smr.70052","url":null,"abstract":"<div>\u0000 \u0000 <p>Textual vulnerability descriptions (TVDs) in repositories like NVD and IBM X-Force Exchange are essential for security engineers managing vulnerabilities. Engineers typically search for key aspects in TVDs using specific phrases, but with multiple expressions for each aspect, retrieving all relevant records is challenging. We propose a label-based retrieval framework that classifies key aspects and retrieves TVDs by their broader categories. Given the large data volume, manual labeling is infeasible, making unsupervised classification critical. However, short labels and repeated words diminish semantic clarity, affecting classification accuracy. We introduce Unsupervised Classification through Label Profile (UCLP), which expands label semantics through label profiles inspired by recommendation systems. We construct profiles using neural network weights and apply TF-IDF to calculate similarities, smoothing distributions with an arctangent function. Results show that UCLP significantly outperforms four benchmarks, raising accuracy from 68.3% to 78.9% and improving three real-world applications.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 9","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-09-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145038309","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Heterogeneous defect prediction (HDP) plays a crucial role in software engineering by enabling the early detection of software defects across projects with heterogeneous feature spaces. Recently, some mixed-project HDP (MP-HDP) methods have been proposed, which have demonstrated modest improvements in HDP performance. Nevertheless, existing MP-HDP approaches fail to address feature redundancy and distribution inconsistency simultaneously. To overcome these limitations, this paper proposes a novel MP-HDP approach, UFR-OSFA, based on unified feature representation and oppositional structural feature alignment. Concretely, UFR-OSFA first unifies these features by reducing the distribution differences between source and target projects through matching common features and the Hungarian algorithm based on the Kolmogorov–Smirnov (KS) test. Subsequently, utilizing a generator and two classifiers with oppositional structures, UFR-OSFA separates the features of the source project and clusters those of the target project, addressing the issue of conditional distribution mismatch and enhancing the model's generalization ability in the target project. Extensive experiments on 23 projects from five datasets demonstrate that the proposed approach performs better or comparably to baseline methods.
{"title":"UFR-OSFA: Unified Feature Representation and Oppositional Structure Feature Alignment for Mixed-Project Heterogeneous Defect Prediction","authors":"Yifan Zou, Huiqiang Wang, Hongwu Lv, Shuai Zhao","doi":"10.1002/smr.70049","DOIUrl":"https://doi.org/10.1002/smr.70049","url":null,"abstract":"<div>\u0000 \u0000 <p>Heterogeneous defect prediction (HDP) plays a crucial role in software engineering by enabling the early detection of software defects across projects with heterogeneous feature spaces. Recently, some mixed-project HDP (MP-HDP) methods have been proposed, which have demonstrated modest improvements in HDP performance. Nevertheless, existing MP-HDP approaches fail to address feature redundancy and distribution inconsistency simultaneously. To overcome these limitations, this paper proposes a novel MP-HDP approach, UFR-OSFA, based on unified feature representation and oppositional structural feature alignment. Concretely, UFR-OSFA first unifies these features by reducing the distribution differences between source and target projects through matching common features and the Hungarian algorithm based on the Kolmogorov–Smirnov (KS) test. Subsequently, utilizing a generator and two classifiers with oppositional structures, UFR-OSFA separates the features of the source project and clusters those of the target project, addressing the issue of conditional distribution mismatch and enhancing the model's generalization ability in the target project. Extensive experiments on 23 projects from five datasets demonstrate that the proposed approach performs better or comparably to baseline methods.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 9","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145037623","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jose A. Calvo-Manzano, Tomás San Feliu, Ángel Herranz, Julio Mariño, Lars-Åke Fredlund, Ana M. Moreno
Cybersecurity is a critical global concern, particularly for small- and medium-sized enterprises (SMEs) with limited resources and expertise. The authors are developing CyberESP, a tailored cybersecurity framework supported by a semi-automated tool to ensure Spanish SMEs' cybersecurity management. Following the Design Science Research (DSR) methodology and grounded in international standards, the authors identified six requirements to be satisfied by a cybersecurity framework for SMEs, which should support the identification of assets, vulnerabilities, threats, and risks. This paper presents the first part of the CyberESP framework dealing with asset management, particularly their identification and analysis of dimensions and cost. A prototype supporting these activities was developed and validated through a case study in a retail SME, showing the solution's potential and identifying particular improvements. The paper also addresses threats to validity and limitations, noting the framework's focus on hardware, software, and networks. Future work includes vulnerability management and will explore the use of cloud and IoT deployment, positioning CyberESP as a practical solution to enhance SMEs' cybersecurity resilience.
{"title":"CyberESP: An Integrated Cybersecurity Framework for SMEs","authors":"Jose A. Calvo-Manzano, Tomás San Feliu, Ángel Herranz, Julio Mariño, Lars-Åke Fredlund, Ana M. Moreno","doi":"10.1002/smr.70050","DOIUrl":"https://doi.org/10.1002/smr.70050","url":null,"abstract":"<p>Cybersecurity is a critical global concern, particularly for small- and medium-sized enterprises (SMEs) with limited resources and expertise. The authors are developing CyberESP, a tailored cybersecurity framework supported by a semi-automated tool to ensure Spanish SMEs' cybersecurity management. Following the Design Science Research (DSR) methodology and grounded in international standards, the authors identified six requirements to be satisfied by a cybersecurity framework for SMEs, which should support the identification of assets, vulnerabilities, threats, and risks. This paper presents the first part of the CyberESP framework dealing with asset management, particularly their identification and analysis of dimensions and cost. A prototype supporting these activities was developed and validated through a case study in a retail SME, showing the solution's potential and identifying particular improvements. The paper also addresses threats to validity and limitations, noting the framework's focus on hardware, software, and networks. Future work includes vulnerability management and will explore the use of cloud and IoT deployment, positioning CyberESP as a practical solution to enhance SMEs' cybersecurity resilience.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 9","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-09-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70050","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145022283","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Matteo Pancini, Matteo Camilli, Giovanni Quattrocchi, Damian Andrew Tamburri
Ensuring high-quality data is crucial for the successful deployment of machine learning models, thereby sustaining the operational pipelines around such models. However, a significant number of practitioners do not currently use data quality checks or measurements as gateways for their model construction and operationalization, indicating a need for greater awareness and adoption of these tools. In this study, we propose an automated approach for automating the process of architecting machine learning pipelines by means of (semi-)automated data quality checks. We focus on tabular data as a representative of the most widely used structured data formats in said pipelines. Our work is based on a subset of metrics that are particularly relevant in MLOps pipelines, stemming from our engagement with expert practitioners in machine learning operations (MLOps). We selected Deepchecks, a well-known tool for conducting data quality checks, from a cohort of similar tools to evaluate the quality of datasets collected from Kaggle, a widely used platform for machine learning competitions and data science projects. We also analyze the main features used by Kaggle to rank their datasets and used these features to validate the relevance of our approach. Our approach shows the potential for automated data quality checks to improve the efficiency and effectiveness of MLOps pipelines and their operation, by decreasing the risk of introducing errors and biases into machine learning models in production.
{"title":"Engineering MLOps Pipelines With Data Quality: A Case Study on Tabular Datasets in Kaggle","authors":"Matteo Pancini, Matteo Camilli, Giovanni Quattrocchi, Damian Andrew Tamburri","doi":"10.1002/smr.70044","DOIUrl":"https://doi.org/10.1002/smr.70044","url":null,"abstract":"<p>Ensuring high-quality data is crucial for the successful deployment of machine learning models, thereby sustaining the operational pipelines around such models. However, a significant number of practitioners do not currently use data quality checks or measurements as gateways for their model construction and operationalization, indicating a need for greater awareness and adoption of these tools. In this study, we propose an automated approach for automating the process of architecting machine learning pipelines by means of (semi-)automated data quality checks. We focus on tabular data as a representative of the most widely used structured data formats in said pipelines. Our work is based on a subset of metrics that are particularly relevant in MLOps pipelines, stemming from our engagement with expert practitioners in machine learning operations (MLOps). We selected Deepchecks, a well-known tool for conducting data quality checks, from a cohort of similar tools to evaluate the quality of datasets collected from Kaggle, a widely used platform for machine learning competitions and data science projects. We also analyze the main features used by Kaggle to rank their datasets and used these features to validate the relevance of our approach. Our approach shows the potential for automated data quality checks to improve the efficiency and effectiveness of MLOps pipelines and their operation, by decreasing the risk of introducing errors and biases into machine learning models in production.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 9","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-09-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70044","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145012976","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Effective coordination between contributors with different functional roles is fundamental for the success of collaboration-centric software development paradigms such as DevSecOps. However, quantitatively assessing coordination in such settings has received limited attention. We introduce multi-class socio-technical congruence (), an extension of the widely studied socio-technical congruence () framework to address this gap. Our metric enables the assessment of coordination in a setting where contributors with different functional roles or alignments collaborate. Using a large-scale exploratory case study, we evaluated for two classes (i.e., ). Specifically, we calculated for 100 systematically selected projects from the TravisTorrent dataset, considering developers (dev) and security-focused developers (sf-devs) as the two types of contributors with different functional alignments (i.e., two classes). We hypothesized that the dev and sf-dev interaction would have a quantifiable impact on the vulnerability score (
具有不同功能角色的贡献者之间的有效协调是以协作为中心的软件开发范例(如DevSecOps)成功的基础。但是,对这种情况下的协调进行定量评估的注意有限。我们引入了多阶层的社会技术一致性(M C - S T C) $$ MChbox{-} STC $$ ),是广泛研究的社会技术一致性的延伸 $$ STC $$ )框架来解决这一差距。我们的度量允许在具有不同功能角色或联盟的贡献者协作的环境中评估协调。通过大规模的探索性案例研究,我们评估了C - S - T - C $$ MChbox{-} STC $$ 为两类(即2c - S - T - C) $$ 2Chbox{-} STC $$ ). 具体来说,我们计算了2c - stc $$ 2Chbox{-} STC $$ 从TravisTorrent数据集中系统地选择100个项目,考虑开发人员(dev)和以安全为重点的开发人员(sf-devs)作为两种类型的贡献者,具有不同的功能定位(即两个类)。我们假设开发人员和自开发人员之间的交互会对漏洞评分(vs)产生可量化的影响 $$ VS $$ )。我们的结果表明,2c - S - T - C之间存在适度的负相关 $$ 2Chbox{-} STC $$ 和V S $$ VS $$ , Spearman相关达到− $$ - $$ 0.427 (p = 0。00000624 $$ p=0.00000624 $$ ),这表明开发人员和软件开发人员之间更高层次的协调导致了高严重性漏洞发生率较低的项目。另外,2 C - S - T - C $$ 2Chbox{-} STC $$ 与vs呈较强的负相关 $$ VS $$ 比S T C $$ STC $$ 这表明它是这种关系的更敏感的指标。因此,我们提出的度量的具体实例,2c - S - T - C $$ 2Chbox{-} STC $$ 的表现相对较好 $$ STC $$ 用于衡量我们选定项目中的跨职能协调。然而,进一步的研究需要探索其更广泛的适用性。
{"title":"Towards Multi-Class Socio-Technical Congruence: Assessing Coordination in Collaborative Software Development Settings","authors":"Roshan Namal Rajapakse, Claudia Szabo","doi":"10.1002/smr.70040","DOIUrl":"https://doi.org/10.1002/smr.70040","url":null,"abstract":"<p>Effective coordination between contributors with different functional roles is fundamental for the success of collaboration-centric software development paradigms such as DevSecOps. However, quantitatively assessing coordination in such settings has received limited attention. We introduce multi-class socio-technical congruence (<span></span><math>\u0000 <semantics>\u0000 <mrow>\u0000 <mi>M</mi>\u0000 <mi>C</mi>\u0000 <mtext>-</mtext>\u0000 <mi>S</mi>\u0000 <mi>T</mi>\u0000 <mi>C</mi>\u0000 </mrow>\u0000 <annotation>$$ MChbox{-} STC $$</annotation>\u0000 </semantics></math>), an extension of the widely studied socio-technical congruence (<span></span><math>\u0000 <semantics>\u0000 <mrow>\u0000 <mi>S</mi>\u0000 <mi>T</mi>\u0000 <mi>C</mi>\u0000 </mrow>\u0000 <annotation>$$ STC $$</annotation>\u0000 </semantics></math>) framework to address this gap. Our metric enables the assessment of coordination in a setting where contributors with different functional roles or alignments collaborate. Using a large-scale exploratory case study, we evaluated <span></span><math>\u0000 <semantics>\u0000 <mrow>\u0000 <mi>M</mi>\u0000 <mi>C</mi>\u0000 <mtext>-</mtext>\u0000 <mi>S</mi>\u0000 <mi>T</mi>\u0000 <mi>C</mi>\u0000 </mrow>\u0000 <annotation>$$ MChbox{-} STC $$</annotation>\u0000 </semantics></math> for two classes (i.e., <span></span><math>\u0000 <semantics>\u0000 <mrow>\u0000 <mn>2</mn>\u0000 <mi>C</mi>\u0000 <mtext>-</mtext>\u0000 <mi>S</mi>\u0000 <mi>T</mi>\u0000 <mi>C</mi>\u0000 </mrow>\u0000 <annotation>$$ 2Chbox{-} STC $$</annotation>\u0000 </semantics></math>). Specifically, we calculated <span></span><math>\u0000 <semantics>\u0000 <mrow>\u0000 <mn>2</mn>\u0000 <mi>C</mi>\u0000 <mtext>-</mtext>\u0000 <mi>S</mi>\u0000 <mi>T</mi>\u0000 <mi>C</mi>\u0000 </mrow>\u0000 <annotation>$$ 2Chbox{-} STC $$</annotation>\u0000 </semantics></math> for 100 systematically selected projects from the <i>TravisTorrent</i> dataset, considering developers (<i>dev</i>) and security-focused developers (<i>sf-devs</i>) as the two types of contributors with different functional alignments (i.e., two classes). We hypothesized that the <i>dev</i> and <i>sf-dev</i> interaction would have a quantifiable impact on the <i>vulnerability score</i> (<span></span><math>\u0000 <semantics>\u0000 <mrow","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 9","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-09-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70040","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145012977","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Crowdsourcing testing has the advantages of efficiency, speed, and reliability, but an excessive number of test reports makes it a challenge for report reviewers to select high-quality test reports in a limited time. Test reports submitted by crowd workers often tend to be short textual descriptions with a large number of screenshots attached. Most traditional processing methods of test reports target reports that only contain text information, which cannot meet the defect detection requirements of crowdsourced test reports. In view of this, this paper proposes a prioritization method of crowdsourced test reports that integrates text and image information. First, we extract the text and image information from the test reports, based on which the defect detection abilities of the test reports are measured and the similarities between test reports are calculated. Then, a multi-stage prioritization method of the test reports is presented based on the defect detection levels and similarities of the test reports. In the first stage, based on the defect detection levels and the similarities, the test report set is sorted and clustered to obtain the sorting results of partial reports and the similar set for each sorted report; in the second stage, the similar test report set is sorted with the criteria of minimizing the similarity and maximizing the defect detection level; the sorting results of the two stages are combined to form the final priorities of test reports. To validate our approach, we conducted experiments on five crowdsourced test datasets. The results and the analysis show that our approach can detect all faults faster in a limited time. By comprehensively utilizing text and image information to prioritize test reports, better sorting results can be obtained than state-of-the-art methods.
{"title":"Prioritization Method for Crowdsourced Test Report by Integrating Text and Image Information","authors":"Huijie Tu, Xiangjuan Yao, Dunwei Gong, Yan Yang","doi":"10.1002/smr.70043","DOIUrl":"https://doi.org/10.1002/smr.70043","url":null,"abstract":"<div>\u0000 \u0000 <p>Crowdsourcing testing has the advantages of efficiency, speed, and reliability, but an excessive number of test reports makes it a challenge for report reviewers to select high-quality test reports in a limited time. Test reports submitted by crowd workers often tend to be short textual descriptions with a large number of screenshots attached. Most traditional processing methods of test reports target reports that only contain text information, which cannot meet the defect detection requirements of crowdsourced test reports. In view of this, this paper proposes a prioritization method of crowdsourced test reports that integrates text and image information. First, we extract the text and image information from the test reports, based on which the defect detection abilities of the test reports are measured and the similarities between test reports are calculated. Then, a multi-stage prioritization method of the test reports is presented based on the defect detection levels and similarities of the test reports. In the first stage, based on the defect detection levels and the similarities, the test report set is sorted and clustered to obtain the sorting results of partial reports and the similar set for each sorted report; in the second stage, the similar test report set is sorted with the criteria of minimizing the similarity and maximizing the defect detection level; the sorting results of the two stages are combined to form the final priorities of test reports. To validate our approach, we conducted experiments on five crowdsourced test datasets. The results and the analysis show that our approach can detect all faults faster in a limited time. By comprehensively utilizing text and image information to prioritize test reports, better sorting results can be obtained than state-of-the-art methods.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 9","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-09-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144934867","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Rodrigo Santos, Antonia Bertolino, Pablo Antonino, Doo-Hwan Bae
For more than a decade, software engineering for systems-of-systems (SoS) and software ecosystems (SECO) has been largely investigated in order to cope with complexity in software-intensive systems. SoS research addresses several aspects related to software system architecture comprising a set of constituent systems that relate to each other to perform missions. As such, SoS have key characteristics such as operational and managerial independence, distribution, emergent behavior, and evolutionary development. Full interoperability and dynamic architecture become critical challenges in this context. On the hand, SECO research refers to modeling and analysis of a socio-technical network of actors and artifacts formed on top of common technological platforms, in which business factors directly influence software maintenance and evolution. Software sustainability and diversity as well as quality attributes that affect the SECO platform health represent challenges in the field. From the long-running, successful series of the International Workshop on Software Engineering for systems-of-systems and Software Ecosystems (SESoS), co-located with the IEEE/ACM International Conference on Software Engineering (ICSE), we present this special issue on the topics in the Journal of Software: Evolution and Process from SESoS 2023 in Melbourne, Australia. Four articles were accepted and published in this special issue, covering a longitudinal analysis of SoS research, as well as strategic patterns, services, and trust in SECO. These articles provide researchers and practitioners with advances in the state of the art and point out opportunities for further research.
{"title":"Advances in Software Engineering Research for Systems-of-Systems and Software Ecosystems","authors":"Rodrigo Santos, Antonia Bertolino, Pablo Antonino, Doo-Hwan Bae","doi":"10.1002/smr.70046","DOIUrl":"https://doi.org/10.1002/smr.70046","url":null,"abstract":"<p>For more than a decade, software engineering for systems-of-systems (SoS) and software ecosystems (SECO) has been largely investigated in order to cope with complexity in software-intensive systems. SoS research addresses several aspects related to software system architecture comprising a set of constituent systems that relate to each other to perform missions. As such, SoS have key characteristics such as operational and managerial independence, distribution, emergent behavior, and evolutionary development. Full interoperability and dynamic architecture become critical challenges in this context. On the hand, SECO research refers to modeling and analysis of a socio-technical network of actors and artifacts formed on top of common technological platforms, in which business factors directly influence software maintenance and evolution. Software sustainability and diversity as well as quality attributes that affect the SECO platform health represent challenges in the field. From the long-running, successful series of the International Workshop on Software Engineering for systems-of-systems and Software Ecosystems (SESoS), co-located with the IEEE/ACM International Conference on Software Engineering (ICSE), we present this special issue on the topics in the Journal of Software: Evolution and Process from SESoS 2023 in Melbourne, Australia. Four articles were accepted and published in this special issue, covering a longitudinal analysis of SoS research, as well as strategic patterns, services, and trust in SECO. These articles provide researchers and practitioners with advances in the state of the art and point out opportunities for further research.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 9","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-09-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70046","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144935249","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Qing Mi, Zhiyou Xiao, Yi Zhan, Liyan Tao, Jiahe Zhang
� �
Code readability is of central concern for developers, as a more readable code indicates higher maintainability, reusability, and portability. In recent years, many deep learning–based code readability classification methods have been proposed. Among them, a graph neural network (GNN)–based model has achieved the best performance in the field of code readability classification. However, it is still unclear what aspects of the model's input lead to its decisions, which hinders its practical use in the software industry. To improve the interpretability of existing code readability classification models and identify key code characteristics that drive their readability predictions, we propose an explanation framework with GNN explainers towards transparent and trustworthy code readability classification. First, we propose a simplified Abstract Syntax Tree (AST)–based code representation method, which transforms Java code snippets into ASTs and discards lower-level nodes with limited information. Then, we retrain the state-of-the-art GNN-based model together with our simplified program graphs. Finally, we employ SubgraphX to explain the model's code readability predictions at the subgraph level and visualize the explanation results to further analyze what causes such predictions. The experimental results show that sequential logic, code comments, selection logic, and nested structure are the most influential code characteristics when classifying code snippets as readable or unreadable. Further investigations indicate the model's proficiency in capturing features related to complex logic structures and extensive data flows but point to its limitations in identifying readability issues associated with naming conventions and code formatting. The explainability analysis conducted in this research is the first step towards more transparent and reliable code readability classification. We believe that our findings are useful in providing constructive suggestions for developers to write more readable code and delimitating directions for future model improvement.
{"title":"Towards Explainable Code Readability Classification With Graph Neural Networks","authors":"Qing Mi, Zhiyou Xiao, Yi Zhan, Liyan Tao, Jiahe Zhang","doi":"10.1002/smr.70048","DOIUrl":"https://doi.org/10.1002/smr.70048","url":null,"abstract":"<div>\u0000 \u0000 <p>Code readability is of central concern for developers, as a more readable code indicates higher maintainability, reusability, and portability. In recent years, many deep learning–based code readability classification methods have been proposed. Among them, a graph neural network (GNN)–based model has achieved the best performance in the field of code readability classification. However, it is still unclear what aspects of the model's input lead to its decisions, which hinders its practical use in the software industry. To improve the interpretability of existing code readability classification models and identify key code characteristics that drive their readability predictions, we propose an explanation framework with GNN explainers towards transparent and trustworthy code readability classification. First, we propose a simplified Abstract Syntax Tree (AST)–based code representation method, which transforms Java code snippets into ASTs and discards lower-level nodes with limited information. Then, we retrain the state-of-the-art GNN-based model together with our simplified program graphs. Finally, we employ SubgraphX to explain the model's code readability predictions at the subgraph level and visualize the explanation results to further analyze what causes such predictions. The experimental results show that sequential logic, code comments, selection logic, and nested structure are the most influential code characteristics when classifying code snippets as readable or unreadable. Further investigations indicate the model's proficiency in capturing features related to complex logic structures and extensive data flows but point to its limitations in identifying readability issues associated with naming conventions and code formatting. The explainability analysis conducted in this research is the first step towards more transparent and reliable code readability classification. We believe that our findings are useful in providing constructive suggestions for developers to write more readable code and delimitating directions for future model improvement.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 9","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-09-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144934921","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Rafiq Ahmad Khan, Hussein A. Al Hashimi, Hathal S. Alwageed, Ismail Keshta, Alaa Omran Almagrabi, Sarra Ayouni
� �
The increasing complexity of software development processes has heightened the need for robust security measures. Although technical safeguards are essential, the role of human factors in securing software development remains underexplored. This paper presents a novel approach that integrates people's maturity with a fuzzy analytic hierarchy process (Fuzzy-AHP) decision-making framework to enhance the security in software development. The framework provides a systematic method for evaluating and prioritizing human factors that influence an organization's security posture, such as team-expertized communication and adherence to security protocols. Using the decision-making model allows the project managers and stakeholders to determine the appropriate areas for improvement and develop the right strategies and actions to nurture a secure and mature development culture. The paper identifies 24 human success factors (HSFs) and human security vulnerabilities (HSVs) and 38 practices for addressing these HSFs and HSVs through systematic literature review (SLR) and empirical survey. Furthermore, we discuss the local and global ranks of each HSF and HSV practice and categorize the identified practices into nine categories to determine the ranks and weight of each category. Based on collected data, Fuzzy-AHP prioritized these practices; the category “C4: Skill development and stakeholder engagement” is ranked highest at rank-1 and possesses the most significant weight of 0.12435. Similarly, the highest global weight is 0.051506, and the global ranked (rank-1) HSF and HSV practice is “P15: Hands-on practice and stakeholder communication.” The proposed approach complements existing technical methods by addressing the human element of security, making it adaptable to diverse organizational environments. Through this integration of people maturity and Fuzzy-AHP, the paper contributes a new dimension to securing software development, emphasizing the critical role of human factors in achieving comprehensive security.
{"title":"Securing Software Development Through People Maturity: A Fuzzy-AHP Decision-Making Framework","authors":"Rafiq Ahmad Khan, Hussein A. Al Hashimi, Hathal S. Alwageed, Ismail Keshta, Alaa Omran Almagrabi, Sarra Ayouni","doi":"10.1002/smr.70045","DOIUrl":"https://doi.org/10.1002/smr.70045","url":null,"abstract":"<div>\u0000 \u0000 <p>The increasing complexity of software development processes has heightened the need for robust security measures. Although technical safeguards are essential, the role of human factors in securing software development remains underexplored. This paper presents a novel approach that integrates people's maturity with a fuzzy analytic hierarchy process (Fuzzy-AHP) decision-making framework to enhance the security in software development. The framework provides a systematic method for evaluating and prioritizing human factors that influence an organization's security posture, such as team-expertized communication and adherence to security protocols. Using the decision-making model allows the project managers and stakeholders to determine the appropriate areas for improvement and develop the right strategies and actions to nurture a secure and mature development culture. The paper identifies 24 human success factors (HSFs) and human security vulnerabilities (HSVs) and 38 practices for addressing these HSFs and HSVs through systematic literature review (SLR) and empirical survey. Furthermore, we discuss the local and global ranks of each HSF and HSV practice and categorize the identified practices into nine categories to determine the ranks and weight of each category. Based on collected data, Fuzzy-AHP prioritized these practices; the category “C4: Skill development and stakeholder engagement” is ranked highest at rank-1 and possesses the most significant weight of 0.12435. Similarly, the highest global weight is 0.051506, and the global ranked (rank-1) HSF and HSV practice is “P15: Hands-on practice and stakeholder communication.” The proposed approach complements existing technical methods by addressing the human element of security, making it adaptable to diverse organizational environments. Through this integration of people maturity and Fuzzy-AHP, the paper contributes a new dimension to securing software development, emphasizing the critical role of human factors in achieving comprehensive security.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 9","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144927289","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Ambiguous user requirements present a challenge in software requirement engineering. A manual approach to handling ambiguity is time-consuming. Software requirements are essential inputs to software development processes, including architecture and design, implementation, and testing. Requirement ambiguities lead to project cost overruns, delays in project delivery, and poor software product quality. Timely identification and correction of ambiguity can result in better software systems that meet product objectives and satisfy the needs of all stakeholders. This study explores various natural language processing techniques and SpanBERT (a variant of BERT). This research proposes a semiautomated approach for detecting anaphoric, coordination, and missing condition ambiguities in functional requirements. The proposed approach is validated on a new, original dataset containing 425 functional requirements from 16 domains. The ambiguities identified through our approach are compared with those detected manually and by ChatGPT. Our approach outperforms ChatGPT in detecting ambiguities. The proposed approach will aid project managers and requirement engineers in identifying ambiguities in requirement specifications, thereby helping to reduce cost overruns and delays in the software development process caused by requirement ambiguities.
{"title":"A Semiautomated Approach for Detecting Ambiguities in Software Requirements Using SpanBERT and Named Entity Recognition","authors":"Fiza Talha, Touseef Tahir, Talha Nadeem","doi":"10.1002/smr.70041","DOIUrl":"https://doi.org/10.1002/smr.70041","url":null,"abstract":"<p>Ambiguous user requirements present a challenge in software requirement engineering. A manual approach to handling ambiguity is time-consuming. Software requirements are essential inputs to software development processes, including architecture and design, implementation, and testing. Requirement ambiguities lead to project cost overruns, delays in project delivery, and poor software product quality. Timely identification and correction of ambiguity can result in better software systems that meet product objectives and satisfy the needs of all stakeholders. This study explores various natural language processing techniques and SpanBERT (a variant of BERT). This research proposes a semiautomated approach for detecting anaphoric, coordination, and missing condition ambiguities in functional requirements. The proposed approach is validated on a new, original dataset containing 425 functional requirements from 16 domains. The ambiguities identified through our approach are compared with those detected manually and by ChatGPT. Our approach outperforms ChatGPT in detecting ambiguities. The proposed approach will aid project managers and requirement engineers in identifying ambiguities in requirement specifications, thereby helping to reduce cost overruns and delays in the software development process caused by requirement ambiguities.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 8","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-08-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70041","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144810976","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
扫码关注我们
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号