Barbara Gallina, Gergő László Steierhoffer, Thomas Young Olesen, Eszter Parajdi, Mike Aarup
Legislation imposes requirements on the manufacturing of machinery. Typically, these requirements are interpreted and refined by (domain-specific) technical committees and published in the form of standards. At the company level, these refined requirements are further interpreted, refined, and documented in the form of internal processes. Due to the proliferation of (interdependent) legislation and standards and the consequent increase in cognitive complexity, manual knowledge management at the company level is becoming more and more challenging and requires automated decision support. Despite the availability of approaches aimed at automating decision support, none offers a satisfactory solution. In this paper, we focus on knowledge management for process compliance and propose a novel structured ontology. Our ontology aims at mastering (by dividing and conquering via tracing) the cognitive complexity of the compliance problem when heterogeneous and sometimes geographically distributed knowledge-driven organizational structures (legal department, standardization department, etc.) are involved and need to communicate. We also illustrate the potential usefulness of our proposed ontology in the context of pump manufacturing and safety process compliance with the Machinery Directive and related harmonized standards, including EN 809:1998+A1. Specifically, we first identify the competencies that characterize departments and interdepartmental interactions; we then formulate an initial set of competency questions that translate those identified competencies; and we then show how the ontology can be exploited to retrieve the answers to the questions and how the answers can be exploited to build a justification for compliance. Precisely, we propose an argumentation pattern given in two different argumentation notations, and we show how it can be partly instantiated by exploiting the returned answers. The illustration also partly covers compliance with the Machinery Regulation, expected to replace the Machinery Directive by January 2027. Finally, we sketch our intended future work.
Title: Towards an ontology for process compliance with the (machinery) legislations. Journal of Software-Evolution and Process, vol. 37, no. 1, published 2024-08-28. doi:10.1002/smr.2728. Open access PDF: https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.2728
Xiaoxue Wu, Shiyu Weng, Bin Zheng, Wei Zheng, Xiang Chen, Xiaobin Sun
As software grows in size and complexity, software vulnerabilities are increasing, leading to a range of serious security issues. Open-source software vulnerability reports and documentation can greatly assist researchers in analysis and detection. However, the quality of different data sources varies, and the data are duplicated and lack correlation, which often requires a lot of manual management and analysis. In order to solve the problems of scattered and heterogeneous data and lack of correlation in traditional vulnerability repositories, this paper proposes a software vulnerability feature knowledge extraction method that combines the N-gram model and mask similarity. The method generates mask text data based on the extraction of N-gram candidate keywords and extracts vulnerability feature knowledge by calculating the similarity of the mask text. This method analyzes samples efficiently and stably in an environment with a large number of complex samples and can obtain high-value semi-structured data. Then, the final node, relationship, and attribute information are obtained by secondary knowledge cleaning and extraction from the extracted semi-structured data. Based on the extraction results, the corresponding software vulnerability domain knowledge graph is constructed to deeply explore the semantic information features and entity relationships of vulnerabilities, which can help to efficiently study software security problems and solve vulnerability problems. The effectiveness and superiority of the proposed method are verified by comparing it with several traditional keyword extraction algorithms on Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) vulnerability data.
Title: NG_MDERANK: A software vulnerability feature knowledge extraction method based on N-gram similarity. Journal of Software-Evolution and Process, vol. 37, no. 1, published 2024-08-27. doi:10.1002/smr.2727
Richard Messnarz, Vesna Djordjevic, Viktor Grémen, Winifred Menezes, Ahmed Alborae, Rainer Dreves, So Norimatsu, Thomas Wegner, Bernhard Sechser
This paper documents the results of the PIM.3 (Process Improvement Management) working group in INTACS (International Assessor Certification Schema), supported by the VDA-QMC (Verband der Deutschen Automobilindustrie/German Automotive Association–Quality Management Center). INTACS promotes Automotive SPICE, an international standard that allows process capability assessment of projects that implement systems integrating mechanics, electronics, and software, optionally including cybersecurity, functional safety, and machine learning. The paper outlines that, for the first time in more than 20 years, INTACS and the VDA-QMC have included a process like PIM.3 Process Improvement Management in the scope of the assessor training. Before that, the assessments focused on the management, engineering, and support processes of series projects, while improvement management had not been trained or assessed.
Title: The PIM.3 process improvement process—Part of the iNTACS certified process expert training. Journal of Software-Evolution and Process, vol. 37, no. 1, published 2024-08-27. doi:10.1002/smr.2726
In software development and maintenance, code comments can help developers understand source code and improve communication among developers. However, developers sometimes neglect to update the corresponding comment when changing the code, resulting in outdated comments (i.e., inconsistent code and comments). Outdated comments are dangerous and harmful and may mislead subsequent developers. More seriously, outdated comments may lead to a fatal flaw sometime in the future. To automatically identify outdated comments in source code, we propose a learning-based method, called CoCC, to detect the consistency between code and comments. To efficiently identify outdated comments, we extract multiple features from both code and comments before and after they change. Besides, we also consider the relation between code and comment in our model. Experimental results show that CoCC can effectively detect outdated comments with precision over 90%. In addition, we have identified the 15 most important factors that cause outdated comments and verified the applicability of CoCC in different programming languages. We also used CoCC to find outdated comments in the latest commits of open source projects, which further proves the effectiveness of the proposed method.
Title: Are your comments outdated? Toward automatically detecting code-comment consistency. Authors: Yuan Huang, Yinan Chen, Xiangping Chen, Xiaocong Zhou. Journal of Software-Evolution and Process, vol. 37, no. 1, published 2024-08-27. doi:10.1002/smr.2718
Ghulam Murtaza Khan, Siffat Ullah Khan, Mahmood Niazi, Muhammad Ilyas, Mamoona Humayun, Akash Ahmad, Javed Ali Khan, Sajjad Mahmood
Global software development (GSD) refers to developing software with a distributed team spanning multiple locations and time zones. Based on relationships, there are four types of outsourcing: dyadic (one client–one vendor), multi-vendor (one client–many vendors), co-sourcing (many clients–one vendor), and complex outsourcing (many clients–many vendors). Compared to the other types of outsourcing contracts, complex outsourcing contracts are the hardest to work on and have the highest risk of project failure. This paper presents a model, the complex outsourcing relationships management model (CORMM), to assist the complex outsourcing stakeholders (both the clients and vendors) in managing their relationships in the context of GSD. This paper aims to develop a CORMM to assist the complex outsourcing relationships management stakeholders in GSD. Also, we are interested in identifying the applicability and effectiveness of the CORMM in the real-world industry. The research approach follows a structured methodology comprising multiple phases. Initially, it leverages a systematic literature review (SLR) as its primary research method. The second phase involves the validation of the SLR findings via an empirical study. Subsequently, in the third phase, a model is developed. Finally, the proposed research approach is validated by incorporating two industrial case studies to assess the organization's relationship management utilizing the Motorola tool. The case study results show that CORMM can successfully point out relationship management issues in a complex outsourcing context. The feedback received from the participants of both companies indicates several positive and valuable insights about the CORMM and its application in the context of complex outsourcing relationships. The results highlight that CORMM serves as an assessment tool for evaluating an organization's relationship management capability and a means for organizations to enhance their position. Through CORMM, complex outsourcing organizations (many clients–many vendors) can identify strengths and weaknesses in their relationship management practices, enabling targeted improvement efforts.
Title: Complex outsourcing relationships management model. Journal of Software-Evolution and Process, vol. 37, no. 1, published 2024-08-26. doi:10.1002/smr.2724
Continuous integration and continuous delivery (CI/CD) automate software integration and reduce repetitive engineering work. While the use of CI/CD presents efficiency gains, in database application development, this potential has not been fully exploited. We explore the state of the art in this area, with a focus on current practices, common software tools, challenges, and preconditions that apply to database applications. The work is grounded in a synoptic literature review and contributes a novel generic CI/CD pipeline for database system application development. Our generic pipeline was tailored to three industrial development use cases in which we measured the benefits of integration and deployment automation. The measurements demonstrate clearly that introducing CI/CD had significant benefits. It reduced the number of failed deployments, improved their stability, and increased the number of deployments. Interviews with the developers before and after the implementation of the CI/CD show that the pipeline brings clear benefits to the development team (i.e., a reduced cognitive load). These findings put current database release practices driven by business expectations, such as fixed release windows, in question.
Title: On the importance of CI/CD practices for database applications. Authors: Jasmin Fluri, Fabrizio Fornari, Ela Pustulka. Journal of Software-Evolution and Process, vol. 36, no. 12, published 2024-08-11. doi:10.1002/smr.2720. Open access PDF: https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.2720
Shunhui Ji, Jiahao Gong, Hai Dong, Pengcheng Zhang, Shaoqing Zhu
With the widespread application of smart contracts, there is a growing concern over the quality assurance of smart contracts. Data flow testing is an important technology for ensuring the correctness of smart contracts. We propose an approach named IABC-TCG (Improved Artificial Bee Colony-Test Case Generation) to generate test cases for the data flow testing of smart contracts. With a dominance relations-based fitness function, an improved artificial bee colony algorithm is used to generate test cases, in which the bee colony search coefficient is adaptively adjusted to improve the effectiveness and efficiency of the search. In addition, an improved test case selection and update strategy is used to avoid unnecessary test cases. The experimental results show that IABC-TCG achieves 100% coverage for all the test requirements on a dataset of 30 smart contracts and outperforms the baseline approaches in terms of the number of test cases and the execution time. When tests are performed with the generated test cases, IABC-TCG can find more errors at lower test cost.
Title: IABC-TCG: Improved artificial bee colony algorithm-based test case generation for smart contracts. Journal of Software-Evolution and Process, vol. 36, no. 12, published 2024-08-08. doi:10.1002/smr.2719
Abdul Wahid Khan, Shah Zaib, Meshari D. Alanazi, Shabana Habib
The goal of this research study was to identify and prioritize the significant cybersecurity challenges that vendor firms encounter during software development. Using a Systematic Literature Review (SLR), 13 significant challenges were found, including “Security issues/Access of Cyberattacks”, “Lack of Right Knowledge”, “Cost Security Issues”, and “Lack of Confidentiality and Trust”, among others. To address these concerns, a multifaceted strategy that prioritizes continuing education, training, and investment in cybersecurity measures, as well as cross-industry cooperation and coordination with government entities, is required. These challenges were ranked using the Fuzzy Analytic Hierarchy Process (F-AHP). We obtained the following results after applying the Fuzzy Analytic Hierarchy Process: CSC1 (Cyber Security Challenge-1) “Security Issues/Access of Cyber Attacks”, CSC2 “Lack of Right Knowledge”, and CSC3 “Framework” are the topmost critical cybersecurity challenges, with weights of 0.1687, 0.1672, and 0.1194, respectively. This study lays the groundwork for future research and assists vendor organizations in addressing the cybersecurity concerns they face during software development. The study also emphasizes the significance of addressing cybersecurity during the software development process in order to avoid the financial and reputational losses associated with cyber intrusions.
Title: Identification and prioritization of the challenges faced by vendor organizations in the shape of cyber security: A FUZZY-AHP -based systematic approach. Journal of Software-Evolution and Process, vol. 36, no. 12, published 2024-08-06. doi:10.1002/smr.2717
Jianwei Shi, Jonas Mönnich, Jil Klünder, Kurt Schneider
Demonstrating software early and responding to feedback is crucial in agile development. However, it is difficult for stakeholders who are not on-site customers but end users, marketing people, or designers, and so forth to give feedback in an agile development environment. Successful graphical user interface (GUI) test executions can be documented and then demonstrated for feedback. In our new concept, GUI tests from behavior-driven development (BDD) are recorded, augmented, and demonstrated as videos. A GUI test is divided into several GUI unit tests, which are specified in Gherkin, a semi-structured natural language. For each GUI unit test, a video is generated during test execution. Test steps specified in Gherkin are traced and highlighted in the video. Stakeholders review these generated videos and provide feedback, for example, on misunderstandings of requirements or on inconsistencies. To evaluate the impact of videos in identifying inconsistencies, we asked 22 participants to identify inconsistencies between (1) given requirements in regular sentences and (2) demonstrated behaviors from videos with Gherkin specifications or from Gherkin specifications alone. Our results show that participants tend to identify more inconsistencies from demonstrated behaviors, which are not in accordance with given requirements. They tend to recognize inconsistencies more easily through videos than through Gherkin specifications alone. The types of inconsistency are threefold: The mentioned feature can be incorrectly implemented, not implemented, or an unspecified new feature. We use a fictitious example showing how this feedback helps a product owner and her team manage requirements. We conclude that GUI test videos can help stakeholders give feedback more effectively. By obtaining early feedback, inconsistencies can be resolved, thus contributing to higher stakeholder satisfaction.
{"title":"Organizing Graphical User Interface tests from behavior-driven development as videos to obtain stakeholders' feedback","authors":"Jianwei Shi, Jonas Mönnich, Jil Klünder, Kurt Schneider","doi":"10.1002/smr.2721","DOIUrl":"10.1002/smr.2721","url":null,"abstract":"<p>Demonstrating software early and responding to feedback is crucial in agile development. However, it is difficult for stakeholders who are not on-site customers but end users, marketing people, or designers, and so forth to give feedback in an agile development environment. Successful graphical user interface (GUI) test executions can be documented and then demonstrated for feedback. In our new concept, GUI tests from behavior-driven development (BDD) are recorded, augmented, and demonstrated as videos. A GUI test is divided into several GUI unit tests, which are specified in Gherkin, a semi-structured natural language. For each GUI unit test, a video is generated during test execution. Test steps specified in Gherkin are traced and highlighted in the video. Stakeholders review these generated videos and provide feedback, for example, on misunderstandings of requirements or on inconsistencies. To evaluate the impact of videos in identifying inconsistencies, we asked 22 participants to identify inconsistencies between (1) given requirements in regular sentences and (2) demonstrated behaviors from videos with Gherkin specifications or from Gherkin specifications alone. Our results show that participants tend to identify more inconsistencies from demonstrated behaviors, which are not in accordance with given requirements. They tend to recognize inconsistencies more easily through videos than through Gherkin specifications alone. The types of inconsistency are threefold: The mentioned feature can be incorrectly implemented, not implemented, or an unspecified new feature. We use a fictitious example showing how this feedback helps a product owner and her team manage requirements. We conclude that GUI test videos can help stakeholders give feedback more effectively. By obtaining early feedback, inconsistencies can be resolved, thus contributing to higher stakeholder satisfaction.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"36 12","pages":""},"PeriodicalIF":1.7,"publicationDate":"2024-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.2721","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141939974","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}