Journal of Software-Evolution and Process最新文献

Industry practitioners assess software from a security perspective to reduce the risks of deploying vulnerable software. Besides following security best practice guidelines during the software development life cycle, predicting vulnerability before roll-out is crucial. Software metrics are popular inputs for vulnerability prediction models. The objective of this study is to provide a comprehensive review of the source code-level security metrics presented in the literature. Our systematic mapping study started with 1451 studies obtained by searching the four digital libraries from ACM, IEEE, ScienceDirect, and Springer. After applying our inclusion/exclusion criteria as well as the snowballing technique, we narrowed down 28 studies for an in-depth study to answer four research questions pertaining to our goal. We extracted a total of 685 code-level metrics. For each study, we identified the empirical methods, quality measures, types of vulnerabilities of the prediction models, and shortcomings of the work. We found that standard machine learning models, such as decision trees, regressions, and random forests, are most frequently used for vulnerability prediction. The most common quality measures are precision, recall, accuracy, and $�F$-measure. Based on our findings, we conclude that the list of software metrics for measuring code-level security is not universal or generic yet. Nonetheless, the results of our study can be used as a starting point for future studies aiming at improving existing security prediction models and a catalog of metrics for vulnerability prediction for software practitioners.

Voice user interface (VUI) systems, such as Alexa, Siri, and Google Assistant, are popular and widely available. Still, challenges such as privacy and the ability to have a dialog remain. In the latter example, the user expects a human-like conversation, that is, that the VUI understands the dialog and its context. However, this VUI feature of context-aware interaction is rather error prone. For this reason, we intend to explore the VUI context of use and its impact on interaction, that is, relevant user experience (UX). We see a demand for context-dependent UX measurement because analyzing the context of use and UX assessment are both critical human-centered design (HCD) methods. Therefore, we examine the VUI context of use by asking users about how, where, and for what they use VUIs, as well as their UX and improvement proposals. We interviewed people with disabilities who rely on VUIs and people without disabilities who use VUIs for convenience or fun. We identified VUI context-of-use categories and factors and explored their impacts on relevant UX qualities. Our result is a matrix containing these elements; thus, it provides an overview of the contextual UX of our target group's VUI interaction. We intend to develop a VUI context-of-use conceptual structure in the future based on this matrix, which is needed to create an automated context-dependent UX measurement recommendation tool for VUIs. This conceptual structure could also be useful for automated UX testing in the context of VUI.

Determining “software release time” and “testing stop time” is a significant challenge in software projects, as both greatly affect the software cost and reliability. To overcome the drawbacks of past research, this study presents a novel robust optimization approach considering the interval estimation of input parameters for a software reliability growth model. It aims to detect the optimal “software release time” and “testing stop time” to minimize software development costs in an uncertain environment. Additionally, it considers the time value of money for calculating model costs by considering the interest rate and inflation. Generally, this research is the first attempt to use a robust approach for optimizing the software development cost considering the time value of money. The paper investigates the model efficiency in practical situations through a case study and analyzes the effect of the discounted rate and parameters uncertainty on the development cost using a software reliability growth model. The results confirm the prominent role of uncertain parameters and the discounted rate value on software development cost. They also indicate that the proposed mathematical model is more consistent with the actual situation and flexible than the past models with deterministic parameters.

Increasingly, software organizations are implementing DevOps culture to benefit from it in terms of continuous testing, delivery, improvement, and so forth. Implementing DevOps is difficult due to a lack of understanding about the practices and their effective application for its effective implementation. This paper aims to explore different DevOps practices that can be implemented in software organizations. The study involves conducting a systematic literature review (SLR) to identify DevOps implementation practices, followed by the utilization of the fuzzy best–worst method (FBWM) to establish a taxonomy or classification of software practices. We have used an SLR to investigate the practices, and subsequently, the survey method was followed to validate the identified practices. Moreover, the best–worst method (BWM) was considered to evaluate the significance and develop the taxonomy of the practices. The results of this study extracted 19 practices that have been identified in the SLR process. The identified factors are further classified into six core DevOps lifecycle phases. The results of the BWM approach are shown. The outcomes of the study conclude that the proposed taxonomy of the practices could help DevOps practitioners and researchers effectively implement them in software development organizations.

The vulnerability in smart contracts (SCs) on the blockchain system may lead to severe security compromises. The SC can be invoked from an externally owned account (EOA) or a contract account (CA). The account a user creates to receive or send ether is an EOA. A CA contains codes that can interact with SCs. In Solidity SC, some vulnerabilities can only be exploited by the interactions between CAs and vulnerable SCs, which can be named external-risky vulnerabilities. Most state-of-the-art (SOTA) detectors detect external-risky vulnerabilities by executing contract codes as an EOA user, thus reporting many unexploitable vulnerabilities. Therefore, we propose a CA-triggering method to identify exploitable external-risky vulnerabilities in Solidity SCs. We first designed agent contracts to simulate CAs' interactions with the target SCs in the real blockchain environment. We then detect vulnerability exploitation by analyzing transaction logs between agent contracts and target SCs and identifying successful exploits. We implemented the CA-triggering method in a tool named SoliTester and evaluated it using three benchmark datasets, which contain three types of external-risky vulnerabilities, namely, Reentancy (RE), Unchecked Call (UcC), and TxOrigin (TO). The results show that SoliTester can efficiently detect exploitable external-risky vulnerabilities with significantly better precisions and recalls than SOTA detectors.

Crowdsource software development has become more and more popular in recent years in the software industry. Crowdsourcing is an open-call technique for outsourcing tasks to a broad and undefined crowd. Crowdsourcing provides numerous advantages including reduced costs, fast project completion, talent identification, diversity of solutions, top-quality, and access to problem-solving creativity. Despite of the benefits gained from crowdsourcing, there are numerous issues like lack of experienced workers, lack of confidentiality, copyright issues, software sustainability, and so forth. There is also less focus on the long-term sustainability of software development because of new ideas emerging in crowdsourcing software development. Furthermore, in literature, lack of guidelines towards sustainable software crowdsourcing is highlighted as one of the limitations in the software standards. This study aims to identify the factors that influence sustainability aspects in crowdsourced software development. We have conducted a systematic literature review for identification of these factors. In this paper, we present findings of the systematic literature review in the form of a list of 11 factors extracted from a sample of 45 finally selected papers. Among these factors, six of the factors are ranked as critical factors. These critical factors are “Lack of coding standard in documentation,” “Use of popular programming tools,” “Crowd Lack of knowledge and awareness about sustainability,” “Energy-efficient coding,” “Lack of awareness about sustainable software engineering practices,” and “Lack of coordination/communication between client and crowd.”

To enable the people involved in a software development process to communicate and reason close to their area of knowledge, we are investigating and engineering a method that formalizes and integrates knowledge of multiple domains into domain models and into specifications in terms of those domain models. We follow an action research approach, starting with a diagnosis phase, in which we have previously defined a set of method objectives, and performed a systematic literature review. During action planning, we defined how we are going to develop the method—called Multi-Domain Formalization Method (MuDForM). This paper reports on the methodical support for using a domain model as the terminology for feature specifications. During action taking, we defined an initial version of the method and set up case studies. During the evaluation phase, we performed a case study to validate how well the method helps in the specification of processes and to realize the case-specific objectives of the customer. The case study pertains to the formalization of the ISO26262 standard for functional safety in the automotive domain. The created models are explained to the involved experts to ensure their consistency with the original text. We found that MuDForM is suitable to systematically formalize processes described in natural language, such that the resulting process models are fully expressed in terms of domain concepts and concepts from outside the domains and processes of interest. Further, during the specifying learning phase, we have extended our method with concepts, steps, and guidelines for grammatical analysis, for formalization of constraints, and for the specification of processes.

Effective management of development projects is crucial to delivering high-quality software within time and budget constraints. However, organizing geographically distributed software development activities presents unique challenges, including difficulties in face-to-face interaction and coordination. To assist the global software development community in updating and developing new project management techniques, identifying and prioritizing best practices is essential. This study aims to develop a taxonomy based on the prioritization of management practices for software development, drawing from empirical data. Fifty-five best practices associated with the Project Management Body of Knowledge (PMBOK) fields were identified from the existing literature. The study also empirically examines the acceptability and relevance of these practices within the industry. An analytic hierarchy process within a fuzzy system is employed to prioritize these practices based on their importance in managing global software development.

Software defect prediction (SDP) aims to distinguish between defective and nondefective instances, but the imbalance between these two classes often leads to reduced prediction performance. Conventional SDP approaches use oversampling techniques, such as synthetic oversampling, to tackle the problem of imbalanced data. However, these methods merely synthesize new instances based on traditional code features without considering actual defects at the code level. To address the issue of data imbalance while preserving semantic features of code samples, a mutation-based data augmentation approach in SDP is proposed. The method utilizes the mutation operator to generate mutants that mutate nondefective instances and create new defective instances. Six projects from the PROMISE dataset are used to evaluate the approach, employing four traditional and two deep classifiers. The experimental results demonstrate the effectiveness of this method in improving defect prediction performance for both traditional and deep classifiers compared with other data augmentation methods.