Information and Software Technology: latest articles

Mapping DevOps capabilities to the software life cycle: A systematic literature review
IF 3.8; Zone 2, Computer Science; Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS; Pub Date: 2024-09-19; DOI: 10.1016/j.infsof.2024.107583
Ricardo Amaro, Rúben Pereira, Miguel Mira da Silva

Context:

Many IT organizations are looking towards DevOps to make their software development and delivery processes faster and more reliable, while DevOps revolutionized the industry by emphasizing collaboration between development and operations teams. Nonetheless, there still exist challenges in harmonizing cultural, technical, measurement and process capabilities for its successful adoption.

Objective:

To research improving DevOps adoption, this study explores DevOps Capabilities relevant to the Life Cycle Processes (LCPs) of the IEEE 2675-2021 DevOps standard. Aiming to provide valuable information on increasing efficiency and outcomes by mapping DevOps Capabilities in each phase of the LCPs. Whereas previous research identified and classified 37 DevOps Capabilities, this study aims to determine which capabilities can enhance each of the 30 phases of the LCPs.

Methods:

Out of 102 documents identified in the Systematic Literature Review (SLR), relations among DevOps Capabilities and LCPs have been synthesized and organized. An in-depth analysis of data was conducted over the connections across various categories. The mapping revealed how they relate in terms of their application and impact.

Results:

The SLR shows technical DevOps Capabilities and technical LCPs strongly correlated. DevOps measurement capabilities have a significant impact on agreement processes. Using an impact scale classification, the study identifies eight capabilities that have exceptional impact on LCPs and eleven capabilities that have a very high impact on the supply process, requirements definition, integration process, and validation process.

Conclusion:

The study demonstrates how DevOps Capabilities together with LCPs can improve software delivery, quality, and reliability. It presents a structured approach for improving processes, as well as evidence of DevOps integration in software development and maintenance. The findings help to assess DevOps Capabilities and LCP relations, which is expected to improve successful adoption. Future research should focus on researching practical cases of DevOps integration into LCPs, while overcoming adoption challenges.

Citations: 0
Improving DevOps team performance through context-capability coalignment: Towards a profile for public sector organizations
IF 3.8; Zone 2, Computer Science; Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS; Pub Date: 2024-09-18; DOI: 10.1016/j.infsof.2024.107585
Olivia H. Plant, Adina Aldea, Jos van Hillegersberg

Context

Many IT organizations turn to agile software delivery approaches such as DevOps in order to reduce the number of IT projects that are running behind schedule and above budget. However, the DevOps paradigm calls for an increased set of capabilities that need to be built and aligned with their context in order to ensure superior team performance.

Objective

This research aims to develop a context-capability coalignment profile for DevOps teams in public organizations. This profile and the corresponding design approach may serve as a model for other software production teams seeking to enhance their performance through improved coalignment. The resulting set of design principles places the traditional information systems theories of dynamic capabilities and contingency theory in a modern context.

Method

We adopt a longitudinal action design research approach centered around a DevOps team working in the IT department of a Dutch public organization. A mixed method design including scientific questionnaires, workshops, expert opinions and semi-structured interviews is employed to build and evaluate the profile.

Results

The resulting profile is characterized by technological complexity, a highly regulated environment, departmental interdependencies and high system relevance. The evaluation phase supports the validity of the artifact and suggests moderately improved coalignment of context and team capabilities after the research period, as well as a positive influence of coalignment on team performance.

Conclusion

It is contended that software teams in public organizations can benefit from improved coalignment between context and DevOps capabilities by following the presented approach. We argue that it is important to create a profile which is internally consistent and views coalignment as a continuous process in order to maximize the positive effect on team performance.
Citations: 0
DeVAIC: A tool for security assessment of AI-generated code
IF 3.8; Zone 2, Computer Science; Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS; Pub Date: 2024-09-16; DOI: 10.1016/j.infsof.2024.107572
Domenico Cotroneo, Roberta De Luca, Pietro Liguori

Context:

AI code generators are revolutionizing code writing and software development, but their training on large datasets, including potentially untrusted source code, raises security concerns. Furthermore, these generators can produce incomplete code snippets that are challenging to evaluate using current solutions.

Objective:

This research work introduces DeVAIC (Detection of Vulnerabilities in AI-generated Code), a tool to evaluate the security of AI-generated Python code, which overcomes the challenge of examining incomplete code.

Methods:

We followed a methodological approach that involved gathering vulnerable samples, extracting implementation patterns, and creating regular expressions to develop the proposed tool. The implementation of DeVAIC includes a set of detection rules based on regular expressions that cover 35 Common Weakness Enumerations (CWEs) falling under the OWASP Top 10 vulnerability categories.

Results:

We utilized four popular AI models to generate Python code, which we then used as a foundation to evaluate the effectiveness of our tool. DeVAIC demonstrated a statistically significant difference in its ability to detect security vulnerabilities compared to the state-of-the-art solutions, showing an F1 Score and Accuracy of 94% while maintaining a low computational cost of 0.14 s per code snippet, on average.

Conclusions:

The proposed tool provides a lightweight and efficient solution for vulnerability detection even on incomplete code.

Citations: 0
A dual graph neural networks model using sequence embedding as graph nodes for vulnerability detection
IF 3.8; Zone 2, Computer Science; Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS; Pub Date: 2024-09-07; DOI: 10.1016/j.infsof.2024.107581
Miaogui Ling, Mingwei Tang, Deng Bian, Shixuan Lv, Qi Tang

Context:

Detecting critical to ensure software system security. The traditional static vulnerability detection methods are limited by staff expertise and perform poorly with today’s increasingly complex software systems. Researchers have successfully applied the techniques used in NLP to vulnerability detection as deep learning has developed. The existing deep learning-based vulnerability detection models can be divided into sequence-based and graph-based categories. Sequence-based embedding models cannot use structured information embedded in the code, and graph-based embedding models lack effective node representations.

Objective:

To solve these problems, we propose a deep learning-based method, DGVD (Double Graph Neural Network for Vulnerability Detection).

Methods:

We use the sequential neural network approach to extract local semantic features of the code as nodes embedded in the control flow graph. First, we propose a dual graph neural network module (DualGNN) that consists of GCN and GAT. The altered module utilizes two different graph neural networks to obtain the global structural information of the control flow and the relationship between the nodes and fuses the two. Second, we propose a convolution-based feature enhancement module (TC-FE) that uses different convolution kernels of different sizes to capture information at different scales so that subsequent readout layers can better aggregate node information.

Results:

Experiments demonstrate that DGVD outperforms existing models, obtaining 64.23% vulnerability detection accuracy on CodeXGLUE’s real benchmark dataset.

Conclusion:

The proposed DGVD achieves better performance than the state-of-the-art. DGVD has a more effective source code feature extraction capability on real-world datasets.

Citations: 0
Testing infrastructures to support mobile application testing: A systematic mapping study
IF 3.8; Zone 2, Computer Science; Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS; Pub Date: 2024-09-07; DOI: 10.1016/j.infsof.2024.107573
Pedro Henrique Kuroishi, Ana Cristina Ramada Paiva, José Carlos Maldonado, Auri Marcelo Rizzo Vincenzi

Context:

Testing activities are essential for the quality assurance of mobile applications under development. Despite its importance, some studies show that testing is not widely applied in mobile applications. Some characteristics of mobile devices and a varied market of mobile devices with different operating system versions lead to a highly fragmented mobile ecosystem. Thus, researchers put some effort into proposing different solutions to optimize mobile application testing.

Objective:

The main goal of this paper is to provide a categorization and classification of existing testing infrastructures to support mobile application testing.

Methods:

To this aim, the study provides a Systematic Mapping Study of 27 existing primary studies.

Results:

We present a new classification and categorization of existing types of testing infrastructure, the types of supported devices and operating systems, whether the testing infrastructure is available for usage or experimentation, and supported testing types and applications.

Conclusion:

Our findings show a need for mobile testing infrastructures that support multiple phases of the testing process. Moreover, we showed a need for testing infrastructure for context-aware applications and support for both emulators and real devices. Finally, we pinpoint the need to make the research available to the community whenever possible.

Citations: 0
Specialized model initialization and architecture optimization for few-shot code search
IF 3.8; Zone 2, Computer Science; Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS; Pub Date: 2024-09-04; DOI: 10.1016/j.infsof.2024.107571
Fan Zhang, Qiang Wu, Manman Peng, Yuanyuan Shen

Context:

Code search aims to find relevant code snippets from a codebase given a natural language query. It not only boosts developer efficiency but also improves the performance of tasks such as code generation and program repair, thus becoming one of the crucial tasks in software engineering.

Objective:

However, recent works are mainly designed for mainstream programming languages with abundant training data. We aim to address the challenges of code search for domain-specific programming languages with limited training data by proposing a novel two-stage, few-shot code search framework named SMIAO.

Method:

SMIAO includes a specialized model initialization and an architecture optimization stage. In the first stage, we first quantitatively identify a mainstream programming language’s dataset that is semantically closest to a target few-shot programming language. Then, we enrich the dataset with hard samples and train an Adapter-GraphCodeBERT model to obtain well-initialized parameters. In the second stage, we first design a search space for the initialized Adapter-GraphCodeBERT model. Then, we employ neural architecture search to optimize the Adapter modules’ positions and quantities in the GraphCodeBERT layers, tailoring for real-world few-shot code search tasks.

Results:

We conduct experiments on a publicly available dataset to demonstrate the effectiveness and rationality of SMIAO. The experimental results show that SMIAO outperforms other state-of-the-art baselines.

Conclusion:

Using mainstream languages’ datasets to initialize Adapter-GraphCodeBERT models, followed by adjusting the quantities and positions of Adapter modules within the GraphCodeBERT layers by neural architecture search, can effectively improve the performance of few-shot code search tasks.

Citations: 0
Accessibility of low-code approaches: A systematic literature review
IF 3.8 Zone 2 Computer Science Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-09-02 DOI: 10.1016/j.infsof.2024.107570
Hourieh Khalajzadeh, John Grundy

Context:

Model-driven approaches are increasingly used in different domains, such as education, finance and app development, in order to involve non-developers in the software development process. Such tools are hugely dependent on visual elements and thus might not be accessible for users with specific challenges, e.g., visual impairments.

Objectives:

To locate and analyse existing literature on the accessibility of low-code approaches, their strengths and weaknesses and key directions for future research.

Methods:

We carried out a systematic literature review and searched through five leading databases for primary studies. We used both quantitative and qualitative methods for data synthesis.

Results:

After reviewing and filtering 918 located studies, and conducting both backward and forward snowballing, we identified 38 primary studies that were included in our analysis. We found most papers focusing on accessibility of visual languages and block-based programming.

Conclusion:

Limited work has been done on improving low code programming environment accessibility. The findings of this systematic literature review will assist researchers and developers in understanding the accessibility issues in low-code approaches and what has been done so far to develop accessible approaches.

Citations: 0
Software solutions for newcomers’ onboarding in software projects: A systematic literature review
IF 3.8 Zone 2 Computer Science Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-09-02 DOI: 10.1016/j.infsof.2024.107568
Italo Santos, Katia Romero Felizardo, Igor Steinmacher, Marco A. Gerosa

Context:

Newcomers joining an unfamiliar software project face numerous barriers; therefore, effective onboarding is essential to help them engage with the team and develop the behaviors, attitudes, and skills needed to excel in their roles. However, onboarding can be a lengthy, costly, and error-prone process. Software solutions can help mitigate these barriers and streamline the process without overloading senior members.

Objective:

This study aims to identify the state-of-the-art software solutions for onboarding newcomers.

Methods:

We conducted a systematic literature review (SLR) to answer six research questions.

Results:

We analyzed 32 studies about software solutions for onboarding newcomers and yielded several key findings: (1) a range of strategies exists, with recommendation systems being the most prevalent; (2) most solutions are web-based; (3) solutions target a variety of onboarding aspects, with a focus on process; (4) many onboarding barriers remain unaddressed by existing solutions; (5) laboratory experiments are the most commonly used method for evaluating these solutions; and (6) diversity and inclusion aspects primarily address experience level.

Conclusion:

We shed light on current technological support and identify research opportunities to develop more inclusive software solutions for onboarding. These insights may also guide practitioners in refining existing platforms and onboarding programs to promote smoother integration of newcomers into software projects.

Citations: 0
A systematic literature review on Agile, Cloud, and DevOps integration: Challenges, benefits
IF 3.8 Zone 2 Computer Science Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-09-02 DOI: 10.1016/j.infsof.2024.107569
Fatiha El Aouni, Karima Moumane, Ali Idri, Mehdi Najib, Saeed Ullah Jan

Context:

In today’s fast-paced digital landscape, integrating DevOps, cloud, and agile methodologies is crucial for meeting software demands. However, this integration remains under-researched.

Objective:

This study explores the integration of Agile, Cloud, and DevOps in today’s software development landscape. It aims to analyze the challenges and benefits associated with merging these three approaches, focusing on their impact on software testing and the role of mindset in successful implementation and identifying the most suitable Agile methodologies.

Methods:

This investigation utilizes a Systematic Literature Review (SLR) to enrich comprehension of this integration in current software development practices.

Results:

The analysis of 31 articles highlights benefits such as improved collaboration and accelerated development, despite challenges with tool proliferation. Platforms like Jenkins, GitLab, Kubernetes, and Docker show promise in addressing these complexities. Our study examines the advantages and challenges of this integration, focusing on its impact on software testing and the role of mindset in successful implementation and identifying the most suitable Agile methodologies.

Conclusion:

The integration of Agile, DevOps, and Cloud signifies a vital move towards collaborative, scalable, and automated methods, crucial for swift delivery, enhanced quality, and ongoing competitiveness. This unified approach is fundamental for organizational advancement and innovation in the ever-evolving software development realm. Further research should tackle challenges in merging these methods and delve into their interactions with emerging technologies to refine practices for increased efficiency.

Citations: 0
Graph-based explainable vulnerability prediction
IF 3.8 Zone 2 Computer Science Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2024-08-31 DOI: 10.1016/j.infsof.2024.107566
Hong Quy Nguyen, Thong Hoang, Hoa Khanh Dam, Aditya Ghose

Significant increases in cyberattacks worldwide have threatened the security of organizations, businesses, and individuals. Cyberattacks exploit vulnerabilities in software systems. Recent work has leveraged powerful and complex models, such as deep neural networks, to improve the predictive performance of vulnerability detection models. However, these models are often regarded as “black box” models, making it challenging for software practitioners to understand and interpret their predictions. This lack of explainability has resulted in a reluctance to adopt or deploy these vulnerability prediction models in industry applications. This paper proposes a novel approach, Genetic Algorithm-based Vulnerability Prediction Explainer (herein GAVulExplainer), which generates explanations for vulnerability prediction models based on graph neural networks. GAVulExplainer leverages genetic algorithms to construct a subgraph explanation that represents the crucial factor contributing to the vulnerability. Experimental results show that our proposed approach outperforms baselines in providing concrete reasons for a vulnerability prediction.

Citations: 0