Automated Software Engineering最新文献

Software vulnerabilities are a major concern in cybersecurity, as even small flaws can expose systems to serious risks. Most automated detection methods focus on a single source–usually code–limiting their ability to capture the diverse ways vulnerabilities can appear and leaving complementary information underused. To address this limitation, this work investigates how heterogeneous modalities contribute to vulnerability detection and proposes a multimodal deep learning framework that integrates code semantics, commit messages, static metrics, and syntactic structures through an attention-based fusion mechanism. To ensure deployability in real-world scenarios where commit information is often unavailable at inference time, a teacher–student knowledge distillation scheme is employed. The multimodal teacher model, using all modalities, transfers its knowledge to a lightweight student model that relies solely on code features. Experiments on multiple vulnerability datasets show that multimodal fusion significantly improves detection performance and that knowledge distillation preserves much of this gain while enabling practical deployment. Our findings highlight the importance of cross-modal integration and distillation for building robust and scalable vulnerability detection systems.

The substantial increase in software vulnerabilities poses a significant threat to system security, prompting a surge of interest in applying deep learning (DL) to vulnerability detection. However, current DL-based detectors heavily rely on large-scale labeled data, leading to inefficiency and notable performance degradation in scenarios with limited data. Furthermore, these detectors often lack robustness against adversarial code transformation attacks. To address these challenges, this paper proposes ArVD (Adversarial Reprogramming-Based Vulnerability Detector), which implements a novel and computationally inexpensive approach to reprogram a pre-trained model for detecting vulnerabilities at the function level. Specifically, ArVD first constructs structure-aware token sequences from source code. Given these inputs, the model then exclusively learns universal perturbation elements to be added into the token sequences and leverages self-attention mechanism to enhance non-linear interactions among tokens and perturbations, such that the learning capabilities from the pre-trained model can be adapted to vulnerability detection with less training data and time yet higher detection effectiveness and robustness. Extensive experiments conducted on multiple datasets demonstrate that ArVD significantly reduces the trainable parameters to approximately 20,000 while outperforming DL-based baselines in terms of detection effectiveness, data-limited performance, as well as runtime overhead. Moreover, ArVD effectively counters code transformation attacks; compared to the state-of-the-art ZigZag framework that is designed to enhance detector robustness, ArVD exhibits an averaged relative improvement of 18.89% in F1, with a decrease of 43.25% and 42.65% in FPR and FNR, respectively.

Eliciting evolutionary requirements is essential for the continuous improvement of software systems. Traditional approaches rely on user feedback from forums and social media; however, these methods often suffer from low engagement rates and subjective biases. In contrast, user interaction behavior data offers more objective and comprehensive insights into user needs throughout task execution. Despite its advantages, the ambiguous relationship between user behaviors and requirements presents significant challenges for behavior-driven requirement inference. This paper proposes a novel approach for eliciting evolution requirements based on user interaction behavior. We first employ the conceptual model and goal model to normalize multi-modal behavior data and associate it with goal contexts. This structured representation reduces complexity and establishes a foundation for further analysis. Next, we extract key behavioral metrics through statistical analysis to quantify task difficulty from a user experience perspective, providing a basis for prioritizing inferred requirements. Finally, pattern mining techniques and large language model are applied to derive evolutionary requirements, identifying meaningful behavioral patterns to strengthen the connection between user behavior and requirements while enhancing automation and effectiveness by large language model inference. A case study with 20 participants was conducted to validate the proposed method. The results demonstrate that the approach successfully captures 95.6% of explicitly stated user requirements and uncovers additional valuable insights. These findings underscore the method’s effectiveness and usefulness in enhancing software design optimization.

Many Android apps collect data from users, and the European Union’s General Data Protection Regulation (GDPR) mandates clear disclosures of such data collection. However, apps often use third-party code, complicating accurate disclosures. This paper investigates how accurately current Android apps fulfill these requirements. In this work, we present a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs. Based on this, we implement a semi-automated prototype that detects and labels privacy-related data collected by a given Android app. We manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting. We compare our prototype’s results with the data safety sections of 20 apps revealing reporting discrepancies. Using the results from two Messaging and Social Media apps (Signal and Instagram), we discuss how app developers under-report and over-report data collection, respectively, and identify inaccurately reported data categories. A broader study of 7,500 Android apps reveals that apps most frequently collect data that can partially identify users. Although system APIs consistently collect large amounts of privacy-related data, user interfaces exhibit some more diverse data collection patterns. A more focused study on various domains of apps reveals that the largest fraction of apps collecting personal data belong to the domain of Messaging and Social Media. Our findings show that location is collected frequently by apps, specially from the E-commerce and Shopping domain. However, it is often under-reported in app data safety sections. Our results highlight the need for greater consistency in privacy-aware app development and reporting practices.

Large Language Models (LLMs) and LLM-based Multi-Agent Systems (MAS) are revolutionizing software engineering (SE) by advancing automation, decision-making, and knowledge processing. Their recent application to SE tasks has already shown promising results. In this paper, we focus on summarization as a key application area. We present Metagente , an LLM-based MAS designed to generate concise and accurate summaries of software documentation. Metagente employs a Teacher–Student architecture where multiple LLM agents collaborate to enhance relevance and precision of produced summaries. An empirical evaluation on real-world datasets demonstrates Metagente ’s effectiveness in streamlining workflows, outperforming the considered baselines. The evaluation provides evidence that Metagente improves summarization for requirement analysis and technical documentation. Moreover, we also demonstrate that compared to a set of single, independent LLMs, the multi-agent architecture is meaningful and beneficial to the summarization of software documents. Our findings underscore the transformative potential of these technologies in SE, while identifying challenges and future research directions for their seamless integration.

Effective Requirements Engineering (RE) is essential for building successful software systems, yet analyzing unstructured stakeholder input remains a persistent challenge. Qualitative Data Analysis (QDA) provides structured methods, open coding (entity extraction), axial coding (relationship discovery), and selective coding (model refinement) to transform natural language requirements into domain models. While manual QDA has proven effective for requirements analysis, it remains time-consuming, repetitive, and difficult to scale. Although individual RE tasks have been automated, no prior work has automated the complete QDA methodology for domain modeling. In this paper, we present QuaRUM, the first framework to automate end-to-end QDA for UML domain model generation by combining large language models with retrieval-augmented generation. QuaRUM processes requirements through document ingestion, semantic indexing, and retrieval-augmented coding, and helps ground each model element in the source text to mitigate hallucination risks. Empirical results show that QuaRUM performs with high accuracy across three domains. It achieves F1-scores between 0.85 and 0.98. Cohen’s (kappa) reaches up to 0.92, surpassing human inter-coder agreement. Notably, QuaRUM recovers 37 valid attributes and 23 relationships initially missed by human analysts. A cost-benefit analysis shows a 218% Return on Investment (ROI) for initial use, increasing to 1,131% in repeated deployments, demonstrating strong economic scalability.

Mobile AI applications enhance functionality but introduce complex privacy and security challenges. This research develops and evaluates an automated framework that leverages Large Language Models (LLMs) to analyze user reviews and unveil “hidden permissions” defined not as technically undeclared functionalities, but as declared permissions whose purpose or necessity is opaque to users, leading to perceived privacy risks. The framework integrates static analysis of permission manifests with a hybrid Natural Language Processing (NLP) pipeline that combines Term Frequency-Inverse Document Frequency (TF-IDF) with BERT embeddings. A fine-tuned RoBERTa model then classifies user-reported concerns into predefined risk categories. We correlate these user-reported behaviors with declared permissions to identify potential mismatches and prioritize them using a risk-scoring methodology validated against the MITRE Common Weakness Enumeration (CWE) database. In an evaluation against other LLM architectures (GPT-3.5, DistilBERT, XLNet, and LLaMA-2), our fine-tuned RoBERTa model demonstrates superior performance, achieving an F1-score of 0.90 in classifying reviews related to unauthorized tracking. The framework effectively surfaces and prioritizes user-perceived privacy risks, offering actionable insights for developers to address mismatches between an app’s declared permissions and its user-experienced behavior, thereby fostering a more secure and trustworthy AI mobile ecosystem.

For decades, goal modeling has been significant in the early stages of requirements engineering. Numerous studies have demonstrated the effectiveness and practicality of utilizing requirement goal models. However, creating goal models is usually done manually, which is a challenging task for large-scale systems. Our research objective is to simplify and optimize the creation process of iStar goal models with a semi-automatic framework, assisting in the practical adoption of goal modeling approaches. In this paper, we significantly extend our previous work to better deal with the above problem. Specifically, we utilize the Design Science Research paradigm to propose an interactive and iterative modeling process that combines human decision-making steps with automated analysis steps, minimizing modeling costs while ensuring the quality of the models. This research is based on conducting interviews on the practicality of iStar modeling and conducting a literature review on the automation of iStar modeling for goal modeling. To fulfill the modeling process, we propose a novel hybrid approach that features highly customizable logical reasoning rules and deep learning techniques, allowing for tailored selection and design according to specific needs. To pragmatically promote our approach, we develop a prototype tool with a user-friendly interface. In this paper, we select BERT as the deep learning component and design a series of rules based on BERT as an example. Then, an evaluation is conducted using this specific implementation of this approach. Besides, we conduct a case study on a real-life scenario to evaluate the effectiveness of our modeling approach, showing the efficiency of the modeling process. These results indicate that our proposal efficiently establishes high-quality goal models and thus pragmatically contributes to adopting goal model analysis approaches.

Version control systems are essential in software development, allowing teams to collaborate simultaneously without interfering with each other’s work. Tools like Git facilitate code integration through merge operations, which automatically detect textual conflicts. However, these systems focus solely on source code differences, overlooking more complex semantic conflicts that can lead to failures or unexpected behavior after integration. To address this challenge, static analysis emerges as an effective solution, detecting semantic conflicts that traditional merge tools might miss, providing an additional layer of security and quality to the code integration process. In this study, we explore combinations of static analysis techniques to improve the detection of semantic conflicts. Our approach was evaluated on a dataset from 32 real-world GitHub projects, all manually labeled to include ground truth information. These outcomes highlight the adaptability of our approach: in contexts where minimizing false positives is essential, high-precision techniques can be prioritized; in contrast, recall-focused techniques are preferable for broader conflict coverage. The results show that combining static analysis strategies delivers superior performance in terms of precision, recall, F1 score, and accuracy compared to previous methods, and is a more lightweight and flexible approach to adapt to the application context.

Purpose: In the field of vulnerability repair, previous research has leveraged pre-trained models and LLM-based prompt engineering, among which LLM-based approaches show better generalizability and achieve the best performance. However, the LLM-based approaches generally regard vulnerability repair as a sequence-to-sequence task, and do not explicitly capture the syntax patterns for different vulnerability types, leading to limited accuracy. We aim to create a method that ensures the specificity of prompts targeting vulnerable code while also leveraging the generative capabilities of Large Language Models. Methods: We propose SPVR (Syntax-to-Prompt Vulnerability Repair), a novel framework that collects information from syntax trees, and generates corresponding prompts. Our method consists of three steps: rule design, prompt generation, and patch generation. In the rule design step, our method parses code patches and designs rules to extract relevant contextual information. These rules aid in identifying vulnerability-related issues. In the prompt generation step, our method extracts information from vulnerable code with pre-defined rules, automatically converting them into prompts. We also incorporate the description of CWE (Common Weakness Enumeration) as known information into the prompts. Finally, in the patch generation step, this prompt will serve as input to any conversational LLM to obtain code patches. Results: Extensive experiments validate that our method achieves excellent results in assisting LLMs to fix vulnerabilities accurately. We utilize multiple Large Language Models to validate the effectiveness of our work, repairing 143 of 547 vulnerable code using ChatGPT-4. We conducted a comparison of our approach against several existing vulnerability repair approaches (including fine-tuning-based and prompt-based), across multiple metrics. Conclusion: Our method is a novel framework that combines the Abstract Syntax Tree structure of code, providing targeted prompts of repair code for vulnerabilities. Our method demonstrates promising potential for real-world code vulnerability repair.