Journal of Software-Evolution and Process最新文献

{"title":"A Novel Vulnerability-Detection Method Based on the Semantic Features of Source Code and the LLVM Intermediate Representation","authors":"Jinfu Chen,&nbsp;Jiapeng Zhou,&nbsp;Wei Lin,&nbsp;Dave Towey,&nbsp;Saihua Cai,&nbsp;Haibo Chen,&nbsp;Jingyi Chen,&nbsp;Yemin Yin","doi":"10.1002/smr.70026","DOIUrl":"https://doi.org/10.1002/smr.70026","url":null,"abstract":"<div>\u0000 \u0000 <p>With the increasingly frequent attacks on software systems, software security is an issue that must be addressed. Within software security, automated detection of software vulnerabilities is an important subject. Most existing vulnerability detectors rely on the features of a single code type (e.g., source code or intermediate representation [IR]), which may lead to both the global features of the code slices and the memory operation information not being captured or considered. In particular, vulnerability detection based on source-code features cannot usually include some macro or type definition content. In this paper, we propose a vulnerability-detection method that combines the semantic features of source code and the low level virtual machine (LLVM) IR. Our proposed approach starts by slicing (C/C++) source files using improved slicing techniques to cover more comprehensive code information. It then extracts semantic information from the LLVM IR based on the executable source code. This can enrich the features fed to the artificial neural network (ANN) model for learning. We conducted an experimental evaluation using a publicly-available dataset of 11,381 C/C++ programs. The experimental results show the vulnerability-detection accuracy of our proposed method to reach over 96% for code slices generated according to four different slicing criteria. This outperforms most other compared detection methods.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 5","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143888815","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"ECP: Coprocessor Architecture to Protect Program Logic Consistency","authors":"Yang Gao,&nbsp;Siqi Lu,&nbsp;Yongjuan Wang,&nbsp;Haopeng Fan,&nbsp;Qingdi Han,&nbsp;Jingsheng Li","doi":"10.1002/smr.70023","DOIUrl":"https://doi.org/10.1002/smr.70023","url":null,"abstract":"<div>\u0000 \u0000 <p>Contemporary program protection methods focus on safeguarding either program generation, storage, or execution; however, no unified protection strategy exists for ensuring the security of a full program lifecycle. In this study, we combine the static security of program generation with the dynamic security of process execution and propose a novel program logic consistency security property. An encryption core processing (ECP) architecture is presented that provides coprocessor solutions to protect the program logic consistency at the granularity of instructions and data flows. The new authenticated encryption mode in the architecture uses the offset value of the program's instructions and data in relation to the segment-based address as its encryption parameters. Lightweight cryptographic primitives are adopted to ensure that the hardware burden added by the ECP is limited, especially under <span></span><math>\u0000 <semantics>\u0000 <mrow>\u0000 <mo>×</mo>\u0000 </mrow>\u0000 <annotation>$$ times $$</annotation>\u0000 </semantics></math>64 architectures. We prove that the proposed scheme in the ECP architecture satisfies indistinguishability under chosen plaintext attack and demonstrate the effectiveness of the architecture against various attacks. Additionally, a theoretical performance analysis is provided for estimating the overhead introduced by the ECP architecture.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 4","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143865784","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Community Detection of Directed Network for Software Ecosystems Based on a Two-Step Information Dissemination Model","authors":"Huijie Tu,&nbsp;Xiangjuan Yao,&nbsp;Tingting Hou,&nbsp;Dunwei Gong,&nbsp;Mengyi Yang","doi":"10.1002/smr.70025","DOIUrl":"https://doi.org/10.1002/smr.70025","url":null,"abstract":"<div>\u0000 \u0000 <p>A software ecosystem is a complex system that allows developers to cooperate with each other. Community is a universal and important topological property of networks. Detecting the communities of the software ecosystem is of great significance for analyzing its structural characteristics, discovering its hidden patterns, and predicting its behavior. Traditional community detection algorithms of complex networks are mostly for undirected networks. For the social network, the direction of information dissemination between developers cannot be ignored. In addition, the existing algorithms of community detection usually only consider direct influence between individuals while neglecting indirect relationships. To solve these problems, this paper presents a community detection method based on a two-step information dissemination model for the software ecosystem. First, a two-step information dissemination model is established to calculate the information gain of nodes. Second, a ranking method of developers' comprehensive influence is given through their influence vectors and information gains. Finally, communities are detected by taking the influential nodes as the cluster centers and the probability of information dissemination as the clustering direction. The proposed method is applied to community detection of typical software ecosystems in GitHub. The experimental results show that our method has good performance in the identification of community structure.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 4","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143866021","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Requirements Engineering Model (REM): An Assessment Model for Software Vendor Organizations","authors":"Muhammad Yaseen,&nbsp;Zara Karamat","doi":"10.1002/smr.70020","DOIUrl":"https://doi.org/10.1002/smr.70020","url":null,"abstract":"<div>\u0000 \u0000 <p>Requirements engineering (RE) is important phase of software development life cycle. Among different RE phases include, requirements elicitation, requirements analysis, requirements specification, requirements validation, and requirements management. There is essential need of an assessment model where software organization can measure their level of capability to implement requirements engineering. Besides so much advances in this field, there is no such assessment model where organizations can find their level of maturity towards requirements engineering process. In this research, requirements engineering model (REM) is designed and implemented via case studies from different software organizations. For designing REM, literature review of different models was conducted, and levels of REM were finalized. In the first phase, success factors of successful software requirements implementation were identified via systematic literature review (SLR). Furthermore, the identified CSFs are organized into five levels based on Capability Maturity Model Integration (CMMI) and Software Outsourcing Vendors' Readiness Model (SOVRM). Using Motorola assessment technique, REM was evaluated via case studies from different software organizations. As a result of SLR, total of 50 success factors from different phases of requirements engineering were identified from 191 papers and then mapped to five levels of REM. Three case studies were conducted from different companies to evaluate REM. The outcome analysis of case studies shows that different organizations are on different maturity levels of requirements implementation.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 4","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143866022","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Evaluation Framework for Smart Contract Fuzzers","authors":"Peixuan Feng,&nbsp;Yongjuan Wang,&nbsp;Siqi Lu,&nbsp;Qingjun Yuan,&nbsp;Gang Yu,&nbsp;Xiangyu Wang,&nbsp;Jianan Liu,&nbsp;Huaiguang Wu","doi":"10.1002/smr.70021","DOIUrl":"https://doi.org/10.1002/smr.70021","url":null,"abstract":"<div>\u0000 \u0000 <p>With the widespread application of smart contracts in economics and asset management, the security of smart contracts has been widely addressed by academia and industry. Fuzz is an effective technique for vulnerability detection. Several fuzzers are currently available for smart contracts, how to choose the most appropriate tools to test smart contracts is a problem that needs to be solved. To this end, we propose an evaluation framework for a smart contract fuzzers, which sets eight evaluation indicators from five aspects to comprehensively evaluate the usability, transparency, detection ability, branch coverage, and design of oracle of the smart contract fuzzers. In order to verify the scientificity and rationality of the framework, we selected six state-of-the-art (SOTA) smart contract fuzzers for evaluation. By evaluating the usability of six fuzzers, the level of difficulty in using them was verified; by evaluating the transparency of six fuzzers, the usability of the tool's output information during use was verified; the branch coverage and rationality of oracle design of the six fuzzers was validated by evaluating their detection ability on the dataset. The final evaluation results validated the effectiveness of our proposed framework in guiding users to choose smart contract fuzzers.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 4","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143861710","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Manipulating a CI/CD Pipeline in an IoT Embedded Project: A Quasi-Experiment","authors":"Igor Pereira,&nbsp;Tiago Carneiro,&nbsp;Eduardo Figueiredo","doi":"10.1002/smr.70022","DOIUrl":"https://doi.org/10.1002/smr.70022","url":null,"abstract":"<div>\u0000 \u0000 <p>Given the multidisciplinary complexity of embedded Internet of Things (IoT) projects and the demand for qualified professionals, this study investigates the influence of continuous integration and continuous delivery (CI/CD) skills and developers' perceptions regarding applying these practices in this domain. We conducted a quasi-experiment with 98 students from three undergraduate courses at two Brazilian federal universities, analyzing the impact of developer skills on CI/CD. The results showed that developers with no previous CI/CD skills faced more significant difficulties in practical activities. It was interesting to note that most participants in our sample already had some experience with real software development projects. However, most have never had real experience with an embedded IoT project or CI/CD tools. The approach we followed resulted in 92% success. Attendees expressed interest in more hands-on training on CI/CD pipeline, DevOps, and embedded IoT projects. We also noticed a great need for them to have more practical experience with Git, GitHub, GitHub Actions, and GNU/Linux.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 4","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143835891","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Explainable AI Framework for Software Defect Prediction","authors":"Bahar Gezici Geçer,&nbsp;Ayça Kolukısa Tarhan","doi":"10.1002/smr.70018","DOIUrl":"https://doi.org/10.1002/smr.70018","url":null,"abstract":"<div>\u0000 \u0000 <p>Software engineering plays a critical role in improving the quality of software systems, because identifying and correcting defects is one of the most expensive tasks in software development life cycle. For instance, determining whether a software product still has defects before distributing it is crucial. The customer's confidence in the software product will decline if the defects are discovered after it has been deployed. Machine learning-based techniques for predicting software defects have lately started to yield encouraging results. The software defect prediction system's prediction results are raised by machine learning models. More accurate models tend to be more complicated, which makes them harder to interpret. As the rationale behind machine learning models' decisions are obscure, it is challenging to employ them in actual production. In this study, we employ five different machine learning models which are random forest (RF), gradient boosting (GB), naive Bayes (NB), multilayer perceptron (MLP), and neural network (NN) to predict software defects and also provide an explainable artificial intelligence (XAI) framework to both locally and globally increase openness throughout the machine learning pipeline. While global explanations identify general trends and feature importance, local explanations provide insights into individual instances, and their combination allows for a holistic understanding of the model. This is accomplished through the utilization of Explainable AI algorithms, which aim to reduce the “black-boxiness” of ML models by explaining the reasoning behind a prediction. The explanations provide quantifiable information about the characteristics that affect defect prediction. These justifications are produced using six XAI methods, namely, SHAP, anchor, ELI5, LIME, partial dependence plot (PDP), and ProtoDash. We use the KC2 dataset to apply these methods to the software defect prediction (SDP) system, and provide and discuss the results.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 4","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143826734","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Multilabel Vulnerability Classification in Decentralized Blockchain–Based Reputation System","authors":"Balaji Barmavat,&nbsp;Dhanaraju M,&nbsp;K. Sreerama Murthy,&nbsp;Hari Krishna Madthala,&nbsp;Satya Krupa Prakash Karey,&nbsp;Rajesh Palthya","doi":"10.1002/smr.70024","DOIUrl":"https://doi.org/10.1002/smr.70024","url":null,"abstract":"<div>\u0000 \u0000 <p>Smart contracts serve as decentralized applications essential for extensive utilization of blockchain technology across various contexts that have transitioned from the blockchain, characterized primarily by digital currency systems that emphasize the financial systems. Blockchain operates as a distributed ledger that securely records transactions using cryptographic techniques to establish a unique, chain-like data structure managed collectively by miners within the network. However, current methods for analyzing smart contracts often demand substantial processing time and face challenges in accurately detecting vulnerabilities in complex contracts. To address these limitations, this research introduces the Updated Wave search Graph Bidirectional Convolutional Neural Network (UWGBCNN), a novel approach designed to enhance smart contract security. UWGBCNN integrates a multilabel vulnerability classification mechanism, utilizing the Updated Wave Search Algorithm (UWSA) to efficiently analyze and identify patterns in smart contracts by adapting network parameters to detect vulnerabilities with speed and precision. Additionally, feature extraction is enhanced through the Bidirectional Encoder Representations from Transformer (BERT) language model, incorporating supplementary word embedding features. The proposed technique achieves superior performance, reaching a precision of 98.5%, recall of 98.6%, and an F1-score of 99.6%, surpassing current methods. This approach contributes significantly to blockchain security by minimizing financial risks associated with vulnerabilities in decentralized applications.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 4","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143826660","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"CARLDA: An Approach for Stack Overflow API Mention Recognition Driven by Context and LLM-Based Data Augmentation","authors":"Zhang Zhang,&nbsp;Xinjun Mao,&nbsp;Shangwen Wang,&nbsp;Kang Yang,&nbsp;Tanghaoran Zhang,&nbsp;Yao Lu","doi":"10.1002/smr.70015","DOIUrl":"https://doi.org/10.1002/smr.70015","url":null,"abstract":"<div>\u0000 \u0000 <p>The recognition of Application Programming Interface (API) mentions in software-related texts is vital for extracting API-related knowledge, providing deep insights into API usage and enhancing productivity efficiency. Previous research identifies two primary technical challenges in this task: (1) differentiating APIs from common words and (2) identifying morphological variants of standard APIs. While deep learning-based methods have demonstrated advancements in addressing these challenges, they rely heavily on high-quality labeled data, leading to another significant data-related challenge: (3) the lack of such high-quality data due to the substantial effort required for labeling. To overcome these challenges, this paper proposes a context-aware API recognition method named CARLDA. This approach utilizes two key components, namely, Bidirectional Encoder Representations from Transformers (BERT) and Bidirectional Long Short-Term Memory (BiLSTM), to extract context at both the word and sequence levels, capturing syntactic and semantic information to address the first challenge. For the second challenge, it incorporates a character-level BiLSTM with an attention mechanism to grasp global character-level context, enhancing the recognition of morphological features of APIs. To address the third challenge, we developed specialized data augmentation techniques using large language models (LLMs) to tackle both in-library and cross-library data shortages. These techniques generate a variety of labeled samples through targeted transformations (e.g., replacing tokens and restructuring sentences) and hybrid augmentation strategies (e.g., combining real-world and generated data while applying style rules to replicate authentic programming contexts). Given the uncertainty about the quality of LLM-generated samples, we also developed sample selection algorithms to filter out low-quality samples (i.e., incomplete or incorrectly labeled samples). Moreover, specific datasets have been constructed to evaluate CARLDA's ability to address the aforementioned challenges. Experimental results demonstrate that (1) CARLDA significantly enhances F1 by 11.0% and the Matthews correlation coefficient (MCC) by 10.0% compared to state-of-the-art methods, showing superior overall performance and effectively tackling the first two challenges, and (2) LLM-based data augmentation techniques successfully yield high-quality labeled data and effectively alleviate the third challenge.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 4","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143818558","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Process Debt: Definition, Risks, and Management","authors":"Antonio Martini,&nbsp;Viktoria Stray,&nbsp;Terese Besker,&nbsp;Nils Brede Moe,&nbsp;Jan Bosch","doi":"10.1002/smr.70017","DOIUrl":"https://doi.org/10.1002/smr.70017","url":null,"abstract":"<div>\u0000 \u0000 <p>Process debt, like technical debt, can be a source of short-term benefits but often leads to harmful consequences in the long term for a software organization. Despite its impact, the phenomenon of process debt has not been thoroughly explored in current literature, leaving a gap in understanding how it affects and is managed within organizations. This paper addresses this gap by defining process debt, describing its occurrence, the risks of its mismanagement, and showing examples of mitigation strategies. Our study began with an exploratory phase involving semi-structured interviews with sixteen practitioners across four international organizations, allowing us to gather diverse insights into the occurrence and management of process debt. Then, to deepen our understanding and validate our findings, we conducted a cross-company focus group with ten additional practitioners and analyzed fifty-eight observations and thirty-five interviews from a longitudinal case study. The analysis of the research findings led to a definition of process debt and a novel framework. We also report on the causes, consequences, and occurrence patterns of process debt over time. We present mitigation strategies and discuss which ones need further attention for future research. Our results suggest that the debt metaphor may help companies understand how to manage and improve their processes and make process-related decisions that are beneficial both in the short and long term.</p>\u0000 </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 4","pages":""},"PeriodicalIF":1.7,"publicationDate":"2025-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143809677","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}