Journal of Systems and Software最新文献

{"title":"Transfer learning for software vulnerability prediction using Transformer models","authors":"Ilias Kalouptsoglou ,&nbsp;Miltiadis Siavvas ,&nbsp;Apostolos Ampatzoglou ,&nbsp;Dionysios Kehagias ,&nbsp;Alexander Chatzigeorgiou","doi":"10.1016/j.jss.2025.112448","DOIUrl":"10.1016/j.jss.2025.112448","url":null,"abstract":"<div><div>Recently software security community has exploited text mining and deep learning methods to identify vulnerabilities. To this end, the progress in the field of Natural Language Processing (NLP) has opened a new direction in constructing Vulnerability Prediction (VP) models by employing Transformer-based pre-trained models. This study investigates the capacity of Generative Pre-trained Transformer (GPT), and Bidirectional Encoder Representations from Transformers (BERT) to enhance the VP process by capturing semantic and syntactic information in the source code. Specifically, we examine different ways of using CodeGPT and CodeBERT to build VP models to maximize the benefit of their use for the downstream task of VP. To enhance the performance of the models we explore fine-tuning, word embedding, and sentence embedding extraction methods. We also compare VP models based on Transformers trained on code from scratch or after natural language pre-training. Furthermore, we compare these architectures to state-of-the-art text mining and graph-based approaches. The results showcase that training a separate deep learning predictor with pre-trained word embeddings is a more efficient approach in VP than either fine-tuning or extracting sentence-level features. The findings also highlight the importance of context-aware embeddings in the models’ attempt to identify vulnerable patterns in the source code.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"227 ","pages":"Article 112448"},"PeriodicalIF":3.7,"publicationDate":"2025-04-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143826079","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Is usability testing valid with prototypes where clickable hotspots are highlighted upon misclick?","authors":"Matus Krajcovic ,&nbsp;Peter Demcak ,&nbsp;Eduard Kuric","doi":"10.1016/j.jss.2025.112446","DOIUrl":"10.1016/j.jss.2025.112446","url":null,"abstract":"<div><div>In user experience design, prototypes are an indispensable tool for early diagnosis of usability issues. Designing usability testing to accommodate a prototype’s limited interactivity is essential to obtain relevant participant feedback. Hotspot Highlighting is a technique employed by all prominent prototyping tools to allow usability testers to see which areas of the prototype are clickable. The current body of knowledge lacks definite answers on how highlighting impacts usability testing results, compared to scenarios where participants complete tasks fully on their own. Can studies be treated the same, regardless of whether Hotspot Highlighting is enabled? What are the recommendations for how and when Hotspot Highlighting can or should be used? To investigate, we conduct a between-subjects experiment with 80 participants and 240 task completions in which we compare user behavior depending on the presence of Hotspot Highlighting. Its results indicate that Hotspot Highlighting can affect participant behavior before and after a highlight is displayed, leading to potentially different usability findings if left unaccounted for. The guidance of highlights changes the targets of clicks and encourages cognitively efficient finding of solutions by intentionally triggering the highlights. Considering the potential of Hotspot Highlighting to facilitate the usability testing of prototypes with limited interactivity, we discuss potential adaptations of the technique that address its current issues for more methodologically sound usability evaluation.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112446"},"PeriodicalIF":3.7,"publicationDate":"2025-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143799405","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"An empirical study on bugs in TypeScript programming language","authors":"Ziyuan Wang,&nbsp;Yun Fang,&nbsp;Nannan Wang","doi":"10.1016/j.jss.2025.112445","DOIUrl":"10.1016/j.jss.2025.112445","url":null,"abstract":"<div><div>The TypeScript programming language adds static types to JavaScript, which can be seen as a superset of JavaScript. As special infrastructure software, programming languages may also have bugs, preventing the correct source code from being executed correctly and reliably. To deeply understand the characteristics of historical bugs in the TypeScript programming language, this paper conducts an empirical study. The study involved the versions and features of programming language affected by bugs, the symptoms caused by bugs, the efforts to fix bugs, and the root causes of bugs. By analyzing 8814 bug reports and 7974 pull requests in the repository of TypeScript, our findings reveal that programming language features most severely affected by bugs are “Name, Binding and Scope” and “data types”. The most frequent symptoms include “Behavior Error” and “Compile Error”. The most common root causes are “Missing Features”, “Wrong Control Flow”, “Data Type” errors, and “Processing” errors, all of which could be categorized into “Semantic” errors. Our findings could reveal some characteristics of bugs in TypeScript, provide potential help to developers, testers, and maintainers of TypeScript to improve the quality of TypeScript, and provide a better programming experience for users of TypeScript.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112445"},"PeriodicalIF":3.7,"publicationDate":"2025-03-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143767764","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Improving distributed learning-based vulnerability detection via multi-modal prompt tuning","authors":"Zilong Ren ,&nbsp;Xiaolin Ju ,&nbsp;Xiang Chen ,&nbsp;Yubin Qu","doi":"10.1016/j.jss.2025.112442","DOIUrl":"10.1016/j.jss.2025.112442","url":null,"abstract":"<div><div>Software vulnerabilities pose significant threats to the integrity and reliability of complex systems, making their detection critical. In recent years, a growing body of research has explored deep learning-based approaches for identifying vulnerabilities, which have shown promising results. However, many of these methods ignore privacy and security issues. We utilize distributed learning techniques that enable local models to interact without data sharing. By aggregating these locally trained models, we can update the global model while maintaining data privacy and security. Additionally, existing methods rely on a single source of code semantic information. However, leveraging multiple modalities can capture diverse code representations and features. Specifically, graph-based representations and source code provide structural and syntactic-semantic information that complements traditional code analysis. In this study, we propose a novel function-level vulnerability detection approach MIVDL. It integrates both structured and unstructured features of source code. Then, it further combines the code token sequence with the Code Property Graph (CPG) for enhanced detection accuracy. This hybrid representation leverages the strengths of different modalities to provide a comprehensive understanding of code semantics. Furthermore, our approach employs a pre-trained model applied to distinct parts of each modality before being integrated into a single hybrid representation. This allows a unified analysis framework to utilize each modality’s unique features and strengths. Additionally, distributed learning facilitates collaborative learning and knowledge-sharing among participating entities. We evaluate MIVDL on three datasets (Devign, Reveal, and Big-Vul), and the results indicate that MIVDL outperformed eight state-of-the-art baselines by 3.04<span><math><mo>∼</mo></math></span>70.73% in terms of F1-score. Therefore, combining multi-modal prompt tuning and distributed learning can improve performance in vulnerability detection.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112442"},"PeriodicalIF":3.7,"publicationDate":"2025-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143725718","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Software Self-hosting: A systematic review of quantitative research","authors":"Luka Hrgarek,&nbsp;Lili Nemec Zlatolas","doi":"10.1016/j.jss.2025.112443","DOIUrl":"10.1016/j.jss.2025.112443","url":null,"abstract":"<div><div>In an era marked by heightened concerns surrounding personal privacy and data security, software self-hosting has gained significance as a means for individuals and organizations to reclaim control over their digital assets. This systematic review aims to identify relevant research gaps in the quantitative analysis of self-hosting, primarily focusing on studies employing Structural Equation Modeling (SEM) and regression techniques. Employing a refined version of the Systematic Mapping Process, we analyzed 49 quantitative research papers whose concepts were grouped into 12 substantive groups. The findings reveal a predominant concentration on constructs related to the Technology Acceptance Model (TAM), with limited exploration of self-hosting specifically, overshadowed by an emphasis on cloud computing, the Internet of Things (IoT), and privacy aspects. Our review provides a comprehensive overview of the existing literature and highlights the need for more focused research on self-hosting itself. This systematic review serves as a foundational resource for researchers and practitioners aimed at advancing the discourse on self-hosting.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112443"},"PeriodicalIF":3.7,"publicationDate":"2025-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143799406","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Software engineering team project courses with industrial customers: Students’ insights on challenges and lessons learned","authors":"Nayla Nasir,&nbsp;Muhammad Usman,&nbsp;Jürgen Börstler,&nbsp;Nina Dzamashvili Fogelström","doi":"10.1016/j.jss.2025.112441","DOIUrl":"10.1016/j.jss.2025.112441","url":null,"abstract":"<div><div>Team project courses in software engineering allow students to apply their acquired disciplinary knowledge while developing essential skills needed to work in the software industry. This paper examines the challenges and lessons learned by students in two team project courses involving industrial customers. The first course involves small teams and less complex project, whereas the second course, has larger teams and more complex projects.</div><div>Using thematic analysis, we analyzed 158 reports submitted by two cohorts of students across two successive team project courses.</div><div>As per our findings most challenges and lessons learned pertain to soft skills, such as teamwork, working in remote and hybrid setting, and collaboration with industrial customers. The results show that challenges and lessons learned evolve as students progress to the second team project course, for example, managing changes and addressing individual skill gaps were more pronounced in the first project course, while students reported greater coordination, communication, and contribution issues in the second team project course. The alignment between the challenges faced and the lessons learned suggests that addressing challenges in teamwork, collaborating with industrial customers, and working in hybrid or remote settings helped students develop effective strategies to mitigate these challenges. This process offers a valuable learning experience for the students, enriching their professional growth.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112441"},"PeriodicalIF":3.7,"publicationDate":"2025-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143716177","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A proposal and assessment of an improved heuristic for the Eager Test smell detection","authors":"Huynh Khanh Vi Tran,&nbsp;Nauman bin Ali,&nbsp;Michael Unterkalmsteiner,&nbsp;Jürgen Börstler","doi":"10.1016/j.jss.2025.112438","DOIUrl":"10.1016/j.jss.2025.112438","url":null,"abstract":"<div><h3>Context:</h3><div>The evidence for the prevalence of test smells at the unit testing level has relied on the accuracy of detection tools, which have seen intense research in the last two decades. The Eager Test smell, one of the most prevalent, is often identified using simplified detection rules that practitioners find inadequate.</div></div><div><h3>Objective:</h3><div>We aim to improve the rules for detecting the Eager Test smell.</div></div><div><h3>Methods:</h3><div>We reviewed the literature on test smells to analyze the definitions and detection rules of the Eager Test smell. We proposed a novel, unambiguous definition of the test smell and a heuristic to address the limitations of the existing rules. We evaluated our heuristic against existing detection rules by manually applying it to 300 unit test cases in Java.</div></div><div><h3>Results:</h3><div>Our review identified 56 relevant studies. We found that inadequate interpretations of original definitions of the Eager Test smell led to imprecise detection rules, resulting in a high level of disagreement in detection outcomes. Also, our heuristic detected patterns of eager and non-eager tests that existing rules missed.</div></div><div><h3>Conclusion:</h3><div>Our heuristic captures the essence of the Eager Test smell more precisely; hence, it may address practitioners’ concerns regarding the adequacy of existing detection rules.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112438"},"PeriodicalIF":3.7,"publicationDate":"2025-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143776504","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"RAGVA: Engineering retrieval augmented generation-based virtual assistants in practice","authors":"Rui Yang ,&nbsp;Michael Fu ,&nbsp;Chakkrit Tantithamthavorn ,&nbsp;Chetan Arora ,&nbsp;Lisa Vandenhurk ,&nbsp;Joey Chua","doi":"10.1016/j.jss.2025.112436","DOIUrl":"10.1016/j.jss.2025.112436","url":null,"abstract":"<div><div>Retrieval-augmented generation (RAG)-based applications are gaining prominence due to their ability to leverage large language models (LLMs). These systems excel at combining retrieval mechanisms with generative capabilities, resulting in contextually relevant responses that enhance user experience. In particular, Transurban, a road operation company, replaced its rule-based virtual assistant (VA) with a RAG-based VA (RAGVA) to offer flexible customer interactions and support a wider range of scenarios. This paper presents an experience report from Transurban’s engineering team on building and deploying a RAGVA, offering a step-by-step guide for creating a conversational application and engineering a RAGVA. The report serves as a reference for future researchers and practitioners. While the engineering processes for traditional software applications are well-established, the development and evaluation of RAG-based applications are still in their early stages, with numerous emerging challenges remaining uncharted. To address this gap, we conduct a focus group study with Transurban practitioners regarding developing and evaluating their RAGVA. We identified eight challenges encountered by the engineering team and proposed eight future directions that should be explored to advance the development of RAG-based applications. This study contributes to the foundational understanding of a RAG-based conversational application and the emerging AI software engineering challenges it presents.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112436"},"PeriodicalIF":3.7,"publicationDate":"2025-03-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143705032","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Exploring ethical values in software systems: A systematic literature review","authors":"Razieh Alidoosti ,&nbsp;Patricia Lago ,&nbsp;Maryam Razavian ,&nbsp;Antony Tang","doi":"10.1016/j.jss.2025.112430","DOIUrl":"10.1016/j.jss.2025.112430","url":null,"abstract":"<div><h3>Context:</h3><div>Ethics has attracted considerable attention in the field of software engineering. The prevalence of software-intensive systems and how they become an integral part of people’s lives makes it essential for software engineers to care about the potential impacts and injustice of software systems on people. The social and ethical implications on individuals and society play an important role in the study of software engineering ethics.</div></div><div><h3>Objective:</h3><div>The general aim of this paper is to study the state of the art in ethics in software engineering and to understand ethical considerations in software design and development.</div></div><div><h3>Method:</h3><div>We conducted a systematic literature review (SLR) with an initial sample of 623 articles, of which 85 articles were selected as primary studies.</div></div><div><h3>Result:</h3><div>We created a body of knowledge on stakeholders and software engineering ethical values. More specifically, we provided a stakeholders map to identify different types of system stakeholders and presented a value model to categorize ethical values and recognize value relations.</div></div><div><h3>Conclusion:</h3><div>This SLR sheds light on the state of software engineering ethics. It highlights challenges such as the identification of indirect stakeholders, the lack of attention to their concerns, and the need for a stakeholder classification. The review emphasizes the importance of considering stakeholders’ concerns to uncover ethical values and discusses methods for value extraction, with a focus on the value model. There are needs to address particular ethical values, resolve value conflicts, and operationalize ethical values in software design. These findings offer valuable insights for future research and practice, encouraging a comprehensive integration of ethical aspects into software engineering.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112430"},"PeriodicalIF":3.7,"publicationDate":"2025-03-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143767765","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"CubeAgent: Efficient query-based video adversarial examples generation through deep reinforcement learning","authors":"Heyuan Shi ,&nbsp;Binqi Zeng ,&nbsp;Yu Zhan ,&nbsp;Rongkai Liu ,&nbsp;Yulin Yang ,&nbsp;Li Chen ,&nbsp;Chao Hu ,&nbsp;Ying Fu","doi":"10.1016/j.jss.2025.112437","DOIUrl":"10.1016/j.jss.2025.112437","url":null,"abstract":"<div><div>In commercial deep-learning-based video systems, testers utilize query-based methods to generate adversarial examples (AEs) and effectively uncover system vulnerabilities. The current research has primarily focused on selecting the key perturbation units, such as video patches, keyframes, and combinations of keyframes and regions, to add adversarial perturbation and generate AEs. Furthermore, deep reinforcement learning (DRL) frameworks have been utilized to model the results of sequence-based feedback to reduce query numbers. However, considering the pixels of spatial and temporal dimensions separately in the search process results in a large number of queries and intolerable failure rates for video AE generation. This paper proposes a new AEs perturbation unit called the “video cube”, which simultaneously extracts video pixels in neighbor frames and regions. We develop a new DRL framework called “CubeAgent”, which incorporates controllable policy actions for selecting the <em>number</em> and <em>index</em> of key video cubes segmented by time intervals. We conducted exhaustive experiments across diverse video DNN systems, utilizing the UCF101 and JESTER datasets, which conclusively demonstrated that CubeAgent can expedite the generation process by a factor of two, diminishing the average query count from 5,768 to 4,602, representing a 20% reduction, while simultaneously mitigating the average generation failure rate from 9% to 7%. The results show that CubeAgent improves the performance of adversarial example generation while achieving comparable.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112437"},"PeriodicalIF":3.7,"publicationDate":"2025-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143705033","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}