Journal of Systems and Software最新文献

{"title":"VulDIAC: Vulnerability detection and interpretation based on augmented CFG and causal attention learning","authors":"Shuailin Yang,&nbsp;Jiadong Ren,&nbsp;Jiazheng Li,&nbsp;Dekai Zhang","doi":"10.1016/j.jss.2025.112595","DOIUrl":"10.1016/j.jss.2025.112595","url":null,"abstract":"<div><div>Vulnerability detection in software source code is essential for ensuring system security. Recently, deep learning methods have gained significant attention in this domain, leveraging structured information extracted from source code, and employing Graph Neural Networks (GNNs) to enhance detection performance through graph representation learning. However, conventional code graph structures exhibit limitations in capturing the comprehensive semantics of source code, and the presence of spurious features may result in incorrect correlations, which undermines the robustness and explainability of vulnerability detection models. In this paper, we propose VulDIAC, a novel framework for <strong>Vul</strong>nerability <strong>D</strong>etection and <strong>I</strong>nterpretation that integrates an <strong>A</strong>ugmented Control Flow Graph (ACFG) and a multi-task <strong>C</strong>ausal attention learning module based on Relational Graph Convolutional Networks, referred to as RGCN-CAL. The ACFG incorporates additional relational edges, such as reaching-define and dominator relationships, to better capture the control flow logic and data flow information within the code. The RGCN-CAL module emphasizes causal features while learning multi-relational graph representations. This approach enhances detection accuracy and provides fine-grained, line-level explanations. Experimental evaluations on two public datasets demonstrate that VulDIAC significantly outperforms baseline methods, achieving F1-Score improvements of 27.16% and 53.59%, respectively. Additionally, VulDIAC achieves better Top-k accuracy compared to LineVul on line-level vulnerability detection, which suggests its competitive performance and potential interpretability benefits.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"231 ","pages":"Article 112595"},"PeriodicalIF":4.1,"publicationDate":"2025-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144895200","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Hierarchical multi-label classification for concrete defects: An industrial case study at Vermeg","authors":"Montassar Ben Messaoud ,&nbsp;Ahmed Nour ,&nbsp;Ilyes Ben Khalifa ,&nbsp;Mohamed Tounsi ,&nbsp;Mohamed Wiem Mkaouer","doi":"10.1016/j.jss.2025.112588","DOIUrl":"10.1016/j.jss.2025.112588","url":null,"abstract":"<div><div>Effective software defects management is particularly advantageous for companies that rely on service solutions, as it helps minimize risks and improve resolution monitoring. Many existing approaches have aimed at tracking, locating and classifying defects more reliably. When it comes to practice, we have found that defects are inherently organized in hierarchies based on class inclusion. Taking advantage of these established taxonomies, we report in this paper our experience of deploying a hierarchical multi-label defects classification approach, within a development team in a banking and finance software company. Overall, we gathered over 2000 defect reports, coming from their agile reporter calculation engine. The collected dataset was then balanced and enriched with synthetically generated defects using Meta’s LLM Llama 3.1 405B. Key findings reveal that our approach not only provides better interpretability of overlapping categories but also results in significantly better performance results than traditional flat feedforward neural networks and transformers-based large language models.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"231 ","pages":"Article 112588"},"PeriodicalIF":4.1,"publicationDate":"2025-08-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144885975","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Editorial of the special issue on Quality in Software Architecture","authors":"Daniele Di Pompeo ,&nbsp;Michele Tucci ,&nbsp;André van Hoorn","doi":"10.1016/j.jss.2025.112602","DOIUrl":"10.1016/j.jss.2025.112602","url":null,"abstract":"","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"230 ","pages":"Article 112602"},"PeriodicalIF":4.1,"publicationDate":"2025-08-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145018587","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Examining the effectiveness of transformer-based smart contract vulnerability scan","authors":"Emre Balci ,&nbsp;Timucin Aydede ,&nbsp;Gorkem Yilmaz ,&nbsp;Ece Gelal Soyak","doi":"10.1016/j.jss.2025.112593","DOIUrl":"10.1016/j.jss.2025.112593","url":null,"abstract":"<div><div>Smart contracts can be used for various scenarios, from automating transactions in decentralized finance to managing supply chain logistics, or ensuring the integrity of digital assets. However, smart contracts may expose vulnerabilities that may be exploited, which can lead to financial losses and disruptions in decentralized applications. These vulnerabilities involve decision logic, branching, sequencing, and interaction with other Ethereum addresses, and therefore are challenging to detect. In this work, we study the effectiveness of smart contract vulnerability detection using deep learning. We propose VASCOT, a Vulnerability Analyzer for Smart COntracts using Transformers, which performs sequential analysis of Ethereum Virtual Machine (EVM) bytecode and incorporates a sliding window mechanism to overcome input length constraints. To assess VASCOT’s detection efficacy, we construct a dataset of 16,469 verified Ethereum contracts deployed in 2022, and annotate it using trace analysis with concrete validation to mitigate false positives. VASCOT’s performance is then compared against a state-of-the-art LSTM-based vulnerability detection model on both our dataset and an older public dataset. Our findings highlight the strengths and limitations of each model, providing insights into their detection capabilities and generalizability.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"231 ","pages":"Article 112593"},"PeriodicalIF":4.1,"publicationDate":"2025-08-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144861075","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"PyroBuildS: Speeding up the exploration of large configuration spaces with incremental build","authors":"Georges Aaron Randrianaina ,&nbsp;Djamel Eddine Khelladi ,&nbsp;Olivier Zendra ,&nbsp;Mathieu Acher","doi":"10.1016/j.jss.2025.112592","DOIUrl":"10.1016/j.jss.2025.112592","url":null,"abstract":"<div><div>Software developers are acutely aware that software build is an essential but resource-intensive step in any software development process, all the more when building large and/or highly configurable systems, whose vast number of configuration options leads to an explosion in the number of variants to build and evaluate. A potential approach to speed up the builds of multiple configurations is to do <em>incremental build</em>, <em>i.e.</em>, to not clean the build environment and reuse previous builds when building a new configuration. Previous exploratory studies showed some benefits and limitations of incremental build, but mainly on small configurable software systems and on a limited set of close configurations. However, for <em>large configuration spaces</em>, little is known whether the large distance across configurations impacts the correctness and efficiency of incremental build.</div><div>This paper presents <span>PyroBuildS</span>, <em>a new approach to speed up incremental builds</em> while keeping reproducibility, featuring a configuration variation operator parameterized by two deny lists of problematic options and a mutation size (diversity).</div><div>We evaluate <span>PyroBuildS</span> through an empirical study on three large complex configurable systems, namely Linux, BusyBox, and ToyBox, with respectively 18637, 1078, 330 configuration options. We first show that for all configurations <span>PyroBuildS</span> produces the exact same binaries as a clean build, except for Linux with some non-reproducible random configurations. We identify the reasons why incremental build speeds up or slows down the build of large configuration spaces – a knowledge that can be integrated into <span>PyroBuildS</span>. Incremental build systematically pays off, since problematic options are avoided in the first place — something only <span>PyroBuildS</span> does. We also show that a <em>naive</em> use of incremental build on random Linux configurations backfires, taking more time than clean builds. Thus, <span>PyroBuildS</span> controls diversity to avoid too many differences across configurations to perform efficient incremental builds.</div><div>Thanks to its ability to operate over non-problematic options and close enough configurations, <span>PyroBuildS</span> significantly speeds up the exploration of large configuration spaces, with a gain in build time from 16% to 22% in all three systems with mutated configurations. Finally, with random configurations, <span>PyroBuildS</span> also speeds up the build time from 15% to 20% for ToyBox and BusyBox.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"231 ","pages":"Article 112592"},"PeriodicalIF":4.1,"publicationDate":"2025-08-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144861074","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Do-or-die software projects in Norway during the COVID-19 pandemic","authors":"Leif Z. Knutsen,&nbsp;Ingrid Langbråten Flaatten,&nbsp;Jo Erskine Hannay","doi":"10.1016/j.jss.2025.112587","DOIUrl":"10.1016/j.jss.2025.112587","url":null,"abstract":"<div><div>The COVID-19 pandemic necessitated urgent solutions to support governmental programs that were critical to mitigating unacceptable economic, social, and health risks. We conducted a multiple case study, confirmation workshop, and survey of Norwegian public institutions that had defied conventional wisdom about public sector inertia by successfully completing important, urgent, and unexpected development efforts (do-or-die projects). We found consistent patterns credited for their accomplishments, summarized as follows: (1) antecedent capabilities for collaboration, use of expertise, and interdisciplinary problem-solving; (2) characteristics of the project mandates including specificity of goals, importance, deadlines, and tie-in with societal mission; (3) emergent development practices that empowered a core team to make decisions, benefit from organizational support, and integrate effectively with diverse stakeholders; and (4) outcomes that reinforced the practices, such as success, pride in work, transparency, and continuous capability development. We examined our findings through the theoretical lenses of complexity leadership and goal-setting and found support for the relevance of do-or-die projects in both non-urgent and urgent contexts. The findings contribute to understanding how the public sector can perform under pressure by mobilizing latent capabilities and responding with flexibility and focus. Implications are outlined for diverse fields of agile practices and principles, organizational resilience, public sector interaction, complexity leadership, goal-setting, and project studies. Our study suggests that successful do-or-die projects result from a combination of contextual alignment, clear mandates, and empowered execution — offering insight into how such performance may be fostered in and beyond crises.</div><div><em>Editor’s note: Open Science material was validated by the Journal of Systems and Software Open Science Board</em>.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"231 ","pages":"Article 112587"},"PeriodicalIF":4.1,"publicationDate":"2025-08-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144852072","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"SAA: A framework for improving the software development process via visualization-based software analytics","authors":"Lara Merdol,&nbsp;Eray Tüzün,&nbsp;Ugur Dogrusoz","doi":"10.1016/j.jss.2025.112589","DOIUrl":"10.1016/j.jss.2025.112589","url":null,"abstract":"<div><div>Software artifacts contain crucial information about a project. Analyzing these artifacts and their relationships yields valuable insights. During a software project’s lifecycle, software tracking tools are used to monitor artifacts. Mining metadata from modern software tracking tools provides extensive data for constructing comprehensive software artifact traceability graphs. These graphs aid decision-making in software development. While prior studies have used various software artifact graphs for analysis, comprehensive graphs are underexplored. Moreover, existing studies often lack interactive visualization for exploratory analysis. A unified traceability graph with interactive visualization can illuminate a broader range of issues and enhance understanding through visual cues. This article introduces the Software Artifact Analyzer (SAA) framework, leveraging artifact traceability graphs to support diverse analyses. A sample SAA tool demonstrates framework implementation, evaluated through quantitative and qualitative methods with focus groups and surveys. Participants praised its potential to improve software processes but noted challenges in graph complexity management. Based on the surveys, the tool’s usability score was 74.5 out of 100, which is above average on the System Usability Scale (SUS), indicating its practicality. The SAA framework offers broad applicability by enabling seamless implementation of new software analysis methods, providing project decision-makers with insightful visualizations of the analysis results.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"231 ","pages":"Article 112589"},"PeriodicalIF":4.1,"publicationDate":"2025-08-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144829824","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Testing reinforcement learning systems: A comprehensive review","authors":"Amal Sunba ,&nbsp;Jameleddine Hassine ,&nbsp;Moataz Ahmed","doi":"10.1016/j.jss.2025.112563","DOIUrl":"10.1016/j.jss.2025.112563","url":null,"abstract":"<div><div>Reinforcement Learning (RL) enables autonomous decision-making in dynamic environments, making it suited for complex, high-stakes domains like healthcare and defense systems. However, RL’s high dimensionality and non-deterministic behavior pose testing challenges. This study presents the first literature review on testing RL systems, analyzing 49 studies published between 2013 and May 2025. The review categorizes testing RL techniques based on key workflow components: testing objectives, test generation, test oracles, and test adequacy. It identifies eleven primary gaps, including the lack of validation for testing RL frameworks in real-world applications and the need for specialized testing to verify RL-specific objectives, such as fairness and generalization. Additionally, the review highlights four key challenges: stochasticity leading to inconsistent fault detection, scalability and efficiency constraints in testing adequacy, fault identification complexity due to RL-specific failure definitions, and validation limitations due to reliance on simple tasks and underdeveloped test oracles. Our analysis shows that current research focuses on single-agent RL, robustness, and safety, yet these areas still contain gaps that require further exploration. The findings highlight that testing RL has become an active research area, peaking in 2023 and 2024, with 57% of the reviewed papers published these years. The identified challenges and gaps present opportunities for future research, guiding efforts toward more comprehensive and effective methodologies for testing RL.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"231 ","pages":"Article 112563"},"PeriodicalIF":4.1,"publicationDate":"2025-08-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144809713","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"An actionable framework to investigate and foster women inclusion in software development teams in proprietary software ecosystems","authors":"Juliana Carvalho Outão ,&nbsp;Luiz Alexandre Costa ,&nbsp;Eleni Constantinou ,&nbsp;Rodrigo Pereira dos Santos ,&nbsp;Alexander Serebrenik","doi":"10.1016/j.jss.2025.112583","DOIUrl":"10.1016/j.jss.2025.112583","url":null,"abstract":"<div><h3>Context:</h3><div>Despite growing discussion and concern, gender diversity and inclusion in Exact Sciences and Technology still require attention. Several authors observed that it is not significantly present in development teams, despite positive effects. Moreover, the rise of software ecosystems (SECO) creates opportunities for external developers and renews discussions on women’s inclusion, especially in proprietary SECO (PSECO) based on protected contributions.</div></div><div><h3>Goal:</h3><div>This work aims to propose an actionable framework to foster the inclusion of women in software development teams within PSECO. Using this framework, we identify motivations for women entering the area, barriers faced, contextual characteristics, strategies for dealing with barriers, and coping mechanisms to which women resort when strategies fail or are non-existent.</div></div><div><h3>Method:</h3><div>This study builds upon a previously conducted multivocal literature review (MLR), which identified gender-related barriers and strategies in software engineering teams in PSECO context. Using the findings from that MLR as input, we conducted semi-structured interviews with 21 women who are part of different development teams within organizations classified as keystone organizations, those responsible for the evolution and maintenance of technological platforms.</div></div><div><h3>Results:</h3><div>As a result, we developed PSECO-GDI, an actionable framework to foster the inclusion of women in software development teams within PSECO. In addition to the barriers already mapped in the literature, two new ones emerged: client resistance and lack of collaboration between business partners.</div></div><div><h3>Conclusions:</h3><div>These newly identified barriers provide a deeper understanding of how actors of different genders interact within a PSECO and how they perceive these relationships.</div><div><em>Editor’s note: Open Science material was validated by the Journal of Systems and Software Open Science Board</em>.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"231 ","pages":"Article 112583"},"PeriodicalIF":4.1,"publicationDate":"2025-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144810113","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"On the effectiveness of large language models for query expansion in code search","authors":"Xiangzheng Liu ,&nbsp;Jianxun Liu ,&nbsp;Guosheng Kang ,&nbsp;Min Shi ,&nbsp;Yi Liu ,&nbsp;Yiming Yin","doi":"10.1016/j.jss.2025.112582","DOIUrl":"10.1016/j.jss.2025.112582","url":null,"abstract":"<div><div>Language Models (LMs) are deep learning models trained on massive amounts of text data. One of their main advantages is their superior language understanding capabilities. This study explores the application of Large Language Models (LLMs) understanding capabilities in code search query expansion. To this end, we collected a query corpus from multiple data sources and trained multiple LMs (GPT2, BERT) on this query corpus using a self-supervised task. The trained LM models are then used to expand the input query. We evaluate the performance of these LLMs on the CodeSearchNet dataset using two state-of-the-art code search methods (GraphCodeBERT and CoCoSoda) and compare these LLMs with currently popular expansion methods. Experimental results show that LLM-based query expansion methods outperform existing query reformulation methods in most cases.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"230 ","pages":"Article 112582"},"PeriodicalIF":4.1,"publicationDate":"2025-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144770918","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}