-
Early Detection of Security-Relevant Bug Reports using Machine Learning: How Far Are We?
Authors:
Arthur D. Sawadogo,
Quentin Guimard,
Tegawendé F. Bissyandé,
Abdoul Kader Kaboré,
Jacques Klein,
Naouel Moha
Abstract:
Bug reports are common artefacts in software development. They serve as the main channel for users to communicate to developers information about the issues that they encounter when using released versions of software programs. In the descriptions of issues, however, a user may, intentionally or not, expose a vulnerability. In a typical maintenance scenario, such security-relevant bug reports are…
▽ More
Bug reports are common artefacts in software development. They serve as the main channel for users to communicate to developers information about the issues that they encounter when using released versions of software programs. In the descriptions of issues, however, a user may, intentionally or not, expose a vulnerability. In a typical maintenance scenario, such security-relevant bug reports are prioritised by the development team when preparing corrective patches. Nevertheless, when security relevance is not immediately expressed (e.g., via a tag) or rapidly identified by triaging teams, the open security-relevant bug report can become a critical leak of sensitive information that attackers can leverage to perform zero-day attacks. To support practitioners in triaging bug reports, the research community has proposed a number of approaches for the detection of security-relevant bug reports. In recent years, approaches in this respect based on machine learning have been reported with promising performance. Our work focuses on such approaches, and revisits their building blocks to provide a comprehensive view on the current achievements. To that end, we built a large experimental dataset and performed extensive experiments with variations in feature sets and learning algorithms. Eventually, our study highlights different approach configurations that yield best performing classifiers.
△ Less
Submitted 19 December, 2021;
originally announced December 2021.
-
Android Code Smells: From Introduction to Refactoring
Authors:
Sarra Habchi,
Naouel Moha,
Romain Rouvoy
Abstract:
Object-oriented code smells are well-known concepts in software engineering that refer to bad design and development practices commonly observed in software systems. With the emergence of mobile apps, new classes of code smells have been identified by the research community as mobile-specific code smells. These code smells are presented as symptoms of important performance issues or bottlenecks. D…
▽ More
Object-oriented code smells are well-known concepts in software engineering that refer to bad design and development practices commonly observed in software systems. With the emergence of mobile apps, new classes of code smells have been identified by the research community as mobile-specific code smells. These code smells are presented as symptoms of important performance issues or bottlenecks. Despite the multiple empirical studies about these new code smells, their diffuseness and evolution along change histories remains unclear. We present in this article a large-scale empirical study that inspects the introduction, evolution, and removal of Android code smells. This study relies on data extracted from 324 apps, a manual analysis of 561 smell-removing commits, and discussions with 25 Android developers. Our findings reveal that the high diffuseness of mobile-specific code smells is not a result of releasing pressure. We also found that the removal of these code smells is generally a side effect of maintenance activities as developers do not refactor smell instances even when they are aware of them.
△ Less
Submitted 14 October, 2020;
originally announced October 2020.
-
Learning to Catch Security Patches
Authors:
Arthur D. Sawadogo,
Tegawendé F. Bissyandé,
Naouel Moha,
Kevin Allix,
Jacques Klein,
Li Li,
Yves Le Traon
Abstract:
Timely patching is paramount to safeguard users and maintainers against dire consequences of malicious attacks. In practice, patching is prioritized following the nature of the code change that is committed in the code repository. When such a change is labeled as being security-relevant, i.e., as fixing a vulnerability, maintainers rapidly spread the change and users are notified about the need to…
▽ More
Timely patching is paramount to safeguard users and maintainers against dire consequences of malicious attacks. In practice, patching is prioritized following the nature of the code change that is committed in the code repository. When such a change is labeled as being security-relevant, i.e., as fixing a vulnerability, maintainers rapidly spread the change and users are notified about the need to update to a new version of the library or of the application. Unfortunately, oftentimes, some security-relevant changes go unnoticed as they represent silent fixes of vulnerabilities. In this paper, we propose a Co-Training-based approach to catch security patches as part of an automatic monitoring service of code repositories. Leveraging different classes of features, we empirically show that such automation is feasible and can yield a precision of over 90% in identifying security patches, with an unprecedented recall of over 80%. Beyond such a benchmarking with ground truth data which demonstrates an improvement over the state-of-the-art, we confirmed that our approach can help catch security patches that were not reported as such.
△ Less
Submitted 24 January, 2020;
originally announced January 2020.
-
Service-Oriented Re-engineering of Legacy JEE Applications: Issues and Research Directions
Authors:
Hafedh Mili,
Ghizlane El-Boussaidi,
Anas Shatnawi,
Yann-Gaël Guéhéneuc,
Naouel Moha,
Jean Privat,
Petko Vatlchev
Abstract:
Service-orientation views applications as orchestrations of independent software services that (1) implement functions that are reusable across many applications, (2) can be invoked remotely, and (3) are packaged to decouple potential callers from their implementation technology. As such, it enables organizations to develop quality applications faster than without services. Legacy applications are…
▽ More
Service-orientation views applications as orchestrations of independent software services that (1) implement functions that are reusable across many applications, (2) can be invoked remotely, and (3) are packaged to decouple potential callers from their implementation technology. As such, it enables organizations to develop quality applications faster than without services. Legacy applications are not service-oriented. Yet, they implement many reusable functions that could be exposed as \emph{services}. Organizations face three main issues when re-engineering legacy application to (re)use services: (1) to mine their existing applications for reusable functions that can become services, (2) to package those functions into services, and (3) to refactor legacy applications to invoke those services to ease future maintenance. In this paper, we explore these three issues and propose research directions to address them. We choose to focus on the service-oriented re-engineering of recent legacy object-oriented applications, and more specifically, on JEE applications, for several reasons. First, we wanted to focus on architectural challenges, and thus we choose to \textit{not} have to deal with programming language difference between source and target system. We chose JEE applications, in particular, because they embody the range of complexities that one can encounter in recent legacy applications, namely, multi-language systems, multi-tier applications, the reliance on external configuration files, and the reliance on frameworks and container services during runtime. These characteristics pose unique challenges for the three issues mentioned above.
△ Less
Submitted 3 June, 2019;
originally announced June 2019.
-
Static Code Analysis of Multilanguage Software Systems
Authors:
Anas Shatnawi,
Hafedh Mili,
Manel Abdellatif,
Yann-Gaël Guéhéneuc,
Naouel Moha,
Geoffrey Hecht,
Ghizlane El Boussaidi,
Jean Privat
Abstract:
Identifying dependency call graphs of multilanguage software systems using static code analysis is challenging. The different languages used in develo** today's systems often have different lexical, syntactical, and semantic rules that make thorough analysis difficult. Also, they offer different modularization and dependency mechanisms, both within and between components. Finally, they promote a…
▽ More
Identifying dependency call graphs of multilanguage software systems using static code analysis is challenging. The different languages used in develo** today's systems often have different lexical, syntactical, and semantic rules that make thorough analysis difficult. Also, they offer different modularization and dependency mechanisms, both within and between components. Finally, they promote and--or require varieties of frameworks offering different sets of services, which introduce hidden dependencies, invisible with current static code analysis approaches. In this paper, we identify five important challenges that static code analysis must overcome with multilanguage systems and we propose requirements to handle them. Then, we present solutions of these requirements to handle JEE applications, which combine server-side Java source code with a number of client-side Web dialects (e.g., JSP, JSF) while relying on frameworks (e.g., Web and EJB containers) that create hidden dependencies. Finally, we evaluate our implementations of the solutions by develo** a set of tools to analyze JEE applications to build a dependency call graph and by applying these tools on two sample JEE applications. Our evaluation shows that our tools can solve the identified challenges and improve the recall in the identification of multilanguage dependencies compared to standard JEE static code analysis and, thus, indirectly that the proposed requirements are useful to build multilanguage static code analysis.
△ Less
Submitted 3 June, 2019;
originally announced June 2019.
-
What Should You Know Before Develo** a Service Identification Approach
Authors:
Anas Shatnawi,
Hafedh Mili,
Manel Abdellatif,
Ghizlane El Boussaidi,
Yann-Gaël Guéhéneuc,
Naouel Moha,
Jean Privat
Abstract:
In this paper, we answer a set of research questions that are required to develop service identification approach based on the analysis of object- oriented software. Such research questions are: (1) what is a service, (2) how are services different from software components, (3) what are types of services, (4) what are existing service identification approaches that consider service types into acco…
▽ More
In this paper, we answer a set of research questions that are required to develop service identification approach based on the analysis of object- oriented software. Such research questions are: (1) what is a service, (2) how are services different from software components, (3) what are types of services, (4) what are existing service identification approaches that consider service types into account, and (5) how to identify services based on the object-oriented source code with respect to their types. Our methodology is based on performing a literature review to identify the answers of these research questions. Also, we propose a taxonomy of service types.
△ Less
Submitted 14 March, 2018;
originally announced March 2018.
-
Identifying KDM Model of JSP Pages
Authors:
Anas Shatnawi,
Hafedh Mili,
Manel Abdellatif,
Ghizlane El Boussaidi,
Jean Privat,
Yann-Gaël Guéhéneuc,
Naouel Moha
Abstract:
In this report, we propose our approach that identifies a KDM model of JSP pages. Our approach is based on two main steps. The first one aims to reduce the problem space by translating JSP pages into Java Servlets where we can use existing tools to identify a KDM model. The second step aims to complete the resulting KDM model by identifying dependencies of JSP tags that are not codified by the tra…
▽ More
In this report, we propose our approach that identifies a KDM model of JSP pages. Our approach is based on two main steps. The first one aims to reduce the problem space by translating JSP pages into Java Servlets where we can use existing tools to identify a KDM model. The second step aims to complete the resulting KDM model by identifying dependencies of JSP tags that are not codified by the translation step.
△ Less
Submitted 14 March, 2018;
originally announced March 2018.
-
A Static Program Slicing Approach for Output Stream Objects in JEE Applications
Authors:
Anas Shatnawi,
Hafedh Mili,
Manel Abdellatif,
Jean Privat,
Yann-Gaël Guéhéneuc,
Naouel Moha,
Ghizlane El Boussaidi
Abstract:
In this paper, we propose a program slicing approach for the output stream object in JEE applications. Our approach is based on extracting a dependency call graph from KDM models of JEE applications. Then, it applies breath-first search algorithm to identify the program slice as a graph reachability problem. The proposed approach is implemented as an extension of our DeJEE tool.
In this paper, we propose a program slicing approach for the output stream object in JEE applications. Our approach is based on extracting a dependency call graph from KDM models of JEE applications. Then, it applies breath-first search algorithm to identify the program slice as a graph reachability problem. The proposed approach is implemented as an extension of our DeJEE tool.
△ Less
Submitted 14 March, 2018;
originally announced March 2018.
-
How to Implement Dependencies in Server Pages of JEE Web Applications
Authors:
Anas Shatnawi,
Hafedh Mili,
Manel Abdellatif,
Ghizlane El Boussaidi,
Yann-Gaël Guéhéneuc,
Naouel Moha,
Jean Privat
Abstract:
Java Enterprise Edition (JEE) applications are implemented in terms of a set of components developed based on several JEE technologies includ- ing, but not limited to, Servlet, JSP, JSF, EJB, JavaBeans. These JEE technologies rely on a varied set of communication mechanisms to commu- nicate between each others. Examples of these communication mechanisms are HTTP requests, Remote Method Invocation…
▽ More
Java Enterprise Edition (JEE) applications are implemented in terms of a set of components developed based on several JEE technologies includ- ing, but not limited to, Servlet, JSP, JSF, EJB, JavaBeans. These JEE technologies rely on a varied set of communication mechanisms to commu- nicate between each others. Examples of these communication mechanisms are HTTP requests, Remote Method Invocation (RMI), Java DateBase Connectivity (JDBC), etc. These communication mechanisms represent program dependencies between JEE components. However, one communi- cation mechanism can be implemented following different implementation ways by different JEE technologies. Therefore, to be able to detect related dependencies, we identify these implementation ways used by a set of JEE technologies. In this technical report, we focus on the Web tier technologies that are Servlets, JSPs and JSFs. Also, we present how these technologies access the JavaBeans and Manage Beans components.
△ Less
Submitted 14 March, 2018;
originally announced March 2018.
