Abstract: Usability and the use of automated static analysis tools in the software development process have been an evolving subject of research in the last decades. Several studies shed light on issues like high false positive rates and low comprehensibility, which hinder tool adoption even for software engineers. Yet, the tools' perceived usefulness and ease of use play a much larger role when it comes to untrained software developers, as is usually the case in scientific software development. In this paper, we outlin…
“…
• Classical hypotheses of empirical software engineering, like on the correlation of repository metrics such as code churn and the number of found vulnerabilities or bugs [12], can be tested for the CWA case study.
• The usage of static analysis tools can be investigated, answering questions like how effective certain tools, or combinations thereof, were in uncovering bugs or vulnerabilities [5] or how understandable and usable their reports were [7].
• Characteristics of the vulnerability management in the CWA app development process can be analyzed quantitatively, using metrics like mean time to fix [6], or qualitatively, using fault tree analysis.
…”
Section: Store Results With Commit Hashes
“…The usability of static analysis is known to be influenced by factors such as false-positive ratio, understandable and actionable analysis results, and integration with developer workflow [7,16]. Experiences in large-scale application of static analysis show that integration with developer workflow and reporting bugs as soon as possible is important.…”
Section: Code Audit With Static Analysis
“…Due to the various involved static analysis tools and their differing report formatting and output granularity, the tools' findings need to be consolidated such that, for example, duplicated findings can be identified. The tools' reports are therefore parsed to extract the locations and types of found bugs or vulnerabilities; the latter is additionally normalized using the Common Weakness Enumeration (CWE) and other bug ontologies. Interlinking the tools' findings with provenance information is done via the respective snapshot's commit hash.…”
Section: Retrospective Code Analysis For Open Source Software Projects
Software repositories contain information about source code, software development processes, and team interactions. We combine provenance of the development process with code security analysis to automatically discover insights. This provides fast feedback on the software's design and security issues, which we evaluate on projects that are developed under time pressure, such as Germany's COVID-19 contact tracing app 'Corona-Warn-App'.
CCS CONCEPTS
• Security and privacy → Software security engineering
• Software and its engineering → Software libraries and repositories; Software defect analysis
• Information systems → Data mining
• Human-centered computing → Open source software
“…In [7,8], general questions of constructing special-purpose software for scientific use are considered, and the possibility of using the C++ language for such tasks is shown. In [8], very important questions of using special-purpose software such as static analyzers in the development of scientific software are covered, as well as the specifics of using statically and dynamically typed languages.…”
Section: Applied software for modeling the parameters ...
An applied scientific and technical problem of constructing software for studying the parameters of quartz piezoelectric elements with an interelectrode gap has been solved. An analytical review of the issues arising during parameter modeling, and of the main approaches to constructing scientific software using universal mathematical packages and narrowly specialized programs, has been conducted. The structure of the software components has been developed using object-oriented design and programming principles. A subroutine library for calculating the physical parameters of quartz elements has been developed in the Python programming language. The software can be extended by using additional refined mathematical models. Figs.: 3. Bibl.: 14 titles.