Scientific Developers v/s Static Analysis Tools: Vision and Position Paper

Abstract: Usability and the use of automated static analysis tools in the software development process have been an evolving subject of research in the last decades. Several studies shed light on issues like high false positive rates and low comprehensibility, which hinder tool adoption for even software engineers. Yet, the tools' perceived usefulness and ease of use play a much larger role when it comes to untrained software developers, as is usually the case in scientific software development. In this paper, we outlin… Show more

“…• Classical hypotheses of empirical software engineering, like on the correlation of repository metrics as code churn and the number of found vulnerabilities or bugs [12], can be tested for the CWA case study. • The usage of static analysis tools can be investigated, answering questions like how effective certain tools-or combinations thereof-were in uncovering bugs or vulnerabilities [5] or how understandable and usable their reports were [7]. • Characteristics of the vulnerability management in the CWA app development process can be analyzed quantitatively, using metrics like mean time to fix [6], or qualitatively, using fault tree analysis.…”

“…The usability of static analysis is known to be influenced by factors such as false-positive ratio, understandable and actionable analysis results, and integration with developer workflow [7,16]. Experiences in large-scale application of static analysis shows, that integration with developer workflow and reporting bugs as soon as possible is important.…”

“…Due to the various involved static analysis tools and their differing report formatting and output granularity, the tools' findings need to be consolidated such that, for example, duplicated findings can be identified. The tools' reports are therefore parsed to extract the locations and types of found bugs or vulnerabilities; the latter is additionally normalized using the Common Weakness Enumeration (CWE) 7 and other bug ontologies. Interlinking the tools findings with provenance information is done via the respective snapshot's commit hash.…”

Towards automated, provenance-driven security audit for git-based repositories: applied to germany's corona-warn-app: vision paper

“…• Classical hypotheses of empirical software engineering, like on the correlation of repository metrics as code churn and the number of found vulnerabilities or bugs [12], can be tested for the CWA case study. • The usage of static analysis tools can be investigated, answering questions like how effective certain tools-or combinations thereof-were in uncovering bugs or vulnerabilities [5] or how understandable and usable their reports were [7]. • Characteristics of the vulnerability management in the CWA app development process can be analyzed quantitatively, using metrics like mean time to fix [6], or qualitatively, using fault tree analysis.…”

“…The usability of static analysis is known to be influenced by factors such as false-positive ratio, understandable and actionable analysis results, and integration with developer workflow [7,16]. Experiences in large-scale application of static analysis shows, that integration with developer workflow and reporting bugs as soon as possible is important.…”

“…Due to the various involved static analysis tools and their differing report formatting and output granularity, the tools' findings need to be consolidated such that, for example, duplicated findings can be identified. The tools' reports are therefore parsed to extract the locations and types of found bugs or vulnerabilities; the latter is additionally normalized using the Common Weakness Enumeration (CWE) 7 and other bug ontologies. Interlinking the tools findings with provenance information is done via the respective snapshot's commit hash.…”

Towards automated, provenance-driven security audit for git-based repositories: applied to germany's corona-warn-app: vision paper

“…В [7,8] розглянуто загальні питання до побудови спеціального програмного забезпечення наукового призначення, показано можливість використання мови C++ для таких задач. В [8] висвітлюються дуже важливі питання використання спеціального програмного забезпечення на кшталт статичних аналізаторів у розробці наукового програмного забезпечення, особливості використання мов зі статичної та динамічною типізацією.…”

Applied software for modeling parameters of sensors based on quartz piezoelectric elements

Provenance-Based Security Audits and Its Application to COVID-19 Contact Tracing Apps