Developer Recommendation for Software Security Bugs
Cite this article: SUN Xiao-Bing, ZHOU Cheng, YANG Hui, LI Bin. Developer Recommendation for Software Security Bugs[J]. Journal of Software, 2018, 29(8): 2294-2305.
Authors: SUN Xiao-Bing  ZHOU Cheng  YANG Hui  LI Bin
Affiliation: School of Information Engineering, Yangzhou University, Yangzhou 225123, Jiangsu; Shanghai Key Laboratory of Data Science, Fudan University, Shanghai 201203; School of Information Engineering, Yangzhou University, Yangzhou 225123, Jiangsu; School of Information Engineering, Yangzhou University, Yangzhou 225123, Jiangsu; School of Information Engineering, Yangzhou University, Yangzhou 225123, Jiangsu
Funding: National Natural Science Foundation of China (61402396, 61472344); NSFC International Cooperation and Exchange Program (61611540347); Open Project of the State Key Laboratory for Novel Software Technology, Nanjing University (KFKT2016B21); Qing Lan Project of Jiangsu Province; Natural Science Foundation of Yangzhou (YZ2017113).
Abstract: Security bugs often arise during software development and maintenance, and they expose both the software and its users to considerable risk. When security bugs are fixed, the required fix level and quality are usually higher than for ordinary bugs, so it is very important to recommend developers with rich security experience who can fix these bugs promptly and effectively. Existing developer recommendation techniques consider only a developer's historical development content and rarely take into account factors such as the developer's experience in fixing security bugs and the quality of those fixes, so they are not suited to recommending developers for security bugs. This paper proposes SecDR, an effective software developer recommendation method for fixing security bugs. When recommending developers, SecDR considers not only a developer's (security-related) historical development content but also factors such as the developer's fix quality and the complexity of the bugs they have fixed in the past. In addition, SecDR implements recommendation at multiple experience levels: junior developers are recommended for simple security bugs and senior developers for complex ones. The effectiveness of SecDR's recommendations is validated on three open-source projects (Mozilla, Libgdx, ElasticSearch). Comparative experiments show that, for security bugs, SecDR's recommendation accuracy is on average 19%~42% higher than that of other methods (e.g., DR_PSF). The experiments also compare SecDR with the actual developer assignments, and the results show that SecDR is better at avoiding unreasonable developer assignments.

Keywords: security bug  developer recommendation  bug repository  bug assignment  software maintenance
Received: 2017/7/17
Revised: 2018/1/12

Developer Recommendation for Software Security Bugs
SUN Xiao-Bing,ZHOU Cheng,YANG Hui and LI Bin.Developer Recommendation for Software Security Bugs[J].Journal of Software,2018,29(8):2294-2305.
Authors:SUN Xiao-Bing  ZHOU Cheng  YANG Hui and LI Bin
Affiliation: School of Information Engineering, Yangzhou University, Yangzhou 225127, China; Shanghai Key Laboratory of Data Science, Fudan University, Shanghai 201203, China; School of Information Engineering, Yangzhou University, Yangzhou 225127, China; School of Information Engineering, Yangzhou University, Yangzhou 225127, China; School of Information Engineering, Yangzhou University, Yangzhou 225127, China
Abstract: Security bugs commonly emerge during software development and maintenance and create security risks once the software is deployed. They need to be fixed with higher quality and patched faster than other types of bugs. Recommending developers to fix security bugs is therefore one of the important tasks in the security bug fixing process. Several developer recommendation techniques have been proposed for bug fixing, but most of them do not take the developers' security experience and fixing quality into account when making recommendations. In this paper, we propose a novel approach, SecDR (Security Developer Recommendation), which recommends developers based on their fixing quality and on the complexity of the security bugs they have fixed in the past. In addition, SecDR recommends junior developers for simple bugs and senior developers for complex bugs. An empirical study on three open-source subjects (Mozilla, Libgdx and ElasticSearch) is conducted to evaluate the effectiveness of SecDR. In this study, SecDR is also compared with the state-of-the-art developer recommendation technique DR_PSF. The results show that SecDR's accuracy improves over DR_PSF, with gains ranging from 19% to 42%. Moreover, we compare SecDR's results with the actual developer allocation, and the results show that SecDR recommends developers effectively, even outperforming the developer allocation observed in the real bug assignment environment.
Keywords:security bug fix  developer recommendation  bug repository  bug assignment  software maintenance