共查询到20条相似文献,搜索用时 0 毫秒
1.
软件静态缺陷检测是软件安全领域中的一个研究热点.随着使用C/C++语言编写的软件规模和复杂度的逐渐提高, 软件迭代速度的逐渐加快, 由于静态软件缺陷检测不需要运行目标代码即可发现其中潜藏的缺陷, 因而在工业界和学术界受到了更广泛的关注.近年来涌现大量使用软件静态分析技术的检测工具, 并在不同领域的软件项目中发挥了不可忽视的作用, 但是开发者仍然对静态缺陷检测工具缺乏信心.高误报率是C/C++静态缺陷检测工具难以普及的首要原因.因此, 我们选择现有较为完善的开源C/C++静态缺陷检测工具, 在Juliet基准测试集和37个良好维护的开源软件项目上对特定类型缺陷的检测效果进行了深入研究, 结合检测工具的具体实现归纳了导致静态缺陷检测工具产生误报的关键原因.同时, 我们通过研究静态缺陷检测工具的版本迁移轨迹, 总结出了当下静态分析工具的发展方向和未来趋势, 有助未来静态分析技术的优化和发展, 从而实现静态缺陷检测工具的普及应用. 相似文献
2.
随着开源软件项目的蓬勃发展,软件抄袭俨然已成为软件生态环境健康发展的威胁之一,其得到越来越多的研究人员、教育人员、开源社区及软件企业的关注,软件抄袭检测对于软件知识产权保护具有重要意义。本文对软件抄袭检测的研究现状和进展进行综述。首先介绍软件抄袭检测的意义和威胁模型;然后,根据应用场景和技术手段,从源代码抄袭检测、无源码场景下基于软件水印和基于软件胎记的抄袭检测三个方面,对现有软件抄袭检测技术进行阐述和比较;最后,通过分析软件抄袭检测研究存在的问题及其面临的挑战和实际需求,对未来研究方向进行了展望。 相似文献
3.
4.
Many techniques have been developed over the years to detect code clones in different software systems to maintain security measures. These techniques often require the source code to compare the subject system against a very large data set of big code. This paper presents index-based features extraction technique (IBFET) to detect code clones at a very large-scale level to billions of LOC at file level granularity. We performed preprocessing, indexing, and clone detection for more than 324 billion of LOC using a Hadoop distributed environment, which is quite faster and more efficient as compared to existing distributed indexing and clone detection techniques; meanwhile, it detects all three types of clones efficiently. The MapReduce rule of divide and conquer is used for a count and retrieve the similar features between different systems. We evaluated the execution time, scalability, precision, and recall of IBFET by using a well-known clone detection data set IJaDataset and BigCloneBench; furthermore, we compared the results with other state-of-the-art tools. Our approach is faster, flexible, scalable, and provides accurate results with high authenticity and can be implemented at a large-scale level. 相似文献
5.
软件测试性计算方法研究 总被引:1,自引:1,他引:0
在软件开发和评估过程中,软件测试性是一个越来越需要考虑的重要因素,对于软件测试性的计算则是指导软件进行有效测试的理论工具。目前,对软件测试性有几种不同的理解,从而导致测试性计算方法的不同。从探索这些不同定义间关系的角度出发,分类介绍了一些测试性计算方法,并分析了这两类方法之间的区别和联系。这种讨论有助于促进对软件测试性的理解,并能根据不同的情况选择不同的计算方法。 相似文献
6.
检测剽窃的源代码,在验证学生的作业中很重要。代码的相似度度量是剽窃检测的关键技术。首先本文介绍了源代码剽窃检测技术在国内外的发展情况,然后提出了一种改进的基于Karp-Rabin和GST算法的程序源代码相似度测量方法。 相似文献
7.
代码质量度量是软件质量分析的一个重要研究方向。静态分析方法因其具有成本低、容易实现而且不依赖于程序特定的运行环境的优点,在当前软件网络化、服务化的趋势下倍受关注。针对Java代码质量度量进行研究,使用Ant工具整合各种开源的静态测试工具,并制定基于静态分析的Java代码质量综合评价方案,可支持包括代码规模、规范性、可维护性、可扩展性和潜在危险等方面的综合检测,为项目的开发者、管理者和使用者提供了实用的代码质量评价方法。 相似文献
8.
GEORGE TRIANTAFYLLOS STAMATIS VASSILIADIS JOS
G. DELGADO-FRIAS 《Journal of Software: Evolution and Process》1996,8(3):199-224
In this paper, we report the findings of an investigation undertaken at IBM to determine whether or not existing software metrics are applicable to the microcode of large computer systems. As part of this investigation, we calculated several metrics from the microcode developed for the IBM 4381 and IBM 9370 computer systems, and used them as predictive parameters for a number of existing error prediction models. The microcode used in this case study exceeds 1.2 million lines of code written in 12 languages and comprises the microcode for the IBM ES/4381 and IBM ES/9370 computer systems. Our results suggest that only a few of the existing metrics are linearly independent, and that none of the metrics examined can be used in a regression model as a reliable error predictor. 相似文献
9.
Supaporn Kansomkeat Wanchai Rivepiboon 《Software Testing, Verification and Reliability》2008,18(4):193-219
Object‐oriented component engineering is increasingly used for system development, partly because it emphasizes portability and reusability. Each time a component is used, it must be retested in the new environment. Unfortunately, the data abstraction that components usually use results in low testability. First, internal variables cannot be directly set. Second, even though a test input may trigger a fault, the failure does not propagate to the output. This paper presents a technique to increase object‐oriented component testability, thereby making it easier to detect faults. Components are often sealed so that source code is not available. The program analysis is performed at the Java component bytecode level. A component's bytecode is analysed to create a control and data flow graph, which is then used to increase component testability by increasing both controllability and observability. We have implemented this technique and applied it to several components. Experimental results reveal that fault detection can be increased by using our increasing testability process. Copyright © 2008 John Wiley & Sons, Ltd. 相似文献
10.
软件测试是保证软件质量的重要手段。软件测试呈现向软件开发的前期发展、与软件开发的设计阶段和编码阶段相融合的发展趋势。软件的易测试性逐渐受到人们重视。合约式设计是一种有效的软件易测试性设计方法。本文介绍了软件易测试性设计的基本思想和主要方法,提出一种新的合约式设计方法,对现有各种基于Java语言的合约式设计工工具进行比较,开发了一种新的合约式设计工具,并通过实验验证了方法的有效性。 相似文献
11.
In this paper, we investigate how to incorporate program complexity measures with a software quality model. We collect software complexity metrics and fault counts from each build during the testing phase of a large commercial software system. Though the data are limited in quantity, we are able to predict the number of faults in the next build. The technique we used is called times series analysis and forecasting. The methodology assumes that future predictions are based on the history of past observations. We will show that the combined complexity quality model is an improvement over the simpler quality only model. Finally, we explore how the testing process used in this development may be improved by using these predictions and suggest areas for future research. 相似文献
12.
Software security can be improved by identifying and correcting vulnerabilities. In order to reduce the cost of rework, vulnerabilities should be detected as early and efficiently as possible. Static automated code analysis is an approach for early detection. So far, only few empirical studies have been conducted in an industrial context to evaluate static automated code analysis. A case study was conducted to evaluate static code analysis in industry focusing on defect detection capability, deployment, and usage of static automated code analysis with a focus on software security. We identified that the tool was capable of detecting memory related vulnerabilities, but few vulnerabilities of other types. The deployment of the tool played an important role in its success as an early vulnerability detector, but also the developers perception of the tools merit. Classifying the warnings from the tool was harder for the developers than to correct them. The correction of false positives in some cases created new vulnerabilities in previously safe code. With regard to defect detection ability, we conclude that static code analysis is able to identify vulnerabilities in different categories. In terms of deployment, we conclude that the tool should be integrated with bug reporting systems, and developers need to share the responsibility for classifying and reporting warnings. With regard to tool usage by developers, we propose to use multiple persons (at least two) in classifying a warning. The same goes for making the decision of how to act based on the warning. Copyright © 2012 John Wiley & Sons, Ltd. 相似文献
13.
Jun-Ru Chang Chao-Jung Hsu Tsung-Han Tsai 《International journal of systems science》2013,44(12):2314-2333
The rapid development of technology provides high performance and reliability for the hardware system; based on this, software engineers can focus their developed software on more convenience and ultra-high reliability. To reach this goal, the testing stage of software development life cycle usually takes more time and effort due to the growing complexity of the software. How to build software that can be tested efficiently has become an important topic in addition to enhancing and developing new testing methods. Thus, research on software testability has been conducted and various methods have been developed. In the past, a dynamic technique for estimating program testability was proposed and called propagation, infection and execution (PIE) analysis. Previous research studies have shown that PIE analysis can complement software testing. However, this method requires a lot of computational overhead in estimating the testability of software components. In this article, we propose an extended PIE (EPIE) method to accelerate the conventional PIE analysis, based on generating group testability as a substitute for statement testability. Our proposed method can be systematically separated into three steps: breaking a program into blocks, dividing the blocks into groups and marking target statements. Experiments and evaluations with the Siemens suite, together with cost-effectiveness analysis, clearly show that the number of analysed statements can be effectively decreased, and the calculated values of testability are still acceptable. 相似文献
14.
从理论上阐述了软件静态分析的概念、意义及分类,以及静态分析器与编译器的不同,并详细、系统地介绍了一个静态分析器的设计与实现。描述了它的关于软件系统信息和模块信息提取功能,又从实现的角度介绍了该分析器程序的系统结构及数据结构。初步的实践证明上述静态分析器可以提高数据采集效率,能够对程序系统信息及模块信息进行有效提取。 相似文献
15.
Software metrics are used to evaluate the software developmentprocess and the quality of the resultingproduct. We used five metrics during the testing phase of the Shuttle Mission Control Center (MCC) Upgrade (MCCU) at the National Aeronautics and Space Administration's (NASA) Johnson Space Center. All but one metric provided useful information. Based on our experience we recommend using metrics during the test phase of software development and propose additional candidate metrics for further study. 相似文献
16.
17.
Harry M. Sneed 《Journal of Software: Evolution and Process》1995,7(6):405-419
There are many approaches to try to comprehend software. Code can be statically analysed and its structure and content displayed as lists, tables or graphs. Most of the literature on software comprehension deals with this approach. Code can also be dynamically executed and its reaction to impulses from outside registered and documented. This is a useful approach to understanding object-orientated systems. A third approach is not to deal with the code at all, but instead to extract information from existing documents and to combine it into a whole. The problem here is that important documents are often missing and those that are available are out of date. A fourth approach is to interview the experts and to aggregate their views of the software, how it is composed and how it functions as opposed to how it should be composed and how it should function. All of these approaches have been examined and reported on by the participants of the ESPRIT DOCKET Project (1992). A fifth approach to software understanding, the one to be presented here, is that of comprehension through numbers by software managers, i.e. using metrics to support the decision making process. 相似文献
18.
19.
在基于软件产品度量值的缺陷预测中, 度量值主要是基于两个层次:类/文件层次和包/组件层次。类级别的预测模型通常会有更好的预测效率, 而包级别的模型往往能得到更好的查全率及查准率。提出综合类级别和包级别度量值进行缺陷预测的方法, 在类级别预测的基础上, 使用包级别预测的信息对类级别进行调整, 在类级别预测中融合包级别预测中所隐含的问题域信息。通过基于Eclipse3.0系统的实验发现, 该方法能够有效改善缺陷预测的效果。与类级别的缺陷预测模型相比, 综合包级别度量值的缺陷预测方法提高了5%到8%的查全率。同时在预测效率上, 测试出50%的缺陷, 使用该方法可以有效减少3.6%到9.84%的代码检查量。 相似文献
20.
源代码相似程度分析在软件工程和计算机教学等领域都有重要的应用.软件工程领域的源代码盗窃和著作权纠纷仲裁,计算机教学领域的学生作业作弊分析都需要源代码相似程度的分析.良好的源代码相似程序分析软件还可以应用于相似代码聚类和搜索引擎的源代码搜索领域.尽管源代码相似程度分析问题由来已久,但是这个问题并没有令人十分满意和惊喜的研究结果.源代码有其特殊结构,使用传统的纯文本相似度分析显然是不合适的.将首先介绍这个问题的研究历史和进展,简单分析这个问题的难点所在,继而介绍一个新的基于程序控制流图分析的源代码相似程度分析系统,并给出其算法和实现细节.文章最后将分析这个方法的优劣所在,讨论这个方法的进一步改进方向. 相似文献