共查询到20条相似文献,搜索用时 31 毫秒
1.
Capra Eugenio Francalanci Chiara Merlo Francesco 《IEEE transactions on pattern analysis and machine intelligence》2008,34(6):765-782
The relationship among software design quality, development effort, and governance practices is a traditional research problem. However, the extent to which consolidated results on this relationship remain valid for open source (OS) projects is an open research problem. An emerging body of literature contrasts the view of open source as an alternative to proprietary software and explains that there exists a continuum between closed and open source projects. This paper hypothesizes that as projects approach the OS end of the continuum, governance becomes less formal. In turn a less formal governance is hypothesized to require a higher-quality code as a means to facilitate coordination among developers by making the structure of code explicit and facilitate quality by removing the pressure of deadlines from contributors. However, a less formal governance is also hypothesized to increase development effort due to a more cumbersome coordination overhead. The verification of research hypotheses is based on empirical data from a sample of 75 major OS projects. Empirical evidence supports our hypotheses and suggests that software quality, mainly measured as coupling and inheritance, does not increase development effort, but represents an important managerial variable to implement the more open governance approach that characterizes OS projects which, in turn, increases development effort. 相似文献
2.
3.
在程序理解和软件逆向工程研究中,找到准确和快速地描述软件的设计模式和待识别源代码的方法,对于构建合理的设计模式识别框架和高效的识别算法是至关重要的。运用无向图的邻接表和连通分量的原理,提出类与类之间关联度的概念,由待识别源代码构建一个关联类集合,旨在减小设计模式识别算法的搜索空间;根据设计模式的特征,提出基于关联度和特征约束的设计模式识别算法。对Junit、JHotDraw和JreFactory 3个开源应用程序进行的设计模式识别表明,该算法能够准确高效地完成对源代码设计模式的识别。 相似文献
4.
一种基于安全状态跟踪检查的漏洞静态检测方法 总被引:4,自引:0,他引:4
现有的采用基于源代码分析的漏洞静态检测方法中存在的主要问题是误报率和漏报率较高.主要原因之一是缺乏对数据合法性检查与非可信数据源等程序安全相关元素的精确有效的识别分析.文中提出了一种基于数据安全状态跟踪和检查的安全漏洞静态检测方法.该方法对漏洞状态机模型的状态空间进行了扩展,使用对应多个安全相关属性的向量标识变量安全状态,细化了状态转换的粒度以提供更为精确的程序安全行为识别;在漏洞状态机中引入了对合法性检查的识别,有效降低了误报的发生;建立了系统化的非可信数据鉴别方法,可防止由于 遗漏非可信数据源而产生的漏报.基于此方法的原型系统的检测实验表明:文中方法能够有效检测出软件系统中存在的缓冲区溢出等安全漏洞,误报率明显降低,并能避免现有主流静态检测方法中存在的一些严重漏报. 相似文献
5.
The security of software systems can be threatened by many internal and external threats, including data leakages due to timing channels. Even if developers manage to avoid security threats in the source code or bytecode during development and testing, new threats can arise as the compiler generates machine codes from representations at the binary code level during execution on the processor or due to operating system specifics. Current approaches either do not allow the neutralization of timing channels to be achieved comprehensively with a sufficient degree of security or require an unjustifiable amount of time and/or resources. Herein, a method is demonstrated for the protected execution of software based on a secure virtual execution environment (VEE) that combines the results from dynamic and static analyses to find timing channels through the application of code transformations. This solution complements other available techniques to prevent timing channels from being exploited. This approach helps control the appearance and neutralization of timing channels via just-in-time code modifications during all stages of program development and usage. This work demonstrates the identification of threats using timing channels as an example. The approach presented herein can be expanded to the neutralization of other types of threats. 相似文献
6.
7.
在软件开发的编程现场,有大量与当前开发任务相关的信息,比如代码上下文信息、用户开发意图等.如果能够根据已有的编程现场上下文给开发人员推荐当前代码行,不仅能够帮助开发人员更好地完成开发任务,还能提高软件开发的效率.而已有的一些方法通常是进行代码修复或者补全,又或者只是基于关键词匹配的搜索方法,很难达到推荐完整代码行的要求.针对上述问题,一种可行的解决方案是基于已有的海量源码数据,利用深度学习析取代码行的相关上下文因子,挖掘隐含的上下文信息,为精准推荐提供基础.因此,提出了一种基于深度学习的编程现场上下文深度感知的代码行推荐方法,能够在已有的大规模代码数据集中学习上下文之间潜在的关联关系,利用编程现场已有的源码数据和任务数据得到当前可能的代码行,并推荐Top-N给编程人员.代码行深度感知使用RNN Encoder-Decoder,该框架能够将编程现场已有的若干行上文代码行进行编码,得到一个包含已有代码行上下文信息的向量,然后根据该向量进行解码,得到预测的Top-N代码行输出.利用在开源平台上收集的大规模代码行数据集,对方法进行实验并测试,结果显示,该方法能够根据已有的上下文推荐相关的代码行给开发人员,Top-10的推荐准确率有60%左右,并且MRR值在0.3左右,表示用户满意的推荐项排在N个推荐结果中比较靠前的位置. 相似文献
8.
9.
由于软件代码复用和第三方SDK的广泛使用,开源组件普遍存在于物联网设备固件中.威胁固件的安全漏洞往往存在于组件的某些特定版本中,识别物联网设备固件中开源二进制组件的版本信息,对于物联网的安全评估与应急响应意义重大.现有的基于版本字符串的版本信息提取方法不适用于组件版本字符串缺失的情况.设计和实现了一种不依赖于版本字符串的开源组件版本识别方法Protues.该方法的核心思想是通过开源组件相邻版本源码间的差异构造一条版本差异链,从而将版本识别问题转化为待查组件在版本差异链上的滑动查询问题.进一步地,为了提高识别准确率,采用条件判断表达式来表征版本差异链上的节点.为了验证该方法的实用性,对来自于4种开源组件Samba,Msmtp,Nginx和Libgcrypt的共428个二进制文件进行了版本识别实验,实验结果表明,该方法能够准确识别的版本数达到418个,识别准确率约为98%. 相似文献
10.
针对在高层次综合(HLS)过程中性能提升、功耗降低困难等问题,提出了一种面向高层次综合的自定义指令自动识别方法。在高层次综合过程之前实现对自定义指令的枚举和选择,从而为高层次综合提供通用的自定义指令识别方法。首先,将高层次源代码转换为控制数据流图(CDFG),实现了对源代码的预处理;其次,基于控制数据流图内的数据流图(DFG),采用子图枚举算法以自底而上的方式枚举出所有连通凸子图,有效提高了用户可灵活修改约束条件的能力;然后,分别从面积、性能和代码量三个角度考虑,利用子图选择算法选择部分最佳子图作为最终的自定义指令;最后,用所选的自定义指令重新生成新代码作为高层次综合工具的输入。与传统高层次综合相比,采用基于出现频率的模式选择可平均减少19.1%的面积,采用基于关键路径的子图选择可平均减少22.3%的时延。此外,与TD算法相比,所提算法的枚举效率平均提升70.8%。实验结果表明,自定义指令自动识别方法使高层次综合在电路设计中能够显著地提升性能,减少面积和代码量。 相似文献
11.
Nico Zazworka Antonio Vetro’ Clemente Izurieta Sunny Wong Yuanfang Cai Carolyn Seaman Forrest Shull 《Software Quality Journal》2014,22(3):403-426
Software systems accumulate technical debt (TD) when short-term goals in software development are traded for long-term goals (e.g., quick-and-dirty implementation to reach a release date versus a well-refactored implementation that supports the long-term health of the project). Some forms of TD accumulate over time in the form of source code that is difficult to work with and exhibits a variety of anomalies. A number of source code analysis techniques and tools have been proposed to potentially identify the code-level debt accumulated in a system. What has not yet been studied is if using multiple tools to detect TD can lead to benefits, that is, if different tools will flag the same or different source code components. Further, these techniques also lack investigation into the symptoms of TD “interest” that they lead to. To address this latter question, we also investigated whether TD, as identified by the source code analysis techniques, correlates with interest payments in the form of increased defect- and change-proneness. Comparing the results of different TD identification approaches to understand their commonalities and differences and to evaluate their relationship to indicators of future TD “interest.” We selected four different TD identification techniques (code smells, automatic static analysis issues, grime buildup, and Modularity violations) and applied them to 13 versions of the Apache Hadoop open source software project. We collected and aggregated statistical measures to investigate whether the different techniques identified TD indicators in the same or different classes and whether those classes in turn exhibited high interest (in the form of a large number of defects and higher change-proneness). The outputs of the four approaches have very little overlap and are therefore pointing to different problems in the source code. Dispersed Coupling and Modularity violations were co-located in classes with higher defect-proneness. We also observed a strong relationship between Modularity violations and change-proneness. Our main contribution is an initial overview of the TD landscape, showing that different TD techniques are loosely coupled and therefore indicate problems in different locations of the source code. Moreover, our proxy interest indicators (change- and defect-proneness) correlate with only a small subset of TD indicators. 相似文献
12.
Georgia Frantzeskou Author Vitae Stephen MacDonell Author Vitae 《Journal of Systems and Software》2008,81(3):447-460
The use of Source Code Author Profiles (SCAP) represents a new, highly accurate approach to source code authorship identification that is, unlike previous methods, language independent. While accuracy is clearly a crucial requirement of any author identification method, in cases of litigation regarding authorship, plagiarism, and so on, there is also a need to know why it is claimed that a piece of code is written by a particular author. What is it about that piece of code that suggests a particular author? What features in the code make one author more likely than another? In this study, we describe a means of identifying the high-level features that contribute to source code authorship identification using as a tool the SCAP method. A variety of features are considered for Java and Common Lisp and the importance of each feature in determining authorship is measured through a sequence of experiments in which we remove one feature at a time. The results show that, for these programs, comments, layout features and package-related naming influence classification accuracy whereas user-defined naming, an obvious programmer related feature, does not appear to influence accuracy. A comparison is also made between the relative feature contributions in programs written in the two languages. 相似文献
13.
Williams C.C. Hollingsworth J.K. 《IEEE transactions on pattern analysis and machine intelligence》2005,31(6):466-480
We describe a method to use the source code change history of a software project to drive and help to refine the search for bugs. Based on the data retrieved from the source code repository, we implement a static source code checker that searches for a commonly fixed bug and uses information automatically mined from the source code repository to refine its results. By applying our tool, we have identified a total of 178 warnings that are likely bugs in the Apache Web server source code and a total of 546 warnings that are likely bugs in Wine, an open-source implementation of the Windows API. We show that our technique is more effective than the same static analysis that does not use historical data from the source code repository. 相似文献
14.
陈谊楠 《电脑编程技巧与维护》2012,(4):35-36,57
目前传统的Web应用程序访问数据库的方法是SQL代码嵌入在domain/business类中,一旦系统出现改动,就要修改源代码。目前比较通用的方法是SQL代码写在独立的一个或多个数据类中或在存储过程中,这种方法能压缩源代码。提出了通用数据类的概念。采用通用数据类,使程序开发人员摆脱开SQL和事务,达到了快速开发的目的。利用ADO.NET和XML技术实现了数据访问层的思想,并实现了事务集中处理。 相似文献
15.
Polymorphism is one of the most important features offered by object-oriented programming languages, since it allows to extend/modify the behavior of a class without altering its source code, in accordance to the Open/Closed Principle. However, there is a lack of methods and tools for the identification of places in the code of an existing system that could benefit from the employment of polymorphism. In this paper we propose a technique that extracts refactoring suggestions introducing polymorphism. The approach ensures the behavior preservation of the code and the applicability of the refactoring suggestions based on the examination of a set of preconditions. 相似文献
16.
17.
The identification of the transmissivity, T, of a confined aquifer, for which the 2D flow condition holds, can be obtained with the differential system method when several sets of data are available. If we consider stationary flow conditions, the necessary data are at least two couples of piezometric heads and source terms such that the two hydraulic gradients are not parallel at any point, and the value of T at one point only. The method has been implemented in the computer code dsm.f90, developed with the FORTRAN 90 programming language. The computer code allows the user to input several sets of data, an initial estimate of the T field or alternatively several starting points for the integration of the differential system. Moreover, the code performs several checks to identify the T field in a robust way and to avoid unphysical results, e.g. negative or very large values of T. 相似文献
18.
There has been an ongoing trend toward collaborative software development using open and shared source code published in large software repositories on the Internet. While traditional source code analysis techniques perform well in single project contexts, new types of source code analysis techniques are ermerging, which focus on global source code analysis challenges. In this article, we discuss how the Semantic Web, can become an enabling technology to provide a standardized, formal, and semantic rich representations for modeling and analyzing large global source code corpora. Furthermore, inference services and other services provided by Semantic Web technologies can be used to support a variety of core source code analysis techniques, such as semantic code search, call graph construction, and clone detection. In this paper, we introduce SeCold, the first publicly available online linked data source code dataset for software engineering researchers and practitioners. Along with its dataset, SeCold also provides some Semantic Web enabled core services to support the analysis of Internet-scale source code repositories. We illustrated through several examples how this linked data combined with Semantic Web technologies can be harvested for different source code analysis tasks to support software trustworthiness. For the case studies, we combine both our linked-data set and Semantic Web enabled source code analysis services with knowledge extracted from StackOverflow, a crowdsourcing website. These case studies, we demonstrate that our approach is not only capable of crawling, processing, and scaling to traditional types of structured data (e.g., source code), but also supports emerging non-structured data sources, such as crowdsourced information (e.g., StackOverflow.com) to support a global source code analysis context. 相似文献
19.
代码克隆检测在剽窃检测、版权侵犯调查、软件演化分析、代码压缩、错误检测,以及寻找bug,发现复用模式等方面有重要作用。现有的代码克隆检测工具算法复杂,或需要消耗大量的计算资源,不适用于规模巨大的代码数据。为了能够在大规模的数据上检测代码克隆,提出了一种新的代码克隆检测算法。该算法结合数据消重中的基于内容可变长度分块(content-defined chunking,CDC)思想和网页查重中的Simhash算法思想,采用了对代码先分块处理再模糊匹配的方法。在一个包含多种开源项目,超过5亿个代码文件,共约10 TB代码内容的数据源上,实现了该算法。通过实验,比较了不同分块长度对代码克隆检测率和所需要时间的影响,验证了新算法可以运用于大规模代码克隆检测,并且能够检测出一些级别3的克隆代码,达到了较高的准确率。 相似文献
20.
开源代码托管平台为软件开发行业带来了活力和机遇,但存在诸多安全隐患.开源代码的不规范性、项目依赖库的复杂性、漏洞披露平台收集漏洞的被动性等问题都影响着开源项目及引入开源组件的闭源项目的 安全,大部分漏洞修复行为无法及时被察觉和识别,进而将各类项目的 安全风险直接暴露给攻击者.为了全面且及时地发现开源项目中的漏洞修复行为... 相似文献