面向软件安全性缺陷的开发者推荐方法
作者:
作者简介:

孙小兵(1985-),男,江苏姜堰人,博士,副教授,CCF高级会员,主要研究领域为软件工程;杨辉(1990-),男,硕士,主要研究领域为软件技术;周澄(1985-),女,博士生,讲师,CCF学生会员,主要研究领域为智能软件分析;李斌(1965-),男,博士,教授,博士生导师,CCF高级会员,主要研究领域为软件技术

通讯作者:

孙小兵,E-mail:xbsun@yzu.edu.cn;李斌,E-mail:lb@yzu.edu.cn

基金项目:

国家自然科学基金(61402396,61472344,61611540347);计算机软件新技术国家重点实验室(南京大学)开放课题(KFKT2018B12);江苏省青蓝工程;中国博士后科学基金(2015M571489);扬州市自然科学基金(YZ2017113)


Developer Recommendation for Software Security Bugs
Author:
Fund Project:

National Natural Science Foundation of China (61402396, 61472344, 61611540347); Open Funds of State Key Laboratory for Novel Software Technology (Nanjing University) (KFKT2018B12); Jiangsu Qin Lan Project; China Postdoctoral Science Foundation (2015M571489); Natural Science Foundation of Yangzhou City (YZ2017113)

  • 摘要
  • | |
  • 访问统计
  • |
  • 参考文献 [20]
  • |
  • 相似文献 [20]
  • | | |
  • 文章评论
    摘要:

    软件开发与维护过程中常会出现一些安全性缺陷,这些安全性缺陷会给软件和用户带来很大的风险.安全性缺陷在修复过程中,其修复级别和质量要求往往高于一般性的缺陷,因此,推荐出富有安全性经验的开发者及时、有效地修复这些安全性缺陷非常重要.现有的开发者推荐技术在推荐开发者时仅仅考虑了开发者的历史开发内容,很少考虑到开发人员的安全性缺陷修复经验和修复质量等因素,所以这些技术不适用于安全性缺陷的开发者推荐.针对安全性缺陷的修复,提出了一种有效的软件开发者推荐方法SecDR.SecDR在推荐开发者时不仅考虑了开发者的历史开发内容(与安全性相关),还分析了开发者的修复质量和历史修复缺陷的复杂度等因素.此外,SecDR还实现了开发者的多经验级别推荐:推荐初级开发者修复简单的安全性缺陷、高级开发者修复复杂的安全性缺陷.在3个开源项目(Mozilla,Libgdx,ElasticSearch)上分别对SecDR推荐开发者进行有效性验证.对比实验表明,SecDR针对安全性缺陷推荐开发者相比于其他方法(如DR_PSF)的推荐精度平均高出19%~42%.另外,实验对比了SecDR与实际开发人员的分配情况,结果显示,SecDR可以更好地规避不合理的软件开发者的推荐.

    Abstract:

    Security bugs are commonly emerged bugs during the software development and maintenance, which cause security risks during software deployment. Security bugs need to be fixed with high quality and patched faster than other types of bugs. Recommending developers to fix security bugs is one of the important tasks during the security bug fixing process. Some developer recommendation techniques have been proposed to fix the bugs, but most of these techniques did not recommend developers considering their security experience and bug fixing quality. In this paper, an approach, SecDR (security developer recommendation), is proposed to recommend developers by considering the historical data on the quality and complexity of their security bug fixes. In addition, SecDR recommends junior developers for simple bugs, and recommends senior developers for complex bugs. An empirical study on three open source subjects (Mozilla, Libgdx and ElasticSearch) are conducted to evaluate the effectiveness of SecDR. In this study, SecDR is also compared with the state-of-art developer recommendation technique, DR_PSF, to evaluate the effectiveness of developer recommendation. Results show that the accuracy of SecDR is improved over DR_PSF with gain values ranging from 19% to 42%. Moreover, the results of SecDR is also compared with actual developer allocation, and results show that SecDR can effectively recommend developers, which is even better than the developer allocation in the real bug assignment environment.

    参考文献
    [1] Gegick M, Rotella P, Xie T. Identifying security bug reports via text mining:An industrial case study. In:Proc. of the 7th Int'l Working Conf. on Mining Software Repositories. 2010. 11-20.
    [2] Zaman S, Adams B, Hassan AE. Security versus performance bugs:A case study on firefox. In:Proc. of the 8th Working Conf. on Mining Software Repositories. 2011. 93-102.
    [3] Witschey J, Zielinska O, Welk A, Murphy-Hill E, Mayhorn C, Zimmermann T. Quantifying developers' adoption of security tools. In:Proc. of the 10th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2015). 2015. 260-271.
    [4] Mitropoulos D, Gousios G, Spinellis D. Measuring the occurrence of security-related bugs through software evolution. In:Proc. of the 16th Panhellenic Conf. on Informatics. 2012. 117-122.
    [5] Shokripour R, Anvik J, Kasirun ZM, Zamani S. A time-based approach to automatic bug report assignment. Journal of Systems and Software, 2015,102:109-122.
    [6] Yang H, Sun X, Li B, Hu J. Recommending developers with supplementary information for issue request resolution. In:Proc. of the 38th Int'l Conf. on Software Engineering Companion. 2016. 707-709.
    [7] Yang H, Sun XB, Li B, Duan YC. DR_PSF:Enhancing developer recommendation by leveraging personalized source-code files. In:Proc. of the 40th IEEE Computer Society Int'l Conf. on Computers, Software and Applications. 2016. 239-244.
    [8] Sun X, Liu X, Hu J, Zhu J. Empirical studies on the nlp techniques for source code data preprocessing. In:Proc. of the 3rd Int'l Workshop on Evidential Assessment of Software Technologies (EAST 2014). 2014. 32-39.
    [9] Porter MF. An Algorithm for Suffix Stripping. Morgan Kaufmann Publishers, Inc., 1997. 130-137.
    [10] Sun X, Yang H, Leung H, Li B, Li HJ, Liao L. Effectiveness of exploring historical commits for developer recommendation:An empirical study. Frontier of Computer Science, 2018,12(3):528-544.
    [11] Hossen H, Kagdi HH, Poshyvanyk D. Amalgamating source code authors, maintainers, and change proneness to triage change requests. In:Proc. of the 22nd Int'l Conf. on Program Comprehension (ICPC 2014). 2014. 130-141.
    [12] Zhang W, Han G, Wang Q. Butter:An approach to bug triage with topic modeling and heterogeneous network analysis. In:Proc. of the 2014 Int'l Conf. on Cloud Computing and Big Data (CCBD 2014). 2014. 62-69.
    [13] Wang S, Zhang W, Wang Q. FixerCache:Unsupervised caching active developers for diverse bug triage. In:Proc. of the 8th ACM/IEEE Int'l Symp. on Empirical Software Engineering and Measurement (ESEM 2014). 2014. 25:1-25:10.
    [14] Zhang W, Wang S, Wang Q. Ksap:An approach to bug report assignment using KNN search and heterogeneous proximity. Information and Software Technology, 2016,70:68-84.
    [15] Xia X, Lo D, Wang X, Zhou B. Dual analysis for recommending developers to resolve bugs. Journal of Software:Evolution and Process, 2015,27(3):195-220.
    [16] Mitropoulos D, Gousios G, Spinellis D. Measuring the occurrence of security-related bugs through software evolution. In:Proc. of the 16th Panhellenic Conf. on Informatics. 2012. 117-122.
    [17] Yin Z, Yuan D, Zhou Y, Pasupathy S, Bairavasundaram L. How do fixes become bugs? In:Proc. of the 19th ACM SIGSOFT Symp. and the 13th European Conf. on Foundations of Software Engineering (ESEC/FSE 2011). 2011. 26-36.
    [18] Zhang T, Yang G, Lee B, Lua EK. A novel developer ranking algorithm for automatic bug triage using topic model and developer relations. In:Proc. of the 21st Asia-Pacific Software Engineering Conf. (APSEC 2014). 2014. 223-230.
    [19] Xia X, Lo D, Wang X, Zhou B. Accurate developer recommendation for bug resolution. In:Proc. of the 20th Working Conf. on Reverse Engineering (WCRE 2013). 2013. 72-81.
    [20] Sun X, Yang H, Xia X, Li B. Enhancing developer recommendation with supplementary information via mining historical commits. Journal of Systems and Software, 2017,134:355-368.
    引证文献
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

孙小兵,周澄,杨辉,李斌.面向软件安全性缺陷的开发者推荐方法.软件学报,2018,29(8):2294-2305

复制
分享
文章指标
  • 点击次数:4741
  • 下载次数: 5848
  • HTML阅读次数: 3049
  • 引用次数: 0
历史
  • 收稿日期:2017-07-17
  • 最后修改日期:2018-01-12
  • 在线发布日期: 2018-03-13
文章二维码
您是第19894485位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号