Developer Recommendation for Software Security Bugs
Authors: Sun Xiaobing, Zhou Cheng, Yang Hui, Li Bin

Funding:

National Natural Science Foundation of China (61402396, 61472344, 61611540347); Open Funds of the State Key Laboratory for Novel Software Technology (Nanjing University) (KFKT2018B12); Jiangsu Qing Lan Project; China Postdoctoral Science Foundation (2015M571489); Natural Science Foundation of Yangzhou City (YZ2017113)

Abstract

Security bugs are a common class of bug arising during software development and maintenance, and they create security risk once the software is deployed. They need to be fixed to a higher standard, and patched faster, than other kinds of bugs. Recommending the developer who should fix a security bug is therefore an important step in the security bug fixing process. Several developer recommendation techniques have been proposed for bug fixing in general, but most do not take the candidates' security experience or the quality of their past fixes into account. This paper proposes SecDR (security developer recommendation), an approach that recommends developers based on historical data about the quality and complexity of their previous security bug fixes. In addition, SecDR recommends junior developers for simple bugs and senior developers for complex ones. An empirical study on three open source subjects (Mozilla, Libgdx and ElasticSearch) is conducted to evaluate the effectiveness of SecDR. SecDR is also compared with a state-of-the-art developer recommendation technique, DR_PSF. The results show that SecDR improves accuracy over DR_PSF, with gains ranging from 19% to 42%. Finally, SecDR's recommendations are compared with the actual developer allocation recorded in the projects' bug trackers, and the results show that SecDR recommends developers effectively, performing even better than the real-world bug assignment.
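As an added example, not the paper's SecDR implementation (whose features, weights and thresholds are not given on this page), the following Python sketch shows the shape of such a recommender over a constructed fix history. Per-developer fix quality is taken as the share of a developer's security fixes that were not reopened, experience as the summed complexity of those fixes, and two assumed thresholds split developers into junior and senior and bugs into simple and complex; the recommender then ranks only the matching tier, falling back to everyone when that tier is empty. The FixRecord fields, the thresholds and the sample history are all assumptions made for illustration.

```python
"""
Illustrative developer ranking for security bug triage.

Added example, not the paper's SecDR code: the profile features (quality
as the share of a developer's security fixes that were not reopened,
experience as the summed complexity of those fixes) and the thresholds
below are assumptions chosen to make the idea concrete.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FixRecord:
    developer: str
    bug_id: str
    security: bool    # bug was tagged as a security bug
    complexity: int   # size of the fix, e.g. files or hunks touched (assumed metric)
    reopened: bool    # bug was reopened after the fix, i.e. the fix was bad


@dataclass(frozen=True)
class Profile:
    sec_fixes: int    # number of security fixes by this developer
    experience: int   # sum of complexity over those security fixes
    quality: float    # share of security fixes that were not reopened


# Assumed thresholds, not values from the paper.
SENIOR_EXPERIENCE = 10   # experience at or above this counts as "senior"
COMPLEX_BUG = 5          # bug complexity at or above this counts as "complex"

# Constructed sample history for five developers.
HISTORY: List[FixRecord] = [
    FixRecord("alice", "B-1", True, 8, False),
    FixRecord("alice", "B-2", True, 9, False),
    FixRecord("alice", "B-3", True, 7, False),
    FixRecord("bob", "B-4", True, 6, False),
    FixRecord("bob", "B-5", True, 5, True),       # one of bob's fixes was reopened
    FixRecord("carol", "B-6", True, 2, False),
    FixRecord("carol", "B-7", True, 3, False),
    FixRecord("carol", "B-8", True, 2, False),
    FixRecord("dave", "B-9", True, 1, True),
    FixRecord("dave", "B-10", False, 9, False),   # non-security fix, ignored
    FixRecord("eve", "B-11", False, 4, False),    # non-security fix, ignored
]


def build_profiles(history: Iterable[FixRecord]) -> Dict[str, Profile]:
    """Aggregate each developer's security-fix history into a Profile.

    Developers seen only on non-security fixes get an empty profile so
    they stay eligible for simple bugs.
    """
    counts = defaultdict(int)
    reopened = defaultdict(int)
    experience = defaultdict(int)
    names = set()
    for rec in history:
        names.add(rec.developer)
        if not rec.security:
            continue
        counts[rec.developer] += 1
        experience[rec.developer] += rec.complexity
        if rec.reopened:
            reopened[rec.developer] += 1
    profiles = {}
    for dev in names:
        n = counts[dev]
        quality = (n - reopened[dev]) / n if n else 0.0
        profiles[dev] = Profile(n, experience[dev], quality)
    return profiles


def is_senior(profile: Profile) -> bool:
    return profile.experience >= SENIOR_EXPERIENCE


def score(profile: Profile) -> float:
    # Quality gates experience: a developer whose security fixes keep
    # getting reopened ranks low however many bugs they have touched.
    return profile.quality * (1 + profile.experience)


def recommend(history: Iterable[FixRecord], bug_complexity: int, top_k: int = 3) -> List[str]:
    """Rank developers for a new security bug of the given complexity."""
    profiles = build_profiles(history)
    want_senior = bug_complexity >= COMPLEX_BUG
    pool = {d: p for d, p in profiles.items() if is_senior(p) == want_senior}
    if not pool:            # nobody in the right tier: fall back to everyone
        pool = profiles
    ranked = sorted(pool, key=lambda d: (-score(pool[d]), d))
    return ranked[:top_k]


if __name__ == "__main__":
    print(recommend(HISTORY, bug_complexity=8, top_k=2))   # complex bug: seniors
    print(recommend(HISTORY, bug_complexity=2, top_k=2))   # simple bug: juniors
```

With the sample history, a complex bug goes to alice ahead of bob, because bob's reopened fix halves his quality, and a simple bug goes to carol, with dave and eve ranked last at zero score.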

Citation

Sun Xiaobing, Zhou Cheng, Yang Hui, Li Bin. Developer recommendation for software security bugs. Journal of Software, 2018, 29(8): 2294-2305.

Article Metrics
  • Abstract views: 4715
  • PDF downloads: 5758
  • HTML views: 2993
  • Cited by: 0
History
  • Received: July 17, 2017
  • Revised: January 12, 2018
  • Online: March 13, 2018
Copyright: Institute of Software, Chinese Academy of Sciences. Beijing ICP No. 05046678-4
Address: 4# South Fourth Street, Zhong Guan Cun, Beijing 100190. Postal Code: 100190
Phone: 010-62562563. Fax: 010-62562533. Email: jos@iscas.ac.cn
Technical Support: Beijing Qinyun Technology Development Co., Ltd.

Beijing Public Network Security No. 11040202500063