Developer Recommendation Method for Software Security Bugs
Details
  • English title: Developer Recommendation for Software Security Bugs
  • Authors: 孙小兵; 周澄; 杨辉; 李斌
  • English authors: SUN Xiao-Bing; ZHOU Cheng; YANG Hui; LI Bin; School of Information Engineering, Yangzhou University; Shanghai Key Laboratory of Data Science (Fudan University)
  • Keywords: security bug; developer recommendation; bug repository; bug assignment; software maintenance
  • English keywords: security bug; developer recommendation; bug repository; bug assignment; software maintenance
  • Chinese journal code: RJXB
  • English journal title: Journal of Software
  • Affiliations: School of Information Engineering, Yangzhou University; Shanghai Key Laboratory of Data Science (Fudan University)
  • Publication date: 2018-03-13 17:18
  • Publisher: 软件学报 (Journal of Software)
  • Year: 2018
  • Issue: v.29
  • Funding: National Natural Science Foundation of China (61402396, 61472344, 61611540347); Open Project of the State Key Laboratory for Novel Software Technology (Nanjing University) (KFKT2018B12); Qing Lan Project of Jiangsu Province; China Postdoctoral Science Foundation (2015M571489); Yangzhou Natural Science Foundation (YZ2017113)
  • Language: Chinese
  • Page: RJXB201808010
  • Page count: 12
  • CN: 08
  • ISSN: 11-2560/TP
  • Classification number: 122-133
Abstract
Security bugs frequently arise during software development and maintenance, and they pose serious risks to both the software and its users. When a security bug is repaired, the required repair level and quality are usually higher than for an ordinary bug, so it is very important to recommend developers with security experience who can fix these bugs promptly and effectively. Existing developer recommendation techniques consider only a developer's historical development content when making a recommendation and rarely take into account factors such as the developer's experience in fixing security bugs and the quality of those fixes, so they are not well suited to recommending developers for security bugs. For the repair of security bugs, this paper proposes an effective software developer recommendation method, SecDR. When recommending developers, SecDR considers not only a developer's (security-related) historical development content but also factors such as the developer's fix quality and the complexity of the bugs the developer has fixed in the past. In addition, SecDR recommends developers at multiple experience levels: junior developers are recommended to fix simple security bugs, and senior developers to fix complex ones. The effectiveness of SecDR's developer recommendation was validated on three open-source projects (Mozilla, Libgdx, Elastic Search). Comparative experiments show that, for security bugs, SecDR's recommendation accuracy is on average 19% to 42% higher than that of other methods (such as DR_PSF). The experiments also compared SecDR with the actual developer assignments, and the results show that SecDR better avoids unreasonable developer recommendations.
Security bugs commonly emerge during software development and maintenance and cause security risks once the software is deployed. Security bugs need to be fixed with higher quality and patched faster than other types of bugs. Recommending developers to fix security bugs is one of the important tasks in the security bug fixing process. Some developer recommendation techniques have been proposed for bug fixing, but most of them do not consider the developers' security experience and bug fixing quality when recommending developers. In this paper, an approach, SecDR (security developer recommendation), is proposed that recommends developers by considering historical data on the quality and complexity of their security bug fixes. In addition, SecDR recommends junior developers for simple bugs and senior developers for complex bugs. An empirical study on three open source subjects (Mozilla, Libgdx and Elastic Search) is conducted to evaluate the effectiveness of SecDR. In this study, SecDR is also compared with the state-of-the-art developer recommendation technique, DR_PSF, to evaluate the effectiveness of developer recommendation. Results show that the accuracy of SecDR is improved over DR_PSF with gains ranging from 19% to 42%. Moreover, the results of SecDR are also compared with the actual developer allocation, and the results show that SecDR can effectively recommend developers, even better than the developer allocation in the real bug assignment environment.
References
[1] Gegick M, Rotella P, Xie T. Identifying security bug reports via text mining: An industrial case study. In: Proc. of the 7th Int'l Working Conf. on Mining Software Repositories. 2010. 11-20.
[2] Zaman S, Adams B, Hassan AE. Security versus performance bugs: A case study on Firefox. In: Proc. of the 8th Working Conf. on Mining Software Repositories. 2011. 93-102.
[3] Witschey J, Zielinska O, Welk A, Murphy-Hill E, Mayhorn C, Zimmermann T. Quantifying developers' adoption of security tools. In: Proc. of the 10th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2015). 2015. 260-271.
[4] Mitropoulos D, Gousios G, Spinellis D. Measuring the occurrence of security-related bugs through software evolution. In: Proc. of the 16th Panhellenic Conf. on Informatics. 2012. 117-122.
[5] Shokripour R, Anvik J, Kasirun ZM, Zamani S. A time-based approach to automatic bug report assignment. Journal of Systems and Software, 2015, 102: 109-122.
[6] Yang H, Sun X, Li B, Hu J. Recommending developers with supplementary information for issue request resolution. In: Proc. of the 38th Int'l Conf. on Software Engineering Companion. 2016. 707-709.
[7] Yang H, Sun XB, Li B, Duan YC. DR_PSF: Enhancing developer recommendation by leveraging personalized source-code files. In: Proc. of the 40th IEEE Computer Society Int'l Conf. on Computers, Software and Applications. 2016. 239-244.
[8] Sun X, Liu X, Hu J, Zhu J. Empirical studies on the NLP techniques for source code data preprocessing. In: Proc. of the 3rd Int'l Workshop on Evidential Assessment of Software Technologies (EAST 2014). 2014. 32-39.
[9] Porter MF. An Algorithm for Suffix Stripping. Morgan Kaufmann Publishers, Inc., 1997. 130-137.
[10] Sun X, Yang H, Leung H, Li B, Li HJ, Liao L. Effectiveness of exploring historical commits for developer recommendation: An empirical study. Frontiers of Computer Science, 2018, 12(3): 528-544.
[11] Hossen H, Kagdi HH, Poshyvanyk D. Amalgamating source code authors, maintainers, and change proneness to triage change requests. In: Proc. of the 22nd Int'l Conf. on Program Comprehension (ICPC 2014). 2014. 130-141.
[12] Zhang W, Han G, Wang Q. Butter: An approach to bug triage with topic modeling and heterogeneous network analysis. In: Proc. of the 2014 Int'l Conf. on Cloud Computing and Big Data (CCBD 2014). 2014. 62-69.
[13] Wang S, Zhang W, Wang Q. FixerCache: Unsupervised caching active developers for diverse bug triage. In: Proc. of the 8th ACM/IEEE Int'l Symp. on Empirical Software Engineering and Measurement (ESEM 2014). 2014. 25:1-25:10.
[14] Zhang W, Wang S, Wang Q. KSAP: An approach to bug report assignment using KNN search and heterogeneous proximity. Information and Software Technology, 2016, 70: 68-84.
[15] Xia X, Lo D, Wang X, Zhou B. Dual analysis for recommending developers to resolve bugs. Journal of Software: Evolution and Process, 2015, 27(3): 195-220.
[16] Mitropoulos D, Gousios G, Spinellis D. Measuring the occurrence of security-related bugs through software evolution. In: Proc. of the 16th Panhellenic Conf. on Informatics. 2012. 117-122.
[17] Yin Z, Yuan D, Zhou Y, Pasupathy S, Bairavasundaram L. How do fixes become bugs? In: Proc. of the 19th ACM SIGSOFT Symp. and the 13th European Conf. on Foundations of Software Engineering (ESEC/FSE 2011). 2011. 26-36.
[18] Zhang T, Yang G, Lee B, Lua EK. A novel developer ranking algorithm for automatic bug triage using topic model and developer relations. In: Proc. of the 21st Asia-Pacific Software Engineering Conf. (APSEC 2014). 2014. 223-230.
[19] Xia X, Lo D, Wang X, Zhou B. Accurate developer recommendation for bug resolution. In: Proc. of the 20th Working Conf. on Reverse Engineering (WCRE 2013). 2013. 72-81.
[20] Sun X, Yang H, Xia X, Li B. Enhancing developer recommendation with supplementary information via mining historical commits. Journal of Systems and Software, 2017, 134: 355-368.