SCG News

Analysis of Developer Information Needs on Collaborative Platforms

Mathias Birrer. Analysis of Developer Information Needs on Collaborative Platforms. Masters thesis, University of Bern, July 2020.


Developer information needs are diverse, and so are the sources to satisfy those needs. Besides internal sources, developers frequently use external sources of information (e.g., Q&A sites, mailing lists). Researchers use data from these sources to gain insights into developer information needs and build solutions to support the development process. However, along with the opportunities, the diversity of external sources poses challenges for research. In this thesis, we identify and describe various external sources used by researchers to investigate developer information needs. We analyze the methodology of relevant literature to extract common practices, identify challenges, and assess data extraction and preprocessing reproducibility. To further increase knowledge about developer information needs and the process of analyzing these information needs, we conduct a case study about Code Comment Convention questions using data from multiple sources. The case study follows best practices identified in the relevant literature and is conducted with the help of a self-developed prototype tool. The prototype tool is designed to help researchers extract, manage, and preprocess a dataset from multiple sources in a documented and reproducible way.

Posted by scg at 20 July 2020, 11:15 am

Moldable scenario builder

Ivan Kravchenko. Moldable scenario builder. Masters thesis, University of Bern, June 2020.


Current behavior-driven development (BDD) practices promise to engage more stakeholders in an agile software development process through the use of behavior specifications of the software product. However, current capabilities for behavior specification restrict possible feedback as they fail to reliably connect the specification with the corresponding implementation. We analyzed 14 BDD tools to observe their limitations for facilitating feedback between multiple stakeholders. We observed that the existing BDD tools differ in characteristics regarding their support for a ubiquitous language and specification format. Despite the recent attempts to write more natural language specifications, the existing tools are largely developer-oriented and limit the engagement of other participants. The analyzed tools focus mostly on asserting input values against desired business output for a BDD scenario and much less on manipulating the output itself. To tackle the aforementioned limitations, we present our prototype solution “Moldable scenario editor” implemented in the Pharo environment. To achieve this, we allow BDD scenarios to return objects and adapt their representation to the perspective of non-technical stakeholders. We strive to engage more participants in the agile software development process by giving them different ways to experiment with behavior specifications within an IDE. For instance, we use an embedded rich text editor to illustrate how plain textual specifications can leverage the corresponding implementation. Similarly, with a combination of graphical elements, we allow users to experiment with domain objects, i.e., compose new BDD tests without having to code. We speculate that such an approach can bind behavior specifications more closely to the implementation, and facilitate effective collaboration among team members.

Posted by scg at 16 July 2020, 4:15 pm

CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs

Mohammadreza Hazhirpasand, Mohammad Ghafari, and Oscar Nierstrasz. CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs. In 27th edition of the IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), p. 632-636, March 2020.


Research has shown that cryptographic APIs are hard to use. Consequently, developers resort to using code examples available in online information sources that are often not secure. We have developed a web platform, named CryptoExplorer, stocked with numerous real-world secure and insecure examples that developers can explore to learn how to use cryptographic APIs properly. This platform currently provides 3 263 secure uses, and 5 897 insecure uses of Java Cryptography Architecture mined from 2 324 Java projects on GitHub. A preliminary study shows that CryptoExplorer provides developers with secure crypto API use examples instantly, developers can save time compared to searching on the internet for such examples, and they learn to avoid using certain algorithms in APIs by studying misused API examples. We have a pipeline to regularly mine more projects, and, on request, we offer our dataset to researchers.

Posted by scg at 2 June 2020, 10:15 am
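The abstract above describes a corpus of secure and insecure Java Cryptography Architecture (JCA) uses without showing one. The following is an added example written for this page, not code from the CryptoExplorer dataset or from the paper's authors. It contrasts a constructed instance of a frequent JCA misuse (the transformation string "AES" with no mode or padding, which the default SunJCE provider resolves to AES/ECB/PKCS5Padding, combined with a key literal in source) with the authenticated AES/GCM form that a secure example would use. The class, method names and the sample plaintext are our own; the key-handling in the secure variant stands in for loading a key from a KeyStore or KMS.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcaUsageContrast {

    // INSECURE (constructed to mirror a common misuse pattern, not taken from any real project):
    // a key literal checked into source, and a transformation string with no mode or padding.
    static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);

    static byte[] insecureEncrypt(byte[] plaintext) throws GeneralSecurityException {
        // "AES" alone means AES/ECB/PKCS5Padding in the default provider: identical plaintext
        // blocks produce identical ciphertext blocks, and nothing authenticates the output.
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // SECURE: explicit AES/GCM/NoPadding, a fresh 96-bit nonce per message, a 128-bit tag,
    // and a key from KeyGenerator (stand-in for a key loaded from a KeyStore or KMS).
    static final int GCM_NONCE_BYTES = 12;
    static final int GCM_TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Output layout: nonce || ciphertext || tag (GCM appends the tag to the ciphertext).
    static byte[] secureEncrypt(SecretKey key, byte[] plaintext, byte[] aad) throws GeneralSecurityException {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(nonce);                       // never reuse a nonce under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        c.updateAAD(aad);                           // bind context (e.g. a version or record id) to the tag
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] secureDecrypt(SecretKey key, byte[] blob, byte[] aad) throws GeneralSecurityException {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_NONCE_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        c.updateAAD(aad);
        return c.doFinal(ct);                       // throws AEADBadTagException if nonce, aad or data were altered
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed input: two identical 16-byte blocks, which ECB encrypts to two identical ciphertext blocks.
        byte[] twoBlocks = "sixteen byte msg".repeat(2).getBytes(StandardCharsets.UTF_8);
        byte[] ecb = insecureEncrypt(twoBlocks);
        boolean leaks = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB repeats identical blocks: " + leaks);

        SecretKey key = newKey();
        byte[] aad = "ctx:v1".getBytes(StandardCharsets.UTF_8);
        byte[] blob1 = secureEncrypt(key, twoBlocks, aad);
        byte[] blob2 = secureEncrypt(key, twoBlocks, aad);
        System.out.println("GCM ciphertexts differ per call: " + !Arrays.equals(blob1, blob2));
        System.out.println("GCM round trip intact: " + Arrays.equals(secureDecrypt(key, blob1, aad), twoBlocks));

        blob1[blob1.length - 1] ^= 0x01;            // flip one bit of the tag
        try {
            secureDecrypt(key, blob1, aad);
            System.out.println("tampering NOT detected");
        } catch (GeneralSecurityException e) {
            System.out.println("tampering detected: " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run with `javac JcaUsageContrast.java && java JcaUsageContrast` (Java 11 or later, for `String.repeat`). The first line of output is the concrete reason "AES" by itself is flagged as a misuse: block repetition in the ciphertext is visible without the key. The remaining lines show what the explicit mode string buys: distinct ciphertexts for the same message, and a decryption that refuses modified data instead of returning garbage.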

Threats to Validity in TDD Research

Timm Gross. Threats to Validity in TDD Research. Bachelor’s thesis, University of Bern, May 2020.


Context: Test driven development (TDD) is an iterative software development technique where unit tests are defined before production code. Recent quantitative empirical investigations into the effects of TDD have been contrasting and inconclusive. Additionally, studies have shown that TDD is not as widely used as expected. At the same time, the body of research contains anecdotal evidence about the usefulness of TDD in practice. This makes it difficult for decision makers in development teams to use the research as the basis for the decision of whether or not to apply TDD. Objective: We present a study designed to uncover the threats to validity in previous studies that prevent them from being usable in decision making processes. In order to do that, we first studied what values practitioners associate with software testing. Method: We first conducted 15 hours of ethnographically informed qualitative interviews with a small development team to capture the perceived benefits of testing. Then we analyzed the threats to validity mentioned in the body of research in a literature review. Results: The interviewed developers put equal emphasis on quality-related aspects (i.e. productivity, internal and external code quality) and non-quality-related aspects (i.e. collaboration, confidence, knowledge transfer, etc.) of testing. In contrast, the analyzed research papers focus almost exclusively on quality-related aspects of TDD. In addition, we identified the common threats to validity in the following areas: participant selection, task selection, context of the study, threats to validity regarding quality, length of observation, amount of iteration, comparisons to other techniques, measuring the adherence to TDD and a lack of qualitative research. Conclusion: Contrasting the views of practitioners on testing and the common threats to validity in TDD research allows us to highlight opportunities for further research. Especially for researchers aiming to provide scientific support for decision making processes of how and when to apply TDD in practice, this study summarizes important aspects to consider.

Posted by scg at 27 May 2020, 9:15 am

An Investigation into Vulnerability Databases

Brian Schweigler. An Investigation into Vulnerability Databases. Bachelor’s thesis, University of Bern, May 2020.


The vulnerability databases’ affiliations and contributions are non-trivial and have not yet been studied in depth. This raises a major concern regarding the correctness of the data used in numerous existing studies. To investigate this problem, we first collected publicly available data from the websites of five major database providers, and then we normalized and correlated the individual entries to track them within different vulnerability databases. 370,298 security reports were extracted, 89% of which were accessible at more than one provider. Surprisingly, many reports were inconsistent with respect to scores and detail descriptions. In the scoring system CVSS version 3.0, for example, we found on average a difference of 0.8 on NVD and Snyk, whereas CVSS version 2.0 remains largely consistent with a difference of only 0.1 between NVD and RAPID7. Furthermore, we discovered that the security-related popularity differs for widely used software, and we show that shared code bases, but not library usages, can be predicted by aggregating security reports over periods of time. Finally, in visualizations, software release cycles become visible.

Posted by scg at 25 May 2020, 1:47 pm
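The abstract above describes the core of the method (normalize identifiers, correlate entries across providers, then compare scores per CVSS version) without showing how such a cross-check is done. The following Java is an added example written for this page, not the thesis author's tool or dataset. It normalizes CVE identifiers, groups reports by identifier, reports the share of identifiers seen at more than one provider, and computes the mean absolute CVSS difference between two named providers for a given CVSS version, listing the identifiers that disagree beyond a threshold. The record shape, the provider names used as map keys, and the eight sample reports are constructed for illustration; the scores are not real NVD, Snyk or RAPID7 values.

```java
import java.util.*;
import java.util.stream.*;

public class VulnDbCrossCheck {

    /** One report as scraped from one provider. Constructed shape, not the thesis dataset. */
    record Report(String provider, String rawId, Double cvss2, Double cvss3) {}

    /** Normalize identifiers so "cve-2020-0001", " CVE-2020-0001 " and "CVE-2020-0001" correlate. */
    static String normalizeId(String raw) {
        String id = raw.trim().toUpperCase(Locale.ROOT).replaceAll("\\s+", "");
        if (!id.matches("CVE-\\d{4}-\\d{4,}")) {
            throw new IllegalArgumentException("unrecognised identifier: " + raw);
        }
        return id;
    }

    /** Group reports by normalized id: id -> (provider -> report). */
    static Map<String, Map<String, Report>> correlate(List<Report> reports) {
        Map<String, Map<String, Report>> byId = new TreeMap<>();
        for (Report r : reports) {
            byId.computeIfAbsent(normalizeId(r.rawId()), k -> new TreeMap<>()).put(r.provider(), r);
        }
        return byId;
    }

    /** Fraction of ids that are accessible at more than one provider. */
    static double multiProviderShare(Map<String, Map<String, Report>> byId) {
        long multi = byId.values().stream().filter(m -> m.size() > 1).count();
        return byId.isEmpty() ? 0.0 : (double) multi / byId.size();
    }

    private static Double score(Report r, boolean v3) {
        return v3 ? r.cvss3() : r.cvss2();
    }

    /** Mean absolute score difference between providers a and b, over ids both score for that CVSS version. */
    static OptionalDouble meanAbsDiff(Map<String, Map<String, Report>> byId, String a, String b, boolean v3) {
        return byId.values().stream()
            .filter(m -> m.containsKey(a) && m.containsKey(b))
            .map(m -> new Double[] { score(m.get(a), v3), score(m.get(b), v3) })
            .filter(p -> p[0] != null && p[1] != null)      // skip ids one side has not scored for this version
            .mapToDouble(p -> Math.abs(p[0] - p[1]))
            .average();
    }

    /** Ids where providers a and b disagree by more than threshold for the given CVSS version. */
    static List<String> disagreements(Map<String, Map<String, Report>> byId,
                                      String a, String b, boolean v3, double threshold) {
        List<String> out = new ArrayList<>();
        byId.forEach((id, m) -> {
            if (m.containsKey(a) && m.containsKey(b)) {
                Double sa = score(m.get(a), v3), sb = score(m.get(b), v3);
                if (sa != null && sb != null && Math.abs(sa - sb) > threshold) out.add(id);
            }
        });
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: ids, provider names and scores are illustrative only.
        List<Report> sample = List.of(
            new Report("NVD",    "CVE-2020-0001", 5.0, 7.5),
            new Report("Snyk",   "cve-2020-0001", null, 8.8),
            new Report("RAPID7", "CVE-2020-0001", 5.0, null),
            new Report("NVD",    "CVE-2020-0002", 4.3, 6.1),
            new Report("Snyk",   " CVE-2020-0002 ", null, 6.5),
            new Report("NVD",    "CVE-2020-0003", 7.5, 9.8),
            new Report("RAPID7", "CVE-2020-0003", 7.2, null),
            new Report("NVD",    "CVE-2020-0004", 5.0, 5.3)   // present at a single provider only
        );
        Map<String, Map<String, Report>> byId = correlate(sample);
        System.out.printf("ids: %d, seen at more than one provider: %.0f%%%n",
                          byId.size(), 100 * multiProviderShare(byId));
        System.out.printf("mean |CVSSv3 NVD - Snyk|:   %.2f%n",
                          meanAbsDiff(byId, "NVD", "Snyk", true).orElse(Double.NaN));
        System.out.printf("mean |CVSSv2 NVD - RAPID7|: %.2f%n",
                          meanAbsDiff(byId, "NVD", "RAPID7", false).orElse(Double.NaN));
        System.out.println("v3 disagreements above 1.0 between NVD and Snyk: "
                           + disagreements(byId, "NVD", "Snyk", true, 1.0));
    }
}
```

Compile and run with `javac VulnDbCrossCheck.java && java VulnDbCrossCheck` (Java 16 or later, for records). Two design points matter when scaling this to real feeds: the mean is computed only over identifiers that both providers score for the same CVSS version, since mixing a v2 score from one feed with a v3 score from another would manufacture a discrepancy, and identifier normalization is strict, throwing on anything that is not a CVE id rather than silently creating an unmatched group. Provider-specific identifiers (vendor advisories, distribution bug numbers) need a mapping step before they can join this table.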
Last changed by admin on 21 April 2009