检索结果-内蒙古大学图书馆

A Survey on Modern Code Review: Progresses, Challenges and Opportunities

学校读者我要写书评

暂无评论

arXiv 2024年

作者： Yang, Zezhou Gao, Cuiyun Guo, Zhaoqiang Li, Zhenhao Liu, Kui Xia, Xin Zhou, Yuming Harbin Institute of Technology Shenzhen China Software Engineering Application Technology Lab Huawei Hangzhou China State Key Laboratory for Novel Software Technology Nanjing University Nanjing China

Over the past decade, modern code review (MCR) has been deemed as a crucial practice of software quality assurance, which is applied to improve software quality and transfer development knowledge within a software team. Despite its importance, MCR is often a complicated and time-consuming activity for practitioners. In recent years, many studies that are dedicated to the comprehension and the improvement of MCR have been explored so that the MCR activity can be carried out more conveniently and efficiently. To provide researchers and practitioners a clear understanding of the current research status on MCR, this paper conducts a systematic literature review of the past years. Given the collected 231 surveyed papers, this paper makes the following five contributions: First, we analyze the research trends of related MCR studies. Second, we provide a taxonomy for the current MCR, encompassing both Improvement Techniques and Understanding Studies. Third, we present the concrete research progress of each novel MCR methodology and prototype tool. Fourth, we exploit the main empirical insights from empirical study and user study that are helpful to improve MCR. Finally, we sum up unsolved challenges and outline several possible research opportunities in the future. Copyright © 2024, The Authors. All rights reserved.

关键词： Computer software selection and evaluation

Identify and Update Test Cases when Production Code Changes: A Transformer-Based Approach 23

学校读者我要写书评

暂无评论

Identify and Update Test Cases when Production Code Changes:...

Proceedings of the 38th IEEE/ACM International Conference on Automated software engineering

作者： Xing Hu Zhuang Liu Xin Xia Zhongxin Liu Tongtong Xu Xiaohu Yang School of Software Technology Zhejiang University Ningbo China College of Computer Science and Technology Zhejiang University Hangzhou China Software Engineering Application Technology Lab Huawei Hangzhou China

ISBN: (纸本)9798350329964

software testing is one of the most essential parts of the software lifecycle and requires a substantial amount of time and effort. During the software evolution, test cases should coevolve with the production code. However, the co-evolution of test cases often fails due to tight project schedules and other reasons. Obsolete test cases improve the cost of software maintenance and may fail to reveal faults and even lead to future bugs. Therefore, it is essential to detect and update these obsolete test cases in time. In this paper, we propose a novel approach Ceprot (Co-Evolution of Production-Test Code) to identify outdated test cases and update them automatically according to changes in the production code. Ceprot consists of two stages, i.e., obsolete test identification and updating. Specifically, given a production code change and a corresponding test case, Ceprot first identifies whether the test case should be updated. If the test is identified as obsolete, Ceprot will update it to a new version of test case. To evaluate the effectiveness of the two stages, we construct two datasets. Our dataset focuses on method-level production code changes and updates on their obsolete test cases. The experimental results show that Ceprot can effectively identify obsolete test cases with precision and recall of 98.3% and 90.0%, respectively. In addition, test cases generated by Ceprot are identical to the ground truth for 12.3% of samples that are identified as obsolete by Ceprot. We also conduct dynamic evaluation and human evaluation to measure the effectiveness of the updated test cases by Ceprot. 48.0% of updated test cases can be compiled and the average coverage of updated cases is 34.2% which achieves 89% coverage improvement over the obsolete tests. We believe that this study can motivate the co-evolution of production and test code.

关键词： test code maintenance

Ppt4j: Patch Presence Test for Java Binaries 24

学校读者我要写书评

暂无评论

Ppt4j: Patch Presence Test for Java Binaries

44th ACM/IEEE International Conference on software engineering, ICSE 2024

作者： Pan, Zhiyuan Hu, Xing Xia, Xin Zhan, Xian Lo, David Yang, Xiaohu Zhejiang University The State Key Laboratory of Blockchain and Data Security Hangzhou China Huawei Software Engineering Application Technology Lab Hangzhou China The Hong Kong Polytechnic University Hong Kong School of Computing and Information Systems Singapore Management University Singapore

ISBN: (纸本)9798400702174

The number of vulnerabilities reported in open source software has increased substantially in recent years. Security patches provide the necessary measures to protect software from attacks and vulnerabilities. In practice, it is difficult to identify whether patches have been integrated into software, especially if we only have binary files. Therefore, the ability to test whether a patch is applied to the target binary, a.k.a. patch presence test, is crucial for practitioners. However, it is challenging to obtain accurate semantic information from patches, which could lead to incorrect results. In this paper, we propose a new patch presence test framework named Ppt4j (Patch Presence Test forJava Binaries). Ppt4j is designed for open-source Java libraries. It takes Java binaries (i.e. bytecode files) as input, extracts semantic information from patches, and uses feature-based techniques to identify patch lines in the binaries. To evaluate the effectiveness of our proposed approach Ppt4j, we construct a dataset with binaries that include 110 vulnerabilities. The results show that Ppt4j achieves an F1 score of 98.5% with reasonable efficiency, improving the baseline by 14.2%. Furthermore, we conduct an in-the-wild evaluation of Ppt4j on JetBrains IntelliJ IDEA. The results suggest that a third-party library included in the software is not patched for two CVEs, and we have reported this potential security problem to the vendor. © 2024 ACM.

关键词： Open source software

Dual Prompt-Based Few-Shot Learning for Automated Vulnerability Patch Localization

学校读者我要写书评

暂无评论

Dual Prompt-Based Few-Shot Learning for Automated Vulnerabil...

IEEE International Conference on software Analysis, Evolution and Reengineering (SANER)

作者： Junwei Zhang Xing Hu Lingfeng Bao Xin Xia Shanping Li The State Key Laboratory of Blockchain and Data Security Zhejiang University Hangzhou China Software Engineering Application Technology Lab Huawei China

ISBN: (数字)9798350330663

ISBN: (纸本)9798350330670

Vulnerabilities are disclosed with corresponding patches so that users can remediate them in time. However, there are instances where patches are not released with the disclosed vulnerabilities, causing hidden dangers, especially if dependent software remains uninformed about the affected code repository. Hence, it is crucial to automatically locate security patches for disclosed vulnerabilities among a multitude of commits. Despite the promising performance of existing learning-based localization approaches, they still suffer from the following limitations: (1) They cannot perform well in data scarcity scenarios. Most neural models require extensive datasets to capture the semantic correlations between the vulnerability description and code commits, while the number of disclosed vulnerabilities with patches is limited. (2) They struggle to capture the deep semantic correlations between the vulnerability description and code commits due to inherent differences in semantics and characters between code changes and commit messages. It is difficult to use one model to capture the semantic correlations between vulnerability descriptions and code commits. To mitigate these two limitations, in this paper, we propose a novel security patch localization approach named Prom VPat, which utilizes the dual prompt tuning channel to capture the semantic correlation between vulnerability descriptions and commits, especially in data scarcity (i.e., few-shot) scenarios. We first input the commit message and code changes with the vulnerability description into the prompt generator to generate two new inputs with prompt templates. Then, we adopt a pre-trained language model (i.e., PLM) as the encoder, utilize the prompt tuning method to fine-tune the encoder, and generate two correlation probabilities as the semantic features. In addition, we extract 26 handcrafted features from the vulnerability descriptions and the code commits. Finally, we utilize the attention mechanism to fuse the

关键词： Location awareness Codes Correlation Semantics PROM Feature extraction software

Light gradient boosting machine with optimized hyperparameters for identification of malicious access in IoT network

学校读者我要写书评

暂无评论

Digital Communications and Networks 2023年第1期9卷 125-137页

作者： Debasmita Mishra Bighnaraj Naik Janmenjoy Nayak Alireza Souri Pandit Byomakesha Dash S.Vimal Department of Computer Application Veer Surendra Sai University of TechnologyBurlaSambalpur768018OdishaIndia Department of Computer Science Maharaja Sriram Chandra Bhanja Deo(MSCB)UniversityBaripada757003OdishaIndia Department of Software Engineering HaliçUniversity34394IstanbulTurkey Department of Information Technology Aditya Institute of Technology and Management(AITAM)Tekkali532201Andhra PradeshIndia Data Analytics Lab Department of Artificial Intelligence and Data ScienceRamco Institute of TechnologyNorth Venganallur VillageRajapalayam 626117 Virudhunagar DistrictTamilnaduIndia

In this paper,an advanced and optimized Light Gradient Boosting Machine(LGBM)technique is proposed to identify the intrusive activities in the Internet of Things(IoT)*** followings are the major contributions:i)An optimized LGBM model has been developed for the identification of malicious IoT activities in the IoT network;ii)An efficient evolutionary optimization approach has been adopted for finding the optimal set of hyper-parameters of LGBM for the projected ***,a Genetic Algorithm(GA)with k-way tournament selection and uniform crossover operation is used for efficient exploration of hyper-parameter search space;iii)Finally,the performance of the proposed model is evaluated using state-of-the-art ensemble learning and machine learning-based model to achieve overall generalized performance and *** outcomes reveal that the proposed approach is superior to other considered methods and proves to be a robust approach to intrusion detection in an IoT environment.

关键词： IoT security Ensemble method Light gradient boosting machine Machine learning Intrusion detection

Investigating White-Box Attacks for On-Device Models

学校读者我要写书评

暂无评论

Investigating White-Box Attacks for On-Device Models

International Conference on software engineering (ICSE)

作者： Mingyi Zhou Xiang Gao Jing Wu Kui Liu Hailong Sun Li Li Monash University Melbourne VIC Australia Beihang University Beijing China Huawei Software Engineering Application Technology Lab China Beihang University Beijing Yunnan Key Laboratory of Software Engineering China

ISBN: (数字)9798400702174

ISBN: (纸本)9798350382143

Numerous mobile apps have leveraged deep learning capabilities. However, on-device models are vulnerable to attacks as they can be easily extracted from their corresponding mobile apps. Although the structure and parameters information of these models can be accessed, existing on-device attacking approaches only generate black-box attacks (i.e., indirect white-box attacks), which are less effective and efficient than white-box strategies. This is because mobile deep learning (DL) frameworks like TensorFlow Lite (TFLite) do not support gradient computing (referred to as non-debuggable models), which is necessary for white-box attacking algorithms. Thus, we argue that existing findings may underestimate the harm-fulness of on-device attacks. To validate this, we systematically analyze the difficulties of transforming the on-device model to its debuggable version and propose a Reverse engineering framework for On-device Models (REOM), which automatically reverses the compiled on-device TFLite model to its debuggable version, enabling attackers to launch white-box attacks. Our empirical results show that our approach is effective in achieving automated transformation (i.e., 92.6%) among 244 TFLite models. Compared with previous attacks using surrogate models, REOM enables attackers to achieve higher attack success rates (10.23%→89.03%) with a hun-dred times smaller attack perturbations (1.0→0.01). Our findings emphasize the need for developers to carefully consider their model deployment strategies, and use white-box methods to evaluate the vulnerability of on-device models. Our artifacts 1 1 https://***/zhoumingyi/REOM are available.

关键词： Deep learning Analytical models Computational modeling Atmospheric modeling Reverse engineering Transforms Mobile applications

Investigating White-Box Attacks for On-Device Models

学校读者我要写书评

暂无评论

arXiv 2024年

作者： Zhou, Mingyi Liu, Kui Gao, Xiang Sun, Hailong Wu, Jing Li, Li Monash University MelbourneVIC Australia Huawei Software Engineering Application Technology Lab China Beihang University Beijing China Beihang University Beijing Yunnan Key Laboratory of Software Engineering China

Numerous mobile apps have leveraged deep learning capabilities. However, on-device models are vulnerable to attacks as they can be easily extracted from their corresponding mobile apps. Although the structure and parameters information of these models can be accessed, existing on-device attacking approaches only generate black-box attacks (i.e., indirect white-box attacks), which are less effective and efficient than white-box strategies. This is because mobile deep learning (DL) frameworks like TensorFlow Lite (TFLite) do not support gradient computing (referred to as non-debuggable models), which is necessary for white-box attacking algorithms. Thus, we argue that existing findings may underestimate the harmfulness of on-device attacks. To validate this, we systematically analyze the difficulties of transforming the on-device model to its debuggable version and propose a Reverse engineering framework for On-device Models (REOM), which automatically reverses the compiled on-device TFLite model to its debuggable version, enabling attackers to launch white-box attacks. Our empirical results show that our approach is effective in achieving automated transformation (i.e., 92.6%) among 244 TFLite models. Compared with previous attacks using surrogate models, REOM enables attackers to achieve higher attack success rates (10.23%→89.03%) with a hundred times smaller attack perturbations (1.0→0.01). Our findings emphasize the need for developers to carefully consider their model deployment strategies, and use white-box methods to evaluate the vulnerability of on-device models. Our artifacts 1 are available. Copyright © 2024, The Authors. All rights reserved.

关键词： Deep learning

Distinguishing LLM-generated from Human-written Code by Contrastive Learning

学校读者我要写书评

暂无评论

arXiv 2024年

作者： Xu, Xiaodan Ni, Chao Guo, Xinrong Liu, Shaoxuan Wang, Xiaoya Liu, Kui Yang, Xiaohu State Key Laboratory of Blockchain and Data Security Zhejiang University Hangzhou China Software Engineering Application Technology Lab Huawei Hangzhou China

Large language models (LLMs), such as ChatGPT released by OpenAI, have attracted significant attention from both industry and academia due to their demonstrated ability to generate high-quality content for various tasks. Despite the impressive capabilities of LLMs, there are growing concerns regarding their potential risks in various fields, such as news, education, and software engineering. Recently, several commercial and open-source LLM-generated content detectors have been proposed, which, however, are primarily designed for detecting natural language content without considering the specific characteristics of program code. This paper aims to fill this gap by proposing a novel ChatGPT-generated code detector, CodeGPTSensor, based on a contrastive learning framework and a semantic encoder built with UniXcoder. To assess the effectiveness of CodeGPTSensor on differentiating ChatGPT-generated code from human-written code, we first curate a large-scale Human and Machine comparison Corpus (HMCorp), which includes 550K pairs of human-written and ChatGPT-generated code (i.e., 288K Python code pairs and 222K Java code pairs). Based on the HMCorp dataset, our qualitative and quantitative analysis of the characteristics of ChatGPT-generated code reveals the challenge and opportunity of distinguishing ChatGPT-generated code from human-written code with their representative features. Our experimental results indicate that CodeGPTSensor can effectively identify ChatGPT-generated code, outperforming all selected baselines. Copyright © 2024, The Authors. All rights reserved.

关键词： Contrastive Learning

Code Change Intention, Development Artifact and History Vulnerability: Putting Them Together for Vulnerability Fix Detection by LLM

学校读者我要写书评

暂无评论

arXiv 2025年

作者： Yang, Xu Zhu, Wenhan Pacheco, Michael Zhou, Jiayuan Wang, Shaowei Hu, Xing Liu, Kui University of Manitoba WinnipegMB Canada Huawei Canada Canada Zhejiang University Hangzhou China Huawei Software Engineering Application Technology Lab Hangzhou China

Detecting vulnerability fix commits in open-source software is crucial for maintaining software security. To help OSS identify vulnerability fix commits, several automated approaches are developed. However, existing approaches like VulFixMiner and CoLeFunDa, focus solely on code changes, neglecting essential context from development artifacts. Tools like Vulcurator, which integrates issue reports, fail to leverage semantic associations between different development artifacts (e.g., pull requests and history vulnerability fixes). Moreover, they miss vulnerability fixes in tangled commits and lack explanations, limiting practical use. Hence to address those limitations, we propose LLM4VFD, a novel framework that leverages Large Language Models (LLMs) enhanced with Chain-of-Thought reasoning and In-Context Learning to improve the accuracy of vulnerability fix detection. LLM4VFD comprises three components: (1) Code Change Intention, which analyzes commit summaries, purposes, and implications using Chain-of-Thought reasoning;(2) Development Artifact, which incorporates context from related issue reports and pull requests;(3) Historical Vulnerability, which retrieves similar past vulnerability fixes to enrich context. More importantly, on top of the prediction, LLM4VFD also provides a detailed analysis and explanation to help security experts understand the rationale behind the decision. We evaluated LLM4VFD against state-of-the-art techniques, including Pre-trained Language Model-based approaches and vanilla LLMs, using a newly collected dataset, BigVulFixes. Experimental results demonstrate that LLM4VFD significantly outperforms the best-performed existing approach by 68.1%–145.4%. Furthermore, We conducted a user study with security experts, showing that the analysis generated by LLM4VFD improves the efficiency of vulnerability fix identification. © 2025, CC BY.

关键词： Open source software