Similar Literature
Found 20 similar documents; search took 109 ms
1.
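High-quality components are the basic guarantee of efficient software development. Existing research on component measurement mainly addresses external qualities of components such as trustworthiness and reusability, while there is little research on measuring the internal quality of components, and a method for comprehensively evaluating component internal quality is lacking. This paper proposes a fuzzy-inference-based method for measuring component internal quality, which determines the overall internal quality of a component by fuzzifying the static analysis results of the component code and simulating the fuzzy reasoning process of experts. Applied in the iterative development of components, the method measures component quality automatically and greatly improves the timeliness of component measurement.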

2.
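With the development of IT communities and code hosting platforms, the number of user comments on code has grown sharply. Comments that users write after using code contain rich information about static and dynamic code quality; extracting and analyzing it helps developers understand the code quality information users care about so that they can improve code quality in a targeted way, and also helps users choose code that meets their requirements. To this end, this paper proposes a code quality model covering static and dynamic characteristics, together with a method for identifying and analyzing code quality information in user comments. First, user comments that carry code quality information are identified according to evaluation objects and evaluation sentence-pattern rules; then, code quality attribute performance is extracted using evaluation objects and evaluation opinions; finally, results on static and dynamic code quality are given by analyzing code quality attribute performance and sentiment orientation. Experimental results show that the proposed method can effectively analyze code quality information in user comments.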

3.
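This paper introduces the basic concepts and methods of static software testing and how to perform static software testing with the testing tool LDRA Testbed, and studies the static testing principles of LDRA Testbed. Finally, using a worked example, static testing of C code with LDRA Testbed is carried out, producing a static test quality report and a metrics report.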

4.
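Using parameterized extended context-free grammars as the abstract representation of security-relevant behavior models, this paper studies multithreaded Java programs and derives a method for automatically generating security-relevant behavior models from multithreaded Java programs. Applied within an implementation framework for the model-carrying code approach, the method describes how to statically check whether the model satisfies a security policy, and provides effective support for the safe execution of untrusted multithreaded Java mobile code. The paper uses static analysis of multithreaded Java programs to perform the relevant security checks and thereby examine the security-relevant behavior of multithreaded Java programs.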

5.
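Based on the observation that malware from the same family behaves similarly, this paper proposes measuring the similarity of software behavior by combining static analysis with dynamic execution of the program. The program's control flow graph is obtained through decompilation and the soot code transformation framework, and a behavior subgraph matching algorithm measures behavioral similarity statically; the program is run under an automated testing framework, and the captured trace files are compressed with a text-independent compression algorithm and then measured for similarity. The detection method combines the high execution efficiency of static detection with the high accuracy of dynamic detection. Experimental analysis shows that the technique accurately measures behavioral similarity between programs and achieves a substantial improvement in accuracy over Androidguard.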

6.
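Using research methods for power-law distributions, this paper studies the results of object-oriented software measurement and explores the long-tail distributions that appear in software metrics at different structural levels. Based on 4 large open-source Java projects, three main metric factors that affect software quality are measured: class code length, number of class attributes, and number of class methods. The measurement results are fitted to power-law distributions; the shape parameter of the fitted distribution is estimated by maximum likelihood estimation, and the goodness of fit is assessed with a bootstrap-based hypothesis test. The statistics for the three metric factors show that power-law distributions are present in the tails of most of the results. Using the power-law distribution functions fitted to the metric factors, classes that deviate far from the fitted function can be located in the complementary cumulative distribution plot, and code quality problems can be found in these classes.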

7.
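《程序员》 (Programmer), 2010, (4): 128-129
Sonar is an open-source system for managing code quality. It evaluates and manages code quality comprehensively from several aspects, including architecture tests, code complexity, unit tests, coding style, comments, code reuse, and potential defects. Its functionality can be extended through a plugin system; the Java language is supported out of the box, and SQL and C++ are supported via plugins. The new 2.0 release adds a new "component DSM service"; adds a design tab to the resource browser; introduces a new "design" component for displaying the project panel; adds a Java API library for the Sonar Web Service; adds design analysis, architecture, and object-oriented metrics for Java programs; and makes it possible to avoid cyclic calls between packages by removing unwanted dependencies. It also includes a large number of updates and bug fixes.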

8.
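蒋竞, 吴秋迪, 张莉. 《软件学报》 (Journal of Software), 2021, 32(12): 3698-3709
In open-source communities, the quality of code submitted by different developers is uneven, so code review is needed to check the quality of submissions. Decision makers are the key figures in code review: they examine submitted code and find software defects. How code review is carried out affects the quality of open-source software, so a measurement system for the review process is needed to understand the state of code review and help improve the quality of open-source projects. Existing software process measurement methods mainly consider code submission and review comment activity and do not consider decision activity, so they cannot adequately measure participants' review behavior. This paper introduces the decision-maker factor and proposes a review process measurement system for open-source communities, comprising review activity indicators and personnel distribution indicators. The review activity indicators include the number of reviews, the length of review messages, the number of changed lines of code under review, and review time. The personnel distribution indicators mainly consider the proportions and numbers of changers, commenters, and decision makers. Data from 3 popular open-source projects are then collected, and the relationship between the review process indicators and the number of software defects is analyzed. The empirical study finds that decision-maker-related indicators, such as the number of decision makers and the proportions of participants with few changes, few comments, and few decisions, are moderately positively correlated with the number of software defects. In addition, a comparison with a measurement system that does not consider decision makers shows that the system including decision makers correlates more strongly with software defects. The empirical results validate the effectiveness of the review process measurement system and show that adding decision-maker-related indicators is necessary.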

9.
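The Java language initializes data through constructors, and during inheritance a subclass can call the constructor of its parent class. The static keyword can define static fields, static methods, and static code blocks, and can also be used to initialize data, but it differs from constructors. By studying the use of constructors and the static keyword, the paper analyzes how the singleton pattern is implemented.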

10.
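Coupling is a measure of the interaction between two modules. Aspect-oriented programming is a new programming paradigm that supports separation of concerns. At present, the usual way to measure coupling in aspect-oriented software is structural analysis and static code analysis of the software. However, because of dynamic binding in the system and the large amount of unused aspect code, static measurement results cannot accurately reflect the actual coupling at run time. The paper first proposes a dynamic coupling measurement framework suited to aspect-oriented software. Then, based on this framework, a set of dynamic coupling metrics is formally defined according to the different types of coupling relationship, and their mathematical properties are verified. Finally, the implementation of a dynamic coupling measurement tool is discussed.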

11.
This paper presents an assessment method to evaluate the quality of object oriented software systems. The assessment method is based on source code abstraction, object–oriented metrics and graphical representation. The metrics used and the underlying model representing the software are presented. The assessment method experiment is part of an industrial research effort with the Bell Canada Quality Engineering and Research Group. It helps evaluators assess the quality and risks associated with software by identifying code fragments presenting unusual characteristics. The assessment method evaluates object–oriented software systems at three levels of granularity: system level, class level and method level. One large C++ and eight Java software systems, for a total of over one million lines of code, are presented as case studies. A critical analysis of the results is presented comparing the systems and the two languages.

12.
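In the development of Java-based software products, how to ensure quality in the coding phase is one of the key concerns of software developers. Methods and tools are the key to assuring software quality. This paper introduces the basic concepts and models of software quality and describes the key methods and tools for quality assurance in the Java coding process.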

13.
This paper presents an assessment method to evaluate the quality of object oriented software systems. The assessment method is based on source code abstraction, object–oriented metrics and graphical representation. The metrics used and the underlying model representing the software are presented. The assessment method experiment is part of an industrial research effort with the Bell Canada Quality Engineering and Research Group. It helps evaluators assess the quality and risks associated with software by identifying code fragments presenting unusual characteristics. The assessment method evaluates object–oriented software systems at three levels of granularity: system level, class level and method level. One large C++ and eight Java software systems, for a total of over one million lines of code, are presented as case studies. A critical analysis of the results is presented comparing the systems and the two languages. This revised version was published online in June 2006 with corrections to the Cover Date.

14.
Collecting metrics and indicators to assess objectively the different products resulting during the lifecycle of a software project is a research area that encompasses many different aspects, apart from being highly demanded by companies and software development teams. Focusing on software products, one of the most used methods by development teams for measuring Internal Quality is the static analysis of the source code. This paper works in this line and presents a study of the state-of-the-art open source software tools that automate the collection of these metrics, particularly for developments in Java. These tools have been compared according to certain criteria defined in this study.

15.
Context: Static analysis of source code is a scalable method for discovery of software faults and security vulnerabilities. Techniques for static code analysis have matured in the last decade and many tools have been developed to support automatic detection. Objective: This research work is focused on empirical evaluation of the ability of static code analysis tools to detect security vulnerabilities with an objective to better understand their strengths and shortcomings. Method: We conducted an experiment which consisted of using the benchmarking test suite Juliet to evaluate three widely used commercial tools for static code analysis. Using design of experiments approach to conduct the analysis and evaluation and including statistical testing of the results are unique characteristics of this work. In addition to the controlled experiment, the empirical evaluation included case studies based on three open source programs. Results: Our experiment showed that 27% of C/C++ vulnerabilities and 11% of Java vulnerabilities were missed by all three tools. Some vulnerabilities were detected by only one or combination of two tools; 41% of C/C++ and 21% of Java vulnerabilities were detected by all three tools. More importantly, static code analysis tools did not show statistically significant difference in their ability to detect security vulnerabilities for both C/C++ and Java. Interestingly, all tools had median and mean of the per CWE recall values and overall recall across all CWEs close to or below 50%, which indicates comparable or worse performance than random guessing. While for C/C++ vulnerabilities one of the tools had better performance in terms of probability of false alarm than the other two tools, there was no statistically significant difference among tools’ probability of false alarm for Java test cases. Conclusions: Despite recent advances in methods for static code analysis, the state-of-the-art tools are not very effective in detecting security vulnerabilities.

16.
There is empirical evidence that internal software quality, e.g., the quality of source code, has great impact on the overall quality of software. Besides well-known manual inspection and review techniques for source code, more recent approaches utilize tool-based static code analysis for the evaluation of internal software quality. Despite the high potential of code analyzers the application of tools alone cannot replace well-founded expert opinion. Knowledge, experience and fair judgment are indispensable for a valid, reliable quality assessment, which is accepted by software developers and managers. The EMISQ method (Evaluation Method for Internal Software Quality), guides the assessment process for all stakeholders of an evaluation project. The method is supported by the Software Product Quality Reporter (SPQR), a tool which assists evaluators with their analysis and rating tasks and provides support for generating code quality reports. The application of SPQR has already proved its usefulness in various code assessment projects around the world. This paper introduces the EMISQ method and describes the tool support needed for an efficient and effective evaluation of internal software quality.

17.
Context: Software networks are directed graphs of static dependencies between source code entities (functions, classes, modules, etc.). These structures can be used to investigate the complexity and evolution of large-scale software systems and to compute metrics associated with software design. The extraction of software networks is also the first step in reverse engineering activities. Objective: The aim of this paper is to present SNEIPL, a novel approach to the extraction of software networks that is based on a language-independent, enriched concrete syntax tree representation of the source code. Method: The applicability of the approach is demonstrated by the extraction of software networks representing real-world, medium to large software systems written in different languages which belong to different programming paradigms. To investigate the completeness and correctness of the approach, class collaboration networks (CCNs) extracted from real-world Java software systems are compared to CCNs obtained by other tools. Namely, we used Dependency Finder which extracts entity-level dependencies from Java bytecode, and Doxygen which realizes language-independent fuzzy parsing approach to dependency extraction. We also compared SNEIPL to fact extractors present in language-independent reverse engineering tools. Results: Our approach to dependency extraction is validated on six real-world medium to large-scale software systems written in Java, Modula-2, and Delphi. The results of the comparative analysis involving ten Java software systems show that the networks formed by SNEIPL are highly similar to those formed by Dependency Finder and more precise than the comparable networks formed with the help of Doxygen. Regarding the comparison with language-independent reverse engineering tools, SNEIPL provides both language-independent extraction and representation of fact bases. Conclusion: SNEIPL is a language-independent extractor of software networks and consequently enables language-independent network-based analysis of software systems, computation of design software metrics, and extraction of fact bases for reverse engineering activities.

18.
Code transformation and analysis tools provide support for software engineering tasks such as style checking, testing, calculating software metrics as well as reverse‐ and re‐engineering. In this paper we describe the architecture and the applications of JTransform, a general Java source code processing and transformation framework. It consists of a Java parser generating a configurable parse tree and various visitors (transformers, tree evaluators) which produce different kinds of outputs. While our framework is written in Java, the paper further opens an opportunity for a new generation of XML‐based source code tools. Copyright © 2004 John Wiley & Sons, Ltd.

19.
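During software development, programmers' copy-and-paste activity produces a large amount of cloned code, and clones that undergo inconsistent changes are often harmful to the program. To address this problem and effectively find harmful clones in programs, a clone harmfulness prediction method based on Bayesian networks is proposed. First, drawing on research results from the fields of software defect research and clone evolution, two broad categories of features characterizing clone code are proposed: static features and evolution features. Second, a clone harmfulness prediction model is built using the core Bayesian network algorithm. Finally, the likelihood that harmful clones occur is predicted. The performance of the prediction model is evaluated on 99 versions in total of 5 open-source C software projects. The experimental results show that the method can effectively predict the harmfulness of cloned code, reduce the threat harmful clones pose to software, and improve software quality.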

20.
Build systems are responsible for transforming static source code artifacts into executable software. While build systems play such a crucial role in software development and maintenance, they have been largely ignored by software evolution researchers. However, a firm understanding of build system aging processes is needed in order to allow project managers to allocate personnel and resources to build system maintenance tasks effectively, and reduce the build maintenance overhead on regular development activities. In this paper, we study the evolution of build systems based on two popular Java build languages (i.e., ANT and Maven) from two perspectives: (1) a static perspective, where we examine the complexity of build system specifications using software metrics adopted from the source code domain; and (2) a dynamic perspective, where the complexity and coverage of representative build runs are measured. Case studies of the build systems of six open source build projects with a combined history of 172 releases show that build system and source code size are highly correlated, with source code restructurings often requiring build system restructurings. Furthermore, we find that Java build systems evolve dynamically in terms of duration and recursive depth of the directory hierarchy.
