Understanding, Analysis, and Handling of Software Architecture Erosion

Architecture erosion occurs when a software system's implemented architecture diverges from the intended architecture over time. Studies show erosion impacts development, maintenance, and evolution since it accumulates imperceptibly. Identifying early symptoms like architectural smells enables managing erosion through refactoring. However, research lacks comprehensive understanding of erosion, unclear which symptoms are most common, and lacks detection methods. This thesis establishes an erosion landscape, investigates symptoms, and proposes identification approaches. A mapping study covers erosion definitions, symptoms, causes, and consequences. Key findings: 1) "Architecture erosion" is the most used term, with four perspectives on definitions and respective symptom types. 2) Technical and non-technical reasons contribute to erosion, negatively impacting quality attributes. Practitioners can advocate addressing erosion to prevent failures. 3) Detection and correction approaches are categorized, with consistency and evolution-based approaches commonly mentioned.An empirical study explores practitioner perspectives through communities, surveys, and interviews. Findings reveal associated practices like code review and tools identify symptoms, while collected measures address erosion during implementation. Studying code review comments analyzes erosion in practice. One study reveals architectural violations, duplicate functionality, and cyclic dependencies are most frequent. Symptoms decreased over time, indicating increased stability. Most were addressed after review. A second study explores violation symptoms in four projects, identifying 10 categories. Refactoring and removing code address most violations, while some are disregarded.Machine learning classifiers using pre-trained word embeddings identify violation symptoms from code reviews. Key findings: 1) SVM with word2vec achieved highest performance. 2) fastText embeddings worked well. 3) 200-dimensional embeddings outperformed 100/300-dimensional. 4) Ensemble classifier improved performance. 5) Practitioners found results valuable, confirming potential.An automated recommendation system identifies qualified reviewers for violations using similarity detection on file paths and comments. Experiments show common methods perform well, outperforming a baseline approach. Sampling techniques impact recommendation performance

Mining Architectural Information: A Systematic Mapping Study

Context: Mining Software Repositories (MSR) has become an essential activity in software development. Mining architectural information to support architecting activities, such as architecture understanding and recovery, has received a significant attention in recent years. However, there is an absence of a comprehensive understanding of the state of research on mining architectural information. Objective: This work aims to identify, analyze, and synthesize the literature on mining architectural information in software repositories in terms of architectural information and sources mined, architecting activities supported, approaches and tools used, and challenges faced. Method: A Systematic Mapping Study (SMS) has been conducted on the literature published between January 2006 and November 2021. Results: Of the 79 primary studies finally selected, 8 categories of architectural information have been mined, among which architectural description is the most mined architectural information; 12 architecting activities can be supported by the mined architectural information, among which architecture understanding is the most supported activity; 81 approaches and 52 tools were proposed and employed in mining architectural information; and 4 types of challenges in mining architectural information were identified. Conclusions: This SMS provides researchers with promising future directions and help practitioners be aware of what approaches and tools can be used to mine what architectural information from what sources to support various architecting activities.Comment: 68 pages, 5 images, 15 tables, Manuscript submitted to a Journal (2022

An empirical study of the systemic and technical migration towards microservices

Context: As many organizations modernize their software architecture and transition to the cloud, migrations towards microservices become more popular. Even though such migrations help to achieve organizational agility and effectiveness in software development, they are also highly complex, long-running, and multi-faceted. Objective: In this study we aim to comprehensively map the journey towards microservices and describe in detail what such a migration entails. In particular, we aim to discuss not only the technical migration, but also the long-term journey of change, on a systemic level. Method: Our research method is an inductive, qualitative study on two data sources. Two main methodological steps take place – interviews and analysis of discussions from StackOverflow. The analysis of both, the 19 interviews and 215 StackOverflow discussions, is based on techniques found in grounded theory. Results: Our results depict the migration journey, as it materializes within the migrating organization, from structural changes to specific technical changes that take place in the work of engineers. We provide an overview of how microservices migrations take place as well as a deconstruction of high level modes of change to specific solution outcomes. Our theory contains 2 modes of change taking place in migration iterations, 14 activities and 53 solution outcomes of engineers. One of our findings is on the architectural change that is iterative and needs both a long and short term perspective, including both business and technical understanding. In addition, we found that a big proportion of the technical migration has to do with setting up supporting artifacts and changing the paradigm that software is developed

Advanced Security Analysis for Emergent Software Platforms

Emergent software ecosystems, boomed by the advent of smartphones and the Internet of Things (IoT) platforms, are perpetually sophisticated, deployed into highly dynamic environments, and facilitating interactions across heterogeneous domains. Accordingly, assessing the security thereof is a pressing need, yet requires high levels of scalability and reliability to handle the dynamism involved in such volatile ecosystems. This dissertation seeks to enhance conventional security detection methods to cope with the emergent features of contemporary software ecosystems. In particular, it analyzes the security of Android and IoT ecosystems by developing rigorous vulnerability detection methods. A critical aspect of this work is the focus on detecting vulnerable and unsafe interactions between applications that share common components and devices. Contributions of this work include novel insights and methods for: (1) detecting vulnerable interactions between Android applications that leverage dynamic loading features for concealing the interactions; (2) identifying unsafe interactions between smart home applications by considering physical and cyber channels; (3) detecting malicious IoT applications that are developed to target numerous IoT devices; (4) detecting insecure patterns of emergent security APIs that are reused from open-source software. In all of the four research thrusts, we present thorough security analysis and extensive evaluations based on real-world applications. Our results demonstrate that the proposed detection mechanisms can efficiently and effectively detect vulnerabilities in contemporary software platforms. Advisers: Hamid Bagheri and Qiben Ya

Evaluation of a Secure Smart Contract Development in Ethereum

In the Ethereum Blockchain, Smart Contracts are the standard programs that can perform operations in the network using the platform currency (ether) and data. Once these contracts are deployed, the user cannot change their state in the system. This immutability means that, if the contract has any vulnerabilities, it cannot be erased or modified. Ensuring that a contract is safe in the network requires the knowledge of developers to avoid these problems. Many tools explore and analyse the contract security and behaviour and, as a result, detect the vulnerabilities present. This thesis aims to analyse and integrate different security analysis tools in the smart contract development process allowing for better knowledge and awareness of best practices and tools to test and verify contracts, providing a safer smart contract to deploy. The development of the final solution that allows the integration of security analysis tools in smart contracts was performed in two stages. In the first stage, approaches, patterns and tools to develop smart contracts were studied and compared, by running them on a standard set of vulnerable contracts, to understand how effective they are in detecting vulnerabilities. Seven existing tools were found that can support the detection of vulnerabilities during the development process. In the second stage, it is introduced a framework called EthSential. EthSential was designed and implemented to initially integrate the security analysis tools, Mythril, Securify and Slither, with two ways to use, command line and Visual Studio Code. EthSential is published and publicly available through PyPI and Visual Studio Code extensions. To evaluate the solution, two software testing methods and a usability and satisfaction questionnaire were performed. The results were positive in terms of software testing. However, in terms of usability and satisfaction of the developers, the overall results did not meet expectations, concluding that improvements should be made in the future to increase the developers’ satisfaction and usability.Em Ethereum, contratos inteligentes são programas que permitem realizar operações na rede utilizando a moeda digital (ether) e os dados armazenados na mesma. Assim que estes contratos são enviados para a plataforma, o utilizador é impedido de alterar seu estado. Esta imutabilidade faz com que se o contrato tiver alguma vulnerabilidade, não poderá ser apagado ou modificado. Para garantir que um contrato seja considerado seguro, requer um conhecimento dos programadores em lidar com estas vulnerabilidades. Existem muitas ferramentas que exploram e analisam a segurança e o comportamento do contrato de forma a detectar as vulnerabilidades presentes. Esta tese tem como objectivo analisar e integrar diferentes ferramentas de análise de segurança no processo de desenvolvimento de contratos inteligentes. De forma a permitir um melhor conhecimento e consciência das melhores práticas é necessário analisar as ferramentas de teste e verificação de contratos, proporcionando assim um contrato mais seguro. O desenvolvimento da solução final foi realizado em duas fases. Na primeira fase, foram estudadas abordagens, padrões e ferramentas para desenvolver contratos inteligentes, e comparar essas ferramentas, executando-as num conjunto de contratos vulneráveis, para entender o quão eficaz são na detecção de vulnerabilidades. Neste estudo foram encontradas sete ferramentas que podem apoiar a detecção de vulnerabilidades durante o processo de desenvolvimento. Na segunda fase, é apresentada uma aplicação denominada EthSential. A aplicação foi desenhada e implementada de forma a integrar, inicialmente, as ferramentas de análise de segurança Mythril, Securify e Slither. A aplicação permite duas formas de uso, através da linha de comandos e através das extensões do Visual Studio Code. A aplicação foi publicada e disponibilizada publicamente através das ferramentas PyPI e Visual Studio Code. Para avaliar a solução, foram realizados dois métodos de teste de software e um questionário de usabilidade e satisfação. Os resultados finais foram considerados positivos em termos de teste de software. No entanto, em termos de usabilidade e satisfação dos programados, os resultados não correspoderam às expectativas. Concluindo assim que algumas melhorias devem ser feitas no futuro para aumentar a satisfação dos programadores e a respectiva usabilidade da solução

Use and misuse of the term "Experiment" in mining software repositories research

The significant momentum and importance of Mining Software Repositories (MSR) in Software Engineering (SE) has fostered new opportunities and challenges for extensive empirical research. However, MSR researchers seem to struggle to characterize the empirical methods they use into the existing empirical SE body of knowledge. This is especially the case of MSR experiments. To provide evidence on the special characteristics of MSR experiments and their differences with experiments traditionally acknowledged in SE so far, we elicited the hallmarks that differentiate an experiment from other types of empirical studies and characterized the hallmarks and types of experiments in MSR. We analyzed MSR literature obtained from a small-scale systematic mapping study to assess the use of the term experiment in MSR. We found that 19% of the papers claiming to be an experiment are indeed not an experiment at all but also observational studies, so they use the term in a misleading way. From the remaining 81% of the papers, only one of them refers to a genuine controlled experiment while the others stand for experiments with limited control. MSR researchers tend to overlook such limitations, compromising the interpretation of the results of their studies. We provide recommendations and insights to support the improvement of MSR experiments.This work has been partially supported by the Spanish project: MCI PID2020-117191RB-I00.Peer ReviewedPostprint (author's final draft

Deployment and Operation of Complex Software in Heterogeneous Execution Environments

This open access book provides an overview of the work developed within the SODALITE project, which aims at facilitating the deployment and operation of distributed software on top of heterogeneous infrastructures, including cloud, HPC and edge resources. The experts participating in the project describe how SODALITE works and how it can be exploited by end users. While multiple languages and tools are available in the literature to support DevOps teams in the automation of deployment and operation steps, still these activities require specific know-how and skills that cannot be found in average teams. The SODALITE framework tackles this problem by offering modelling and smart editing features to allow those we call Application Ops Experts to work without knowing low level details about the adopted, potentially heterogeneous, infrastructures. The framework offers also mechanisms to verify the quality of the defined models, generate the corresponding executable infrastructural code, automatically wrap application components within proper execution containers, orchestrate all activities concerned with deployment and operation of all system components, and support on-the-fly self-adaptation and refactoring

Migrations to Microservices-Based Architectures - a Tale of Technical and Organizational Change

As software systems evolve and scale faster than the foundations on which they are structured on, software architecture migrations to modern, cutting edge paradigms of development are becoming common. An example of such a paradigm is Microservices-based Architectures (MSAs). With MSAs, organizations can manage the complexity of their software and deploy individual pieces autonomously and independently.\ua0However, migrating towards microservices entails a lot of complexity. The evolution of the structures that a migration predisposes is multifaceted, with a socio-technical nature.Therefore, this thesis aims to first of all understand the process in which decisions are made by engineers to migrate their software architecture towards microservices. In addition, this thesis targets to aggregate the migration journey of organizations that change their software architecture to microservices. Finally, it is demonstrated how an organization\u27s operations implement different processes for software architecture migrations and development methodologies

Kollaboratives Reengineering und Modularisieren von Softwaresystemen

Software systems evolve over their lifetime. Changing requirements make it inevitable for developers to modify and extend the underlying code base. Specific requirements emerge in the context of open source software where everybody can contribute and requirements can change over time. In particular, research software is often not structured with a maintainable and extensible architecture. Furthermore, often databases are employed for retrieving, storing, and processing application data. Insufficient knowledge of the actual structure and behavior of such software systems and related databases can entail further challenges. Thus, understanding these software systems embodies a crucial task, which needs to be addressed in an appropriate way to face inevitable challenges while performing software changes. Approaches based on alternative display and interaction concepts can support this task by offering a more immersive user experience. In this thesis, we introduce three complementary approaches to support the evolution and particularly understanding of software systems in different aspects. Our main contributions are (i) an approach named CORAL for enabling collaborative reengineering and modularization of software systems, (ii) a gesture-based, collaborative, and multi-user-featuring Virtual Reality approach named ExplorViz VR for the software city metaphor, and (iii) a database behavior live-visualization approach named RACCOON for database comprehension of software systems. An extensive case study shows that our CORAL approach is capable of supporting reengineering and modularization processes. Furthermore, several lab experiments demonstrate the high usability, and efficiency and effectiveness for solving comprehension tasks when using the visualization within our multi-user VR approach ExplorViz VR. All implementations are available as open-source software on www.explorviz.net. Additionally, we provide an extensive experimental package of our latest VR evaluation to facilitate the verifiability and reproducibility of our results