The impact of surface features on choice of (in)secure answers by Stackoverflow readers
Existing research has shown that developers will use StackOverflow to answer programming questions: but what draws them to one particular answer over any other? The choice of answer they select can mean the difference between a secure application and an insecure one, as the quality of supposedly secure answers can vary. Prior work has studied people posting on Stack Overflow—a two-way communication between the original poster and the Stack Overflow community. Instead, we study the situation of one-way communication, where people only read a Stack Overflow thread without being actively involved in it, sometimes long after a thread has closed. We report on a mixed-method study including a controlled between-groups experiment and qualitative analysis of participants' rationale (N=1188), investigating whether explanation detail, answer scoring, accepted answer marks, as well as the security of the code snippet itself affect the answers participants accept. Our findings indicate that explanation detail affects what answers participants reading a thread select (p < 0.05)—the inverse of what research has shown for those asking and answering questions. The qualitative analysis of participants' rationale further explains how several cognitive biases underpin these findings. Correspondence bias, in particular, plays an important role in instilling readers with a false sense of confidence in an answer through the way it looks, regardless of whether it works, is secure, or if the community agrees with it. As a result, we argue that StackOverflow's use as a knowledge base by people not actively involved in threads (when there is only one-way communication) may inadvertently contribute to the spread of insecure code, as the community's voting mechanisms hold little power to deter them from such answers.
PyVerDetector: A Chrome Extension Detecting the Python Version of Stack Overflow Code Snippets
Over the years, Stack Overflow (SO) has accumulated numerous code snippets, with developers going to SO for problem solutions and code references. However, in the case of the Python programming language, Python 3 is not necessarily backward compatible with Python 2. The major implication of this versioning problem is that code written in Python 2 may not be interpreted by Python 3 without modifications. This issue may affect the usability of Python code snippets on SO. We investigate how many Python code snippets on SO suffer from version compatibility issues, and find that about 10% of the snippets exhibit this problem. Moreover, of the code snippets that are interpretable only by Python 2 or Python 3, less than 17% are tagged with the Python version. In this paper, we present a Chrome extension called PyVerDetector. This extension allows the user to select a given version of Python and verifies whether the code snippets on a given SO question are compatible with the user's selected Python version, providing error messages if not. The tool parses snippets and can determine versioning errors due to differences in syntax and also provides the user with a list of Python versions capable of interpreting each code snippet.
Yang S., Kanda T., Pizzolotto D., et al. PyVerDetector: A Chrome Extension Detecting the Python Version of Stack Overflow Code Snippets. IEEE International Conference on Program Comprehension 2023-May, 25 (2023); https://doi.org/10.1109/ICPC58990.2023.00013
Understanding Architecture Erosion: The Practitioners' Perceptive
As software systems evolve, their architecture is meant to adapt accordingly by following the changes in requirements, the environment, and the implementation. However, in practice, the evolving system often deviates from the architecture, causing severe consequences for system maintenance and evolution. This phenomenon of architecture erosion has been studied extensively in research, but has not yet been examined from the point of view of developers. In this exploratory study, we look into how developers perceive the notion of architecture erosion, its causes and consequences, as well as tools and practices to identify and control architecture erosion. To this end, we searched through several popular online developer communities to collect data on discussions related to architecture erosion. In addition, we identified developers involved in these discussions and conducted a survey with 10 participants and held interviews with 4 participants. Our findings show that: (1) developers either focus on the structural manifestation of architecture erosion or on its effect on run-time qualities, maintenance and evolution; (2) alongside technical factors, architecture erosion is caused to a large extent by non-technical factors; (3) despite the lack of dedicated tools for detecting architecture erosion, developers usually identify erosion through a number of symptoms; and (4) there are effective measures that can help to alleviate the impact of architecture erosion.
Comment: The 29th IEEE/ACM International Conference on Program Comprehension (ICPC
Does Collaborative Editing Help Mitigate Security Vulnerabilities in Crowd-Shared IoT Code Examples?
Background: With the proliferation of crowd-sourced developer forums, software developers are increasingly sharing more coding solutions to programming problems with others in forums. The decentralized nature of knowledge sharing on these sites has raised the concern of sharing security-vulnerable code, which can then be reused in mission-critical software systems, making those systems vulnerable in the process. Collaborative editing has been introduced in forums like Stack Overflow to improve the quality of the shared content. Aim: In this paper, we investigate whether code editing can mitigate shared vulnerable code examples by analyzing IoT code snippets and their revisions in three Stack Exchange sites: Stack Overflow, Arduino, and Raspberry Pi. Method: We analyze the vulnerabilities present in shared IoT C/C++ code snippets, as C/C++ is one of the most widely used languages in mission-critical devices and low-powered IoT devices. We further analyse the revisions made to these code snippets, and their effects. Results: We find several vulnerabilities, such as CWE 788 - Access of Memory Location After End of Buffer, in 740 code snippets. However, we find that the vast majority of posts are not revised, or revisions are not made to the code snippets themselves (598 out of 740). We also find that revisions are most likely to result in no change to the number of vulnerabilities in a code snippet rather than deteriorating or improving the snippet. Conclusions: We conclude that the current collaborative editing system in the forums may be insufficient to help mitigate vulnerabilities in the shared code.
Comment: 10 pages, 14 figures, ESEM2
Identifying Roles of Software Developers from their Answers on Stack Overflow
Stack Overflow is the world’s largest community of software developers. Users ask and answer questions on various tagged topics of software development. The set of questions a site user answers is representative of their knowledge base, or “wheelhouse”. It is proposed that clustering users by their wheelhouse yields communities of similar software developers by skill-set. These communities represent the different roles within software development and could be used as the basis to define roles at any point in time in an ever-evolving landscape of software development. A network graph of site users, linked if they answered questions on the same topic, was created. Eight distinct communities were identified using the Louvain method. The modularity of this set of communities was 0.46, indicating the presence of community structure that is unlikely to occur randomly. This partition was validated against the results of previous research that used data from the same time period. By extracting the top 5 tags from each identified community, the harmonic F1-score between the communities and the external dataset was found to be 0.75. It was statistically proven with 95% confidence that the communities identified were not identical to the results from the previous research. Nonetheless, there exists a strong similarity to the previous research. Hence, it was suggested that Stack Overflow data could be used to identify and define roles within software development. Upon applying this method to 2021 data, a previously unknown community of experts in R, C and Rust was identified. The method used in this research could be applied directly to any of the 177 Stack Exchange sites and could be used to form the basis of job roles for a wide range of industries.