Vulnerable Open Source Dependencies: Counting Those That Matter
BACKGROUND: Vulnerable dependencies are a known problem in today's
open-source software ecosystems because OSS libraries are highly interconnected
and developers do not always update their dependencies. AIMS: In this paper we
aim to present a precise methodology that combines the code-based analysis of
patches with information on build, test, update dates, and group extracted from
the very code repository, and therefore caters to the needs of industrial
practice for correct allocation of development and audit resources. METHOD: To
understand the industrial impact of the proposed methodology, we considered the
200 most popular OSS Java libraries used by SAP in its own software. Our
analysis included 10905 distinct GAVs (group, artifact, version) when
considering all the library versions. RESULTS: We found that about 20% of the
dependencies affected by a known vulnerability are not deployed, and therefore,
they do not represent a danger to the analyzed library because they cannot be
exploited in practice. Developers of the analyzed libraries are able to fix
(and actually responsible for) 82% of the deployed vulnerable dependencies. The
vast majority (81%) of vulnerable dependencies may be fixed by simply updating
to a new version, while 1% of the vulnerable dependencies in our sample are
halted, and therefore, potentially require a costly mitigation strategy.
CONCLUSIONS: Our case study shows that the correct counting allows software
development companies to receive actionable information about their library
dependencies, and therefore correctly allocate costly development and audit
resources, which are spent inefficiently in case of distorted measurements.
Comment: This is a pre-print of the paper that appears, with the same title,
in the proceedings of the 12th International Symposium on Empirical Software
Engineering and Measurement, 201
Arc-swift: A Novel Transition System for Dependency Parsing
Transition-based dependency parsers often need sequences of local shift and
reduce operations to produce certain attachments. Correct individual decisions
hence require global information about the sentence context and mistakes cause
error propagation. This paper proposes a novel transition system, arc-swift,
that enables direct attachments between tokens farther apart with a single
transition. This allows the parser to leverage lexical information more
directly in transition decisions. Hence, arc-swift can achieve significantly
better performance with a very small beam size. Our parsers reduce error by
3.7--7.6% relative to those using existing transition systems on the Penn
Treebank dependency parsing task and English Universal Dependencies.
Comment: Accepted at ACL 201
Toward Visualization and Analysis of Traceability Relationships in Distributed and Offshore Software Development Projects
Offshore software development projects provoke new issues to the collaborative endeavor of software development due to their global distribution and involvement of various people, processes, and tools. These problems relate to the geographical distance and the associated time-zone differences; cultural, organizational, and process issues; as well as language problems. However, existing tool support is neither adequate nor grounded in empirical observations. This paper presents two empirical studies of global software development teams and their usage of tools. The results are then used to motivate and inform the construction of more useful software development tools. The focus is on issues that are tool-related but have not yet been solved by existing tools. The two software tools presented as solutions, Ariadne and TraVis, explicitly address yet unresolved issues in global software development and also integrate with prevalent other solutions.
Computing Multi-Relational Sufficient Statistics for Large Databases
Databases contain information about which relationships do and do not hold
among entities. To make this information accessible for statistical analysis
requires computing sufficient statistics that combine information from
different database tables. Such statistics may involve any number of
positive and negative relationships. With a naive enumeration approach,
computing sufficient statistics for negative relationships is feasible only for
small databases. We solve this problem with a new dynamic programming algorithm
that performs a virtual join, where the requisite counts are computed without
materializing join tables. Contingency table algebra is a new extension of
relational algebra that facilitates the efficient implementation of this
Möbius virtual join operation. The Möbius Join scales to large datasets
(over 1M tuples) with complex schemas. Empirical evaluation with seven
benchmark datasets showed that information about the presence and absence of
links can be exploited in feature selection, association rule mining, and
Bayesian network learning.
Comment: 11 pages, 8 figures, 8 tables, CIKM'14, November 3--7, 2014, Shanghai,
China
MANAGING OBSOLETE KNOWLEDGE: TOWARDS A CLARIFIED AND CONTEXTUALIZED CONCEPTION OF UNLEARNING
The paper aims at clarifying, specifying, and contextualizing the concept of organizational unlearning in the IS literature, through a systematic analysis of the concept. We suggest a definition of unlearning as an intentional practice in order to reduce the possible negative impacts of obsolete knowledge. Reviewing the IS literature based on the suggested definition, we identify four dominant views of unlearning. Using this definition, we empirically explore how organizations apply unlearning in the case of disruptive IT changes. The insight from the empirical study shows a wide range of unlearning practices which are applied to different organizational and technical factors. In addition, we identify six characteristics of the IS context which have direct bearings on applying unlearning practices. Using these empirical insights, we suggest how the concept of unlearning can be clearly defined and specifically operationalized in order to avoid common misunderstanding of this concept. We conclude by commenting on how the dominant views of unlearning in the IS literature can be completed and enriched.