Automated Oracle Generation via Denotational Semantics
Software failure detection is typically done by comparing the running behaviors of a software under test (SUT) against its expected behaviors, called test oracles. In this paper, we present a formal approach to specifying test oracles in denotational semantics for systems with structured inputs. The approach introduces formal semantic evaluation rules, based on the denotational semantics methodology, defined on each productive grammar rule. We extend our grammar-based test generator, GENA, with automated test oracle generation. We provide three case studies of software testing: (i) a benchmark of Java programs on arithmetic calculations, (ii) an open source software on license identification, and (iii) selenium-based web testing. Experimental results demonstrate the effectiveness of our approach and illustrate the success of the application on the software testing.
Risk Mitigation in Corporate Participation with Open Source Communities: Protection and Compliance in an Open Source Supply Chain
Open source communities exist in large part through increasing participation from for-profit corporations. The balance between the seemingly conflicting ideals of open source communities and corporations creates a number of complex challenges for both. In this paper, we focus on corporate risk mitigation and the mandates on corporate participation in open source communities in light of open source license requirements. In response to these challenges, we aim to understand risk mitigation options within the dialectic of corporate participation with open source communities. Rather than emphasizing risk mitigation as an ad hoc and emergent process focused on bottom lines and shareholder interests, our interest is in formalized instruments and project management processes that can help corporations mitigate risks associated with participation in open source communities through shared IT projects. Accordingly, we identify two key risk domains that corporations must be attentive to: property protection and compliance. In addition, we discuss risk mitigation sourcing, arguing that tools and processes for mitigating open source project risk do not stem solely from a corporation or solely from an open source community. Instead, they originate from the interface between the two and can be paired in a complementary fashion in an overall project management process of risk mitigation.
This work has been funded through the National Science Foundation VOSS-IOS Grant: 112264
Getting Started with Corporate Open Source Governance: A Case Study Evaluation of Industry Best Practices
Open source software usage in companies is on the rise, often resulting in lower development costs, higher quality, and quick availability of code. However, using open source software in products comes with legal, business, and technical risks. Experienced companies prevent and address these risks through corporate open source governance. In our previous work, we studied how top-tier companies got started with corporate open source governance. We proposed a set of industry best practices on the topic, using the practical format of interconnected context-problem-solution patterns. In this study, we put the proposed state-of-the-art practices to the test by evaluating their real-life application in a case study at a Germany-based multibillion-dollar corporation with products in four distinct industries and more than 17000 employees worldwide. In the course of two and a half years, we conducted 35 semi-structured employee interviews and workshops in five divisions of the company to assess the initial situation of open source governance, the process of getting started with governance following our recommendations, and the outcomes. In this paper, we report the results of this longitudinal case study by presenting the artifacts created while getting started with open source governance, as well as the transferability evaluation of the proposed best practices, both individually and collectively.
Efficient Prior Publication Identification for Open Source Code
Free/Open Source Software (FOSS) enables large-scale reuse of preexisting software components. The main drawback is increased complexity in software supply chain management. A common approach to tame such complexity is automated open source compliance, which consists in automating the verification of adherence to various open source management best practices about license obligation fulfillment, vulnerability tracking, software composition analysis, and nearby concerns. We consider the problem of auditing a source code base to determine which of its parts have been published before, which is an important building block of automated open source compliance toolchains. Indeed, if source code allegedly developed in house is recognized as having been previously published elsewhere, alerts should be raised to investigate where it comes from and whether this entails that additional obligations shall be fulfilled before product shipment. We propose an efficient approach for prior publication identification that relies on a knowledge base of known source code artifacts linked together in a global Merkle directed acyclic graph and a dedicated discovery protocol. We introduce swh-scanner, a source code scanner that realizes the proposed approach in practice using as knowledge base Software Heritage, the largest public archive of source code artifacts. We validate experimentally the proposed approach, showing its efficiency in both abstract (number of queries) and concrete terms (wall-clock time), performing benchmarks on 16 845 real-world public code bases of various sizes, from small to very large.
Automated Software License and Copyright Analysis
The complex interactions of software licensing and intellectual property prove daunting hurdles for many individuals and businesses looking to open source software solutions. The financial repercussions for misusing a piece of open source software are high and require great attention. Many resources are required to determine a software package's copyright holders and licensing information.
The cost of such an analysis may become too high to justify the use of the open source solution. The existing tools for analyzing software projects' licenses and copyrights are lacking, and much hand vetting is required. If these tools could be improved, then free and open source software would be more transparent and less costly to companies and individuals looking for open source alternatives.
This thesis describes a new approach to automated software license analysis and copyright analysis, which results show to be more accurate and easier to maintain than previous methods. The use of machine learning and information extraction results in algorithms that produce abstract models of software licenses and copyrights based on hand-labelled data. We will show that these models are more general and robust than previous techniques, and result in better accuracy.
XScan: An Integrated Tool for Understanding Open Source Community-Based Scientific Code
Many scientific communities have adopted community-based models that integrate multiple components to simulate whole system dynamics. The complexity of community software projects, which stems from the integration of multiple individual software components that were developed under different application requirements and various machine architectures, has become a challenge for effective software system understanding and continuous software development. The paper presents an integrated software toolkit called X-ray Software Scanner (in abbreviation, XScan) for a better understanding of large-scale community-based scientific codes. Our software tool provides support to quickly summarize the overall information of scientific codes, including the number of lines of code, programming languages, external library dependencies, as well as architecture-dependent parallel software features. The XScan toolkit also realizes a static software analysis component to collect detailed structural information and provides an interactive visualization and analysis of the functions. We use a large-scale community-based Earth System Model to demonstrate the workflow, functions and visualization of the toolkit. We also discuss the application of advanced graph analytics techniques to assist software modular design and component refactoring.
REUSE Software: Making Copyright and Licensing Compliance Easier for Everyone
Best practices for displaying data and metadata pertaining to software licensing and copyright are currently unharmonized. The multiple competing licensing requirements for communicating the chosen license of a software project and its copyright holders increase the compliance burden on project maintainers, especially for smaller free and open source (FOSS) ones. The "REUSE Software" initiative aims to remediate this situation by defining a set of easy-to-implement best practices for declaring copyright and licensing in an unambiguous, human- and machine-readable way, so that the information is preserved when the file is copied and reused by third parties. REUSE specifications facilitate management policies for digital commons, improving data and metadata communication for individuals, communities, governments, and businesses.