
    Usability improvements to JavaScript/ECMAScript

    JavaScript is the most popular programming language in the world and the backbone of web development. However, despite its popularity, it is a source of frustration for the developers who work with it. This thesis identifies JavaScript's main problem as a lack of consistency within its features (often subtle), which leads to counterintuitive semantics. The problem is well known and has been partially addressed by a number of languages, language extensions, JavaScript strict mode, and linters. This thesis introduces JonScript, a simple and easy-to-use language on top of JavaScript that is compatible with existing JavaScript libraries and the JavaScript ecosystem. JonScript's features include universally applied arrow function semantics, functor syntax, operator overloading, async inference, and pattern matching. It also simplifies and regularizes a number of features with respect to JavaScript: string syntax, inheritance, instantiation, and expressions involving undefined object members. The thesis contains case studies showing the usability of JonScript and its compatibility with the jQuery and Redux libraries. It also contains a performance evaluation showing overhead with respect to TypeScript, suggesting that optimization is required.

    What to Fix? Distinguishing between design and non-design rules in automated tools

    Technical debt---design shortcuts taken to optimize for delivery speed---is a critical part of long-term software costs. Consequently, automatically detecting technical debt is a high priority for software practitioners. Software quality tool vendors have responded to this need by positioning their tools to detect and manage technical debt. While these tools bundle a number of rules, it is hard for users to understand which rules identify design issues, as opposed to syntactic quality. This matters, since previous studies have revealed that the most significant technical debt is related to design issues. Other research has focused on comparing these tools on open source projects, but these comparisons have not looked at whether the rules were relevant to design. We conducted an empirical study using a structured categorization approach and manually classified 466 software quality rules from three industry tools---CAST, SonarQube, and NDepend. We found that most of these rules were easily labeled as either not design (55%) or design (19%). The remainder (26%) resulted in disagreements among the labelers. Our results are a first step in formalizing a definition of a design rule, in order to support automatic detection. Comment: Long version of accepted short paper at International Conference on Software Architecture 2017 (Gothenburg, SE).

    Unleashing the Power of Clippy in Real-World Rust Projects

    Clippy lints are considered essential tools for Rust developers, as they can be configured as gate-keeping rules for a Rust project during continuous integration. Despite their availability, little was known about the practical application and cost-effectiveness of the lints in reducing code quality issues. In this study, we carry out a comprehensive analysis of the impact of Clippy lints on Rust development. The study is structured around three interrelated components, each contributing to the overall effectiveness of Clippy. First, we analyze Clippy lints across all idiomatic crates.io Rust projects, which have an average warning density of 21/KLOC. The analysis identifies the most cost-effective lint fixes, offering valuable opportunities for improving code quality. Second, we survey Rust developers to gather feedback on their experiences with Clippy. Their responses highlight two crucial concerns: the prevalence of false positives in warnings and the need for auto-fix support for most warnings. Third, building on these findings, we engineer three automated refactoring techniques that fix the four most frequent Clippy lints. As a result, the warning density in the Rosetta benchmarks decreased from 195/KLOC to 18/KLOC, already lower than the average density of the crates.io Rust projects. These results demonstrate the tangible benefit of our efforts in improving overall code quality and maintainability for Rust developers.
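As an added illustration of the "gate-keeping rule" role the abstract describes (this is example configuration, not from the study or any project it analyzed), the following GitHub Actions workflow fails a pull request on any Clippy warning. It assumes a standard Cargo project at the repository root; the action names are real, the file path and job names are the author's choices, and the `-A clippy::too_many_arguments` line is only an illustration of how a team would silence one lint it has judged to be a false positive for its code base:

```yaml
# .github/workflows/clippy.yml  (added example configuration)
name: clippy-gate

on: [push, pull_request]

# Least privilege for the default GITHUB_TOKEN: the job only reads the source.
permissions:
  contents: read

jobs:
  clippy:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions; in production replace the tag with a full
      # commit SHA so a moved tag cannot swap in different code.
      - uses: actions/checkout@v4
      - run: rustup update stable && rustup default stable
      - run: rustup component add clippy
      # -D warnings promotes every enabled lint to an error, so one new
      # warning fails the check and blocks the merge. --all-targets also
      # lints tests, benches and examples, which a plain run skips.
      # -A clippy::<lint> (illustrative lint name below) is the escape hatch
      # for a lint the team has reviewed and decided not to enforce; keep that
      # list short and reviewed, since every entry weakens the gate.
      - run: >
          cargo clippy --all-targets --all-features --
          -D warnings
          -A clippy::too_many_arguments
```

Locally, `cargo clippy --fix` applies the suggestions Clippy marks as machine-applicable, which is the kind of auto-fix support the surveyed developers asked for; suggestions that are not machine-applicable still have to be applied by hand before the gate above will pass.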

    Automated software security activities in a continuous delivery pipeline

    Due to the rise of cyberattacks on IT companies, software security has become a topic of debate. Currently, to secure their products, companies often rely on manual methods, which stall development and make it inefficient. To speed up the software development lifecycle, security work needs to be integrated into the development process and automated. This thesis provides an initial solution for automating the security phase within a continuous software delivery process. The solution integrates security tools into a GitHub repository by using GitHub Actions to create automated vulnerability scanning workflows for a software project. The solution is then tested and evaluated on three open-source projects and one project from our sponsor, Volue.
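To make the "automated vulnerability scanning workflow" concrete, here is an added example of such a GitHub Actions workflow. It is not the thesis's own configuration and does not reflect the tools it selected; it assumes a Node.js project with a `package-lock.json` and a `Dockerfile` at the repository root, and the file path, job names, schedule and severity thresholds are the author's choices. The action names and CLI flags are real:

```yaml
# .github/workflows/security-scan.yml  (added example configuration)
name: security-scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 3 * * 1"   # weekly run so new advisories surface without a code change

# Least privilege: the default GITHUB_TOKEN can read the repo and upload
# code-scanning results; nothing here can push or read repository secrets.
permissions:
  contents: read
  security-events: write

jobs:
  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions; in production replace the tag with a full
      # commit SHA so a moved tag cannot swap in different code.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # npm ci installs exactly what the lockfile says, so the audit
      # covers the dependency tree that will actually ship.
      - run: npm ci
      # Non-zero exit on any high or critical advisory fails the check
      # and therefore blocks the pull request.
      - run: npm audit --audit-level=high

  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      # Results are uploaded to the repository's code-scanning tab, which is
      # why security-events: write is granted above.
      - uses: github/codeql-action/analyze@v3

  container-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:ci .
      # Trivy run from its own image rather than a wrapper action (one less
      # third-party action to trust); the socket mount lets it read the image
      # just built. --exit-code 1 turns findings into a failed check.
      - run: |
          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
            aquasec/trivy:latest image --severity HIGH,CRITICAL --exit-code 1 app:ci
```

Each job is an independent gate, so a failing container scan does not hide a clean dependency audit, and branch protection rules can require all three checks before merge. The `aquasec/trivy:latest` tag is used here for brevity; for a reproducible pipeline pin it to a version or digest for the same reason the actions should be pinned.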

    Enhancing and integration of security testing in the development of a microservices environment

    In the last decade, web application development has been moving toward the adoption of Service-Oriented Architecture (SOA). In line with this trend, Software as a Service (SaaS) and Serverless providers are embracing DevOps with the latest tools to facilitate the creation, maintenance and scalability of microservice system configuration. Even within this trend, security is still an open issue that is too often underestimated. Many companies still think of security as a set of controls to be checked before the software is used in production. In reality, security needs to be taken into account along the entire Software Development Lifecycle (SDL). In this thesis, state-of-the-art security recommendations for microservice architectures are reviewed, and useful improvements are proposed. The main goal is for security to become better integrated into a company's workflow, increasing security awareness and simplifying the integration of security measures throughout the SDL. With this background, best practices and recommendations are compared with what companies are currently doing to secure their service-oriented infrastructures; the assumption that there is still much ground to cover security-wise still stands. Lastly, a small case study is presented and used as evidence of how small and dynamic startups can be front runners in high cybersecurity standards. The results of the analysis show that it is easier to integrate up-to-date security measures in a small company.

    Configuration Smells in Continuous Delivery Pipelines: A Linter and a Six-Month Study on GitLab

    An effective and efficient application of Continuous Integration (CI) and Delivery (CD) requires software projects to follow certain principles and good practices. Configuring such a CI/CD pipeline is challenging and error-prone. Therefore, automated linters have been proposed to detect errors in the pipeline. While existing linters identify syntactic errors, detect security vulnerabilities or misuse of the features provided by build servers, they do not support developers who want to prevent common misconfigurations of a CD pipeline that potentially violate CD principles ("CD smells"). To this end, we propose CD-Linter, a semantic linter that can automatically identify four different smells in pipeline configuration files. We have evaluated our approach through a large-scale and long-term study that consists of (i) monitoring 145 issues (opened in as many open-source projects) over a period of 6 months, (ii) manually validating the detection precision and recall on a representative sample of issues, and (iii) assessing the magnitude of the observed smells on 5,312 open-source projects on GitLab. Our results show that CD smells are accepted and fixed by most of the developers and that our linter achieves a precision of 87% and a recall of 94%. These smells can be frequently observed in the wild, as 31% of projects with long configurations are affected by at least one smell.

    Correções automáticas de problemas em TypeScript e JavaScript via Pull Requests

    Undergraduate thesis (graduation project), Universidade de Brasília, Instituto de Ciências Exatas, Departamento de Ciência da Computação, 2019. Static analyzers are widely used by developers: with them it is possible to detect likely errors and bad practices before code is pushed to a repository or goes into production. However, even with all these benefits, they still have problems that can hinder their adoption. A number of studies highlight some of these problems and outline possible solutions for fitting these tools more directly into developers' workflows, indicating that the usability of static analysis tools is strongly affected by the way developers program day to day. In this study we propose a new tool that, with the help of existing bots that watch source code repositories and run static analyses and source code transformations on the set of changes, makes automatic corrections following the pull-based development model. The tool is reusable because it is built on a microservice architecture using Docker containers, and it bundles the static analyzers currently most used for JavaScript and TypeScript. In addition, it includes new rules created as a result of this work. The objective of the project is to create automatic corrections that improve the code quality and security of JavaScript- and TypeScript-based projects of the Tribunal de Contas da União, and to contribute directly to the C-3PR research project and bot (the master's project of the student Antônio Carlos de Carvalho Júnior), which seeks a new approach to the use of static analyzers. We validated the approach by using C-3PR together with our proposed tool on about 21 projects of the Tribunal de Contas da União. To date, the tools added to C-3PR by this work have been executed 1466 times and have resulted in the creation of 30 pull requests (19 accepted) in the analyzed repositories, contributing directly to code quality, fewer code smells, increased security and fewer bad practices in the source code of each analyzed project.