On the Rise and Fall of Simple Stupid Bugs: a Life-Cycle Analysis of SStuBs
Bug detection and prevention is one of the most important goals of software
quality assurance. Nowadays, many of the major problems faced by developers can
be detected or even fixed fully or partially with automatic tools. However,
recent works have shown that code-bases contain a substantial number of simple yet
very annoying errors, which are easy to fix but hard to detect, as they do not
hinder the functionality of the given product in a major way.
Programmers introduce such errors accidentally, mostly due to inattention.
Using the ManySStuBs4J dataset, which contains many simple, stupid bugs found
in GitHub repositories written in the Java programming language, we
investigated the history of such bugs. We were interested in properties such
as: How long do such bugs stay unnoticed in code-bases? Are they typically
fixed by the same developer who introduced them? Are they introduced with the
addition of new code, or caused more by careless modification of existing code?
We found that most such stupid bugs lurk in the code for a
long time before they get removed. We noticed that the developer who made the
mistake seems to find a solution faster; however, less than half of SStuBs are
fixed by the same person. We also examined PMD's performance when it came to
flagging lines containing SStuBs, and found that, similarly to SpotBugs, it is
insufficient when it comes to finding these types of errors. Examining the
life-cycle of such bugs allows us to better understand their nature and adjust
our development processes and quality assurance methods to better support
avoiding them.
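The life-cycle properties studied above (how long a bug survives, and whether its author also fixes it) can be sketched with a minimal script. The record layout, names, and sample data below are illustrative assumptions, not the authors' actual tooling or the ManySStuBs4J schema:

```python
from datetime import datetime
from statistics import median

# Hypothetical record layout: one entry per SStuB, with the commit
# that introduced the bug and the commit that fixed it.
bugs = [
    {"introduced_by": "alice", "introduced_at": datetime(2019, 1, 10),
     "fixed_by": "alice",      "fixed_at": datetime(2019, 1, 12)},
    {"introduced_by": "bob",   "introduced_at": datetime(2019, 2, 1),
     "fixed_by": "carol",      "fixed_at": datetime(2019, 8, 15)},
    {"introduced_by": "dave",  "introduced_at": datetime(2018, 6, 3),
     "fixed_by": "erin",       "fixed_at": datetime(2019, 6, 3)},
]

def lifetime_days(bug):
    """Days the bug survived between introduction and fix."""
    return (bug["fixed_at"] - bug["introduced_at"]).days

def same_author_ratio(bugs):
    """Fraction of bugs fixed by the developer who introduced them."""
    same = sum(1 for b in bugs if b["introduced_by"] == b["fixed_by"])
    return same / len(bugs)

median_lifetime = median(lifetime_days(b) for b in bugs)
ratio = same_author_ratio(bugs)
```

With real data, the same two aggregates would come from mining the version history for each bug's introducing and fixing commits.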
Towards a Prototype-Based Explainable JavaScript Vulnerability Prediction Model
Security has become a central and unavoidable aspect of today's software development. Practitioners and researchers have proposed many code analysis tools and techniques to mitigate security risks. These tools apply static and dynamic analysis or, more recently, machine learning. Machine learning models can achieve impressive results in finding and forecasting possible security issues in programs. However, most of the current approaches fall short of developer demands in at least two areas: explainability and granularity of predictions. In this paper, we propose a novel and simple, yet promising, approach to identify potentially vulnerable source code in JavaScript programs. The model improves the state-of-the-art in terms of explainability and prediction granularity, as it gives results at the level of individual source code lines, which is fine-grained enough for developers to take immediate action. Additionally, the model explains each predicted line (i.e., provides the most similar vulnerable line from the training set) using a prototype-based approach. In a study of 186 real-world and confirmed JavaScript vulnerability fixes of 91 projects, the approach could flag 60% of the known vulnerable lines on average by marking only 10% of the code-base; in particular cases, the model identified 100% of the vulnerable code lines while flagging only 8.72% of the code-base.
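The prototype-based explanation step (flag a line, then show the most similar known vulnerable line as the justification) can be illustrated with a minimal sketch. Everything here is an assumption for illustration only: the identifier-level tokenization, the cosine similarity, the prototype lines, and the 0.3 threshold are stand-ins, since the paper's actual model is not specified in this abstract:

```python
import re
from collections import Counter
from math import sqrt

def tokens(line):
    """Identifier tokens of a source line (a crude stand-in for
    whatever representation the real model uses)."""
    return re.findall(r"[A-Za-z_]\w*", line)

def cosine(a, b):
    """Cosine similarity between two bags of tokens."""
    ca, cb = Counter(a), Counter(b)
    dot = sum(ca[t] * cb[t] for t in ca)
    na = sqrt(sum(v * v for v in ca.values()))
    nb = sqrt(sum(v * v for v in cb.values()))
    return dot / (na * nb) if na and nb else 0.0

# Hypothetical prototype set: known vulnerable lines from past fixes.
prototypes = [
    "eval(userInput);",
    "document.write(location.hash);",
    "child_process.exec(cmd + args);",
]

def explain(line, threshold=0.3):
    """Flag a line if it is similar enough to a known vulnerable
    prototype, and return that prototype as the explanation."""
    best = max(prototypes, key=lambda p: cosine(tokens(line), tokens(p)))
    score = cosine(tokens(line), tokens(best))
    return score >= threshold, best, score

flagged, proto, score = explain("eval(req.query.data);")
```

The returned prototype is what makes the prediction actionable: instead of an opaque score, the developer sees a concrete past vulnerability that the new line resembles.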