[{"doi":"10.48550/ARXIV.2403.07501","title":"Detecting Security-Relevant Methods using Multi-label Machine Learning","author":[{"full_name":"Johnson, Oshando","id":"66583","last_name":"Johnson","first_name":"Oshando"},{"first_name":"Goran","last_name":"Piskachev","orcid":"0000-0003-4424-5838","full_name":"Piskachev, Goran","id":"41936"},{"last_name":"Krishnamurthy","orcid":"0000-0002-0906-5463","id":"78060","full_name":"Krishnamurthy, Ranjith","first_name":"Ranjith"},{"orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256","full_name":"Bodden, Eric","first_name":"Eric"}],"date_created":"2024-05-06T11:43:19Z","date_updated":"2024-05-06T11:47:14Z","citation":{"mla":"Johnson, Oshando, et al. “Detecting Security-Relevant Methods Using Multi-Label Machine Learning.” <i>Proceedings of the 46th International Conference on Software Engineering, IDE Workshop</i>, 2024, doi:<a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">10.48550/ARXIV.2403.07501</a>.","short":"O. Johnson, G. Piskachev, R. Krishnamurthy, E. Bodden, in: Proceedings of the 46th International Conference on Software Engineering, IDE Workshop, 2024.","bibtex":"@inproceedings{Johnson_Piskachev_Krishnamurthy_Bodden_2024, title={Detecting Security-Relevant Methods using Multi-label Machine Learning}, DOI={<a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">10.48550/ARXIV.2403.07501</a>}, booktitle={Proceedings of the 46th International Conference on Software Engineering, IDE Workshop}, author={Johnson, Oshando and Piskachev, Goran and Krishnamurthy, Ranjith and Bodden, Eric}, year={2024} }","apa":"Johnson, O., Piskachev, G., Krishnamurthy, R., &#38; Bodden, E. (2024). Detecting Security-Relevant Methods using Multi-label Machine Learning. <i>Proceedings of the 46th International Conference on Software Engineering, IDE Workshop</i>. <a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">https://doi.org/10.48550/ARXIV.2403.07501</a>","ama":"Johnson O, Piskachev G, Krishnamurthy R, Bodden E. 
Detecting Security-Relevant Methods using Multi-label Machine Learning. In: <i>Proceedings of the 46th International Conference on Software Engineering, IDE Workshop</i>. ; 2024. doi:<a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">10.48550/ARXIV.2403.07501</a>","chicago":"Johnson, Oshando, Goran Piskachev, Ranjith Krishnamurthy, and Eric Bodden. “Detecting Security-Relevant Methods Using Multi-Label Machine Learning.” In <i>Proceedings of the 46th International Conference on Software Engineering, IDE Workshop</i>, 2024. <a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">https://doi.org/10.48550/ARXIV.2403.07501</a>.","ieee":"O. Johnson, G. Piskachev, R. Krishnamurthy, and E. Bodden, “Detecting Security-Relevant Methods using Multi-label Machine Learning,” 2024, doi: <a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">10.48550/ARXIV.2403.07501</a>."},"year":"2024","language":[{"iso":"eng"}],"department":[{"_id":"76"},{"_id":"662"}],"user_id":"15249","_id":"53958","status":"public","abstract":[{"lang":"eng","text":"To detect security vulnerabilities, static analysis tools need to be configured with security-relevant methods. Current approaches can automatically identify such methods using binary relevance machine learning approaches. However, they ignore dependencies among security-relevant methods, over-generalize and perform poorly in practice. Additionally, users have to nevertheless manually configure static analysis tools using the detected methods. Based on feedback from users and our observations, the excessive manual steps can often be tedious, error-prone and counter-intuitive.\r\n In this paper, we present Dev-Assist, an IntelliJ IDEA plugin that detects security-relevant methods using a multi-label machine learning approach that considers dependencies among labels. The plugin can automatically generate configurations for static analysis tools, run the static analysis, and show the results in IntelliJ IDEA. 
Our experiments reveal that Dev-Assist's machine learning approach has a higher F1-Measure than related approaches. Moreover, the plugin reduces and simplifies the manual effort required when configuring and using static analysis tools."}],"publication":"Proceedings of the 46th International Conference on Software Engineering, IDE Workshop","type":"conference"},{"date_updated":"2023-12-04T11:29:49Z","publisher":"Springer Science and Business Media LLC","volume":28,"date_created":"2023-12-04T11:14:34Z","author":[{"first_name":"Goran","id":"41936","full_name":"Piskachev, Goran","last_name":"Piskachev","orcid":"0000-0003-4424-5838"},{"first_name":"Matthias","full_name":"Becker, Matthias","id":"4870","last_name":"Becker","orcid":"https://orcid.org/0000-0003-2465-9347"},{"first_name":"Eric","id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647"}],"title":"Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study","doi":"10.1007/s10664-023-10354-3","publication_identifier":{"issn":["1382-3256","1573-7616"]},"publication_status":"published","issue":"5","year":"2023","intvolume":"        28","citation":{"ama":"Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. <i>Empirical Software Engineering</i>. 2023;28(5). doi:<a href=\"https://doi.org/10.1007/s10664-023-10354-3\">10.1007/s10664-023-10354-3</a>","ieee":"G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study,” <i>Empirical Software Engineering</i>, vol. 28, no. 5, Art. no. 118, 2023, doi: <a href=\"https://doi.org/10.1007/s10664-023-10354-3\">10.1007/s10664-023-10354-3</a>.","chicago":"Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? 
- A User Study.” <i>Empirical Software Engineering</i> 28, no. 5 (2023). <a href=\"https://doi.org/10.1007/s10664-023-10354-3\">https://doi.org/10.1007/s10664-023-10354-3</a>.","bibtex":"@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study}, volume={28}, DOI={<a href=\"https://doi.org/10.1007/s10664-023-10354-3\">10.1007/s10664-023-10354-3</a>}, number={5118}, journal={Empirical Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden, Eric}, year={2023} }","short":"G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023).","mla":"Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” <i>Empirical Software Engineering</i>, vol. 28, no. 5, 118, Springer Science and Business Media LLC, 2023, doi:<a href=\"https://doi.org/10.1007/s10664-023-10354-3\">10.1007/s10664-023-10354-3</a>.","apa":"Piskachev, G., Becker, M., &#38; Bodden, E. (2023). Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. <i>Empirical Software Engineering</i>, <i>28</i>(5), Article 118. <a href=\"https://doi.org/10.1007/s10664-023-10354-3\">https://doi.org/10.1007/s10664-023-10354-3</a>"},"_id":"49439","department":[{"_id":"76"},{"_id":"662"}],"user_id":"15249","keyword":["Software"],"article_number":"118","language":[{"iso":"eng"}],"publication":"Empirical Software Engineering","type":"journal_article","abstract":[{"text":"<jats:title>Abstract</jats:title><jats:p>The use of static analysis security testing (SAST) tools has been increasing in recent years. However, previous studies have shown that, when shipped to end users such as development or security teams, the findings of these tools are often unsatisfying. 
Users report high numbers of false positives or long analysis times, making the tools unusable in the daily workflow. To address this, SAST tool creators provide a wide range of configuration options, such as customization of rules through domain-specific languages or specification of the application-specific analysis scope. In this paper, we study the configuration space of selected existing SAST tools when used within the integrated development environment (IDE). We focus on the configuration options that impact three dimensions, for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects user study with 40 users from multiple development and security teams - to our knowledge, the largest population for this kind of user study in the software engineering community. The results show that users who configure SAST tools are more effective in resolving security vulnerabilities detected by the tools than those using the default configuration. Based on post-study interviews, we identify common strategies that users have while configuring the SAST tools to provide further insights for tool creators. Finally, an evaluation of the configuration options of two commercial SAST tools, <jats:sc>Fortify</jats:sc> and <jats:sc>CheckMarx</jats:sc>, reveals that a quarter of the users do not understand the configuration options provided. 
The configuration options that are found most useful relate to the analysis scope.</jats:p>","lang":"eng"}],"status":"public"},{"date_created":"2023-02-06T10:37:23Z","author":[{"first_name":"Linghui","last_name":"Luo","full_name":"Luo, Linghui"},{"last_name":"Piskachev","orcid":"0000-0003-4424-5838","id":"41936","full_name":"Piskachev, Goran","first_name":"Goran"},{"first_name":"Ranjith","last_name":"Krishnamurthy","orcid":"0000-0002-0906-5463","id":"78060","full_name":"Krishnamurthy, Ranjith"},{"full_name":"Dolby, Julian","last_name":"Dolby","first_name":"Julian"},{"full_name":"Schäf, Martin","last_name":"Schäf","first_name":"Martin"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256","full_name":"Bodden, Eric"}],"date_updated":"2025-04-07T10:15:08Z","title":"Model Generation For Java Frameworks","citation":{"bibtex":"@inproceedings{Luo_Piskachev_Krishnamurthy_Dolby_Schäf_Bodden_2023, title={Model Generation For Java Frameworks}, booktitle={IEEE International Conference on Software Testing, Verification and Validation (ICST)}, author={Luo, Linghui and Piskachev, Goran and Krishnamurthy, Ranjith and Dolby, Julian and Schäf, Martin and Bodden, Eric}, year={2023} }","mla":"Luo, Linghui, et al. “Model Generation For Java Frameworks.” <i>IEEE International Conference on Software Testing, Verification and Validation (ICST)</i>, 2023.","short":"L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, E. Bodden, in: IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023.","apa":"Luo, L., Piskachev, G., Krishnamurthy, R., Dolby, J., Schäf, M., &#38; Bodden, E. (2023). Model Generation For Java Frameworks. <i>IEEE International Conference on Software Testing, Verification and Validation (ICST)</i>.","ama":"Luo L, Piskachev G, Krishnamurthy R, Dolby J, Schäf M, Bodden E. Model Generation For Java Frameworks. 
In: <i>IEEE International Conference on Software Testing, Verification and Validation (ICST)</i>. ; 2023.","ieee":"L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, and E. Bodden, “Model Generation For Java Frameworks,” 2023.","chicago":"Luo, Linghui, Goran Piskachev, Ranjith Krishnamurthy, Julian Dolby, Martin Schäf, and Eric Bodden. “Model Generation For Java Frameworks.” In <i>IEEE International Conference on Software Testing, Verification and Validation (ICST)</i>, 2023."},"year":"2023","department":[{"_id":"76"},{"_id":"662"}],"user_id":"15249","_id":"41812","language":[{"iso":"eng"}],"publication":"IEEE International Conference on Software Testing, Verification and Validation (ICST)","type":"conference","status":"public"},{"year":"2022","citation":{"apa":"Piskachev, G., Späth, J., Budde, I., &#38; Bodden, E. (2022). Fluently specifying taint-flow queries with fluentTQL. <i>Empirical Software Engineering</i>, <i>27</i>(5), 1–33.","short":"G. Piskachev, J. Späth, I. Budde, E. Bodden, Empirical Software Engineering 27 (2022) 1–33.","mla":"Piskachev, Goran, et al. “Fluently Specifying Taint-Flow Queries with FluentTQL.” <i>Empirical Software Engineering</i>, vol. 27, no. 5, Springer, 2022, pp. 1–33.","bibtex":"@article{Piskachev_Späth_Budde_Bodden_2022, title={Fluently specifying taint-flow queries with fluentTQL}, volume={27}, number={5}, journal={Empirical Software Engineering}, publisher={Springer}, author={Piskachev, Goran and Späth, Johannes and Budde, Ingo and Bodden, Eric}, year={2022}, pages={1–33} }","ama":"Piskachev G, Späth J, Budde I, Bodden E. Fluently specifying taint-flow queries with fluentTQL. <i>Empirical Software Engineering</i>. 2022;27(5):1–33.","ieee":"G. Piskachev, J. Späth, I. Budde, and E. Bodden, “Fluently specifying taint-flow queries with fluentTQL,” <i>Empirical Software Engineering</i>, vol. 27, no. 5, pp. 1–33, 2022.","chicago":"Piskachev, Goran, Johannes Späth, Ingo Budde, and Eric Bodden. 
“Fluently Specifying Taint-Flow Queries with FluentTQL.” <i>Empirical Software Engineering</i> 27, no. 5 (2022): 1–33."},"intvolume":"        27","page":"1–33","issue":"5","title":"Fluently specifying taint-flow queries with fluentTQL","date_updated":"2022-10-20T12:36:23Z","publisher":"Springer","author":[{"id":"41936","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838","last_name":"Piskachev","first_name":"Goran"},{"first_name":"Johannes","last_name":"Späth","full_name":"Späth, Johannes"},{"last_name":"Budde","orcid":"https://orcid.org/0000-0003-0124-6291","full_name":"Budde, Ingo","id":"13693","first_name":"Ingo"},{"id":"59256","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","first_name":"Eric"}],"date_created":"2022-10-20T12:34:04Z","volume":27,"status":"public","type":"journal_article","publication":"Empirical Software Engineering","language":[{"iso":"eng"}],"_id":"33836","user_id":"15249","department":[{"_id":"76"},{"_id":"662"}]},{"year":"2022","citation":{"apa":"Krishnamurthy, R., Piskachev, G., &#38; Bodden, E. (2022). <i>To what extent can we analyze Kotlin programs using existing Java taint analysis tools?</i>","bibtex":"@article{Krishnamurthy_Piskachev_Bodden_2022, series={IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM)}, title={To what extent can we analyze Kotlin programs using existing Java taint analysis tools?}, author={Krishnamurthy, Ranjith and Piskachev, Goran and Bodden, Eric}, year={2022}, collection={IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM)} }","mla":"Krishnamurthy, Ranjith, et al. <i>To What Extent Can We Analyze Kotlin Programs Using Existing Java Taint Analysis Tools?</i> 2022.","short":"R. Krishnamurthy, G. Piskachev, E. Bodden, (2022).","chicago":"Krishnamurthy, Ranjith, Goran Piskachev, and Eric Bodden. 
“To What Extent Can We Analyze Kotlin Programs Using Existing Java Taint Analysis Tools?” IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM), 2022.","ieee":"R. Krishnamurthy, G. Piskachev, and E. Bodden, “To what extent can we analyze Kotlin programs using existing Java taint analysis tools?” 2022.","ama":"Krishnamurthy R, Piskachev G, Bodden E. To what extent can we analyze Kotlin programs using existing Java taint analysis tools? Published online 2022."},"date_updated":"2022-10-20T12:38:32Z","author":[{"last_name":"Krishnamurthy","orcid":"0000-0002-0906-5463","id":"78060","full_name":"Krishnamurthy, Ranjith","first_name":"Ranjith"},{"last_name":"Piskachev","orcid":"0000-0003-4424-5838","id":"41936","full_name":"Piskachev, Goran","first_name":"Goran"},{"full_name":"Bodden, Eric","id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"date_created":"2022-10-20T12:38:09Z","title":"To what extent can we analyze Kotlin programs using existing Java taint analysis tools?","type":"conference","status":"public","_id":"33838","user_id":"15249","series_title":"IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM)","department":[{"_id":"76"},{"_id":"662"}],"language":[{"iso":"eng"}]},{"type":"conference","status":"public","_id":"33837","department":[{"_id":"76"},{"_id":"662"}],"series_title":"IEEE Secure Development Conference (SecDev)","user_id":"15249","language":[{"iso":"eng"}],"year":"2022","citation":{"mla":"Piskachev, Goran, et al. <i>How Far Are German Companies in Improving Security through Static Program Analysis Tools?</i> 2022.","short":"G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, E. 
Bodden, (2022).","bibtex":"@article{Piskachev_Dziwok_Koch_Merschjohann_Bodden_2022, series={IEEE Secure Development Conference (SecDev)}, title={How far are German companies in improving security through static program analysis tools?}, author={Piskachev, Goran and Dziwok, Stefan and Koch, Thorsten and Merschjohann, Sven and Bodden, Eric}, year={2022}, collection={IEEE Secure Development Conference (SecDev)} }","apa":"Piskachev, G., Dziwok, S., Koch, T., Merschjohann, S., &#38; Bodden, E. (2022). <i>How far are German companies in improving security through static program analysis tools?</i>","chicago":"Piskachev, Goran, Stefan Dziwok, Thorsten Koch, Sven Merschjohann, and Eric Bodden. “How Far Are German Companies in Improving Security through Static Program Analysis Tools?” IEEE Secure Development Conference (SecDev), 2022.","ieee":"G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, and E. Bodden, “How far are German companies in improving security through static program analysis tools?” 2022.","ama":"Piskachev G, Dziwok S, Koch T, Merschjohann S, Bodden E. How far are German companies in improving security through static program analysis tools? 
Published online 2022."},"date_updated":"2022-10-20T12:37:44Z","author":[{"full_name":"Piskachev, Goran","id":"41936","last_name":"Piskachev","orcid":"0000-0003-4424-5838","first_name":"Goran"},{"first_name":"Stefan","full_name":"Dziwok, Stefan","id":"3901","orcid":"http://orcid.org/0000-0002-8679-6673","last_name":"Dziwok"},{"first_name":"Thorsten","last_name":"Koch","id":"13616","full_name":"Koch, Thorsten"},{"full_name":"Merschjohann, Sven","id":"11394","last_name":"Merschjohann","first_name":"Sven"},{"first_name":"Eric","id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647"}],"date_created":"2022-10-20T12:37:14Z","title":"How far are German companies in improving security through static program analysis tools?"},{"language":[{"iso":"eng"}],"ddc":["000"],"department":[{"_id":"77"},{"_id":"76"}],"user_id":"15249","_id":"27045","project":[{"_id":"1","name":"SFB 901"},{"_id":"3","name":"SFB 901 - Project Area B"},{"_id":"12","name":"SFB 901 - Subproject B4"}],"status":"public","abstract":[{"text":"Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and address static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. 
First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.","lang":"eng"}],"publication":"Empirical Software Engineering","type":"journal_article","doi":"10.1007/s10664-021-10013-5","main_file_link":[{"url":"https://link.springer.com/content/pdf/10.1007/s10664-021-10013-5.pdf","open_access":"1"}],"title":"TaintBench: Automatic real-world malware benchmarking of Android taint analyses","author":[{"first_name":"Linghui","full_name":"Luo, Linghui","last_name":"Luo"},{"first_name":"Felix","last_name":"Pauck","id":"22398","full_name":"Pauck, Felix"},{"last_name":"Piskachev","orcid":"0000-0003-4424-5838","full_name":"Piskachev, Goran","id":"41936","first_name":"Goran"},{"first_name":"Manuel","full_name":"Benz, Manuel","last_name":"Benz"},{"first_name":"Ivan","last_name":"Pashchenko","full_name":"Pashchenko, Ivan"},{"first_name":"Martin","orcid":"0000-0001-5609-0031","last_name":"Mory","id":"65667","full_name":"Mory, Martin"},{"orcid":"0000-0003-3470-3647","last_name":"Bodden","full_name":"Bodden, Eric","id":"59256","first_name":"Eric"},{"last_name":"Hermann","orcid":"0000-0001-9848-2017","full_name":"Hermann, Ben","id":"66173","first_name":"Ben"},{"last_name":"Massacci","full_name":"Massacci, Fabio","first_name":"Fabio"}],"date_created":"2021-11-02T05:13:49Z","date_updated":"2022-01-06T06:57:32Z","oa":"1","citation":{"ieee":"L. 
Luo <i>et al.</i>, “TaintBench: Automatic real-world malware benchmarking of Android taint analyses,” <i>Empirical Software Engineering</i>, 2021, doi: <a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>.","chicago":"Luo, Linghui, Felix Pauck, Goran Piskachev, Manuel Benz, Ivan Pashchenko, Martin Mory, Eric Bodden, Ben Hermann, and Fabio Massacci. “TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” <i>Empirical Software Engineering</i>, 2021. <a href=\"https://doi.org/10.1007/s10664-021-10013-5\">https://doi.org/10.1007/s10664-021-10013-5</a>.","ama":"Luo L, Pauck F, Piskachev G, et al. TaintBench: Automatic real-world malware benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>. Published online 2021. doi:<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>","bibtex":"@article{Luo_Pauck_Piskachev_Benz_Pashchenko_Mory_Bodden_Hermann_Massacci_2021, title={TaintBench: Automatic real-world malware benchmarking of Android taint analyses}, DOI={<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>}, journal={Empirical Software Engineering}, author={Luo, Linghui and Pauck, Felix and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and Bodden, Eric and Hermann, Ben and Massacci, Fabio}, year={2021} }","mla":"Luo, Linghui, et al. “TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” <i>Empirical Software Engineering</i>, 2021, doi:<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>.","short":"L. Luo, F. Pauck, G. Piskachev, M. Benz, I. Pashchenko, M. Mory, E. Bodden, B. Hermann, F. Massacci, Empirical Software Engineering (2021).","apa":"Luo, L., Pauck, F., Piskachev, G., Benz, M., Pashchenko, I., Mory, M., Bodden, E., Hermann, B., &#38; Massacci, F. (2021). 
TaintBench: Automatic real-world malware benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>. <a href=\"https://doi.org/10.1007/s10664-021-10013-5\">https://doi.org/10.1007/s10664-021-10013-5</a>"},"year":"2021","publication_identifier":{"issn":["1382-3256","1573-7616"]},"publication_status":"published"},{"user_id":"72582","_id":"23388","language":[{"iso":"eng"}],"keyword":["Static Analysis","Callgraph Analysis","Python","Qualitative Analysis","Quantitative Analysis","Empirical Evaluation"],"type":"conference","publication":"Proceedings of the 2021 International Conference on Code Quality (ICCQ)","status":"public","abstract":[{"lang":"eng","text":"As one of the most popular programming languages, PYTHON has become a relevant target language for static analysis tools. The primary data structure for performing an inter-procedural static analysis is the call-graph (CG), which links call sites to potential call targets in a program. There exist multiple algorithms for constructing callgraphs, tailored to specific languages. However, comparatively few implementations target PYTHON. Moreover, there is still a lack of empirical evidence as to how these few algorithms perform in terms of precision and recall. This paper thus presents EVAL_CG, an extensible framework for comparative analysis of Python call-graphs. We conducted two experiments which run the CG algorithms on different Python programming constructs and real-world applications. In both experiments, we evaluate three CG generation frameworks, namely Code2flow, Pyan, and Wala. We record precision, recall, and running time, and identify sources of unsoundness of each framework. Our evaluation shows that none of the current CG construction frameworks produce a sound CG. Moreover, the static CGs contain many spurious edges. Code2flow is also comparatively slow. 
Hence, further research is needed to support CG generation for Python programs."}],"date_created":"2021-08-12T14:00:54Z","author":[{"first_name":"Sriteja","id":"72582","full_name":"Kummita, Sriteja","last_name":"Kummita"},{"first_name":"Goran","full_name":"Piskachev, Goran","id":"41936","orcid":"0000-0003-4424-5838","last_name":"Piskachev"},{"first_name":"Johannes","last_name":"Spaeth","full_name":"Spaeth, Johannes"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","full_name":"Bodden, Eric","id":"59256"}],"date_updated":"2022-01-06T06:55:52Z","main_file_link":[{"url":"https://ieeexplore.ieee.org/document/9392986"}],"conference":{"location":"Virtual","start_date":"2021-03-27","name":"International Conference on Code Quality (ICCQ)"},"doi":"10.1109/ICCQ51190.2021.9392986","title":"Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON","publication_status":"published","publication_identifier":{"isbn":["978-1-7281-8477-7"]},"citation":{"apa":"Kummita, S., Piskachev, G., Spaeth, J., &#38; Bodden, E. (2021). Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON. In <i>Proceedings of the 2021 International Conference on Code Quality (ICCQ)</i>. Virtual. <a href=\"https://doi.org/10.1109/ICCQ51190.2021.9392986\">https://doi.org/10.1109/ICCQ51190.2021.9392986</a>","mla":"Kummita, Sriteja, et al. 
“Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON.” <i>Proceedings of the 2021 International Conference on Code Quality (ICCQ)</i>, 2021, doi:<a href=\"https://doi.org/10.1109/ICCQ51190.2021.9392986\">10.1109/ICCQ51190.2021.9392986</a>.","bibtex":"@inproceedings{Kummita_Piskachev_Spaeth_Bodden_2021, title={Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON}, DOI={<a href=\"https://doi.org/10.1109/ICCQ51190.2021.9392986\">10.1109/ICCQ51190.2021.9392986</a>}, booktitle={Proceedings of the 2021 International Conference on Code Quality (ICCQ)}, author={Kummita, Sriteja and Piskachev, Goran and Spaeth, Johannes and Bodden, Eric}, year={2021} }","short":"S. Kummita, G. Piskachev, J. Spaeth, E. Bodden, in: Proceedings of the 2021 International Conference on Code Quality (ICCQ), 2021.","ieee":"S. Kummita, G. Piskachev, J. Spaeth, and E. Bodden, “Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON,” in <i>Proceedings of the 2021 International Conference on Code Quality (ICCQ)</i>, Virtual, 2021.","chicago":"Kummita, Sriteja, Goran Piskachev, Johannes Spaeth, and Eric Bodden. “Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON.” In <i>Proceedings of the 2021 International Conference on Code Quality (ICCQ)</i>, 2021. <a href=\"https://doi.org/10.1109/ICCQ51190.2021.9392986\">https://doi.org/10.1109/ICCQ51190.2021.9392986</a>.","ama":"Kummita S, Piskachev G, Spaeth J, Bodden E. Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON. In: <i>Proceedings of the 2021 International Conference on Code Quality (ICCQ)</i>. ; 2021. 
doi:<a href=\"https://doi.org/10.1109/ICCQ51190.2021.9392986\">10.1109/ICCQ51190.2021.9392986</a>"},"year":"2021"},{"publication":"2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)","type":"conference","status":"public","department":[{"_id":"76"},{"_id":"662"}],"user_id":"15249","_id":"26407","language":[{"iso":"eng"}],"citation":{"apa":"Piskachev, G., Krishnamurthy, R., &#38; Bodden, E. (2021). SecuCheck: Engineering configurable taint analysis for software developers. <i>2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)</i>.","mla":"Piskachev, Goran, et al. “SecuCheck: Engineering Configurable Taint Analysis for Software Developers.” <i>2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)</i>, 2021.","short":"G. Piskachev, R. Krishnamurthy, E. Bodden, in: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021.","bibtex":"@inproceedings{Piskachev_Krishnamurthy_Bodden_2021, title={SecuCheck: Engineering configurable taint analysis for software developers}, booktitle={2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}, author={Piskachev, Goran and Krishnamurthy, Ranjith and Bodden, Eric}, year={2021} }","ama":"Piskachev G, Krishnamurthy R, Bodden E. SecuCheck: Engineering configurable taint analysis for software developers. In: <i>2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)</i>. ; 2021.","chicago":"Piskachev, Goran, Ranjith Krishnamurthy, and Eric Bodden. “SecuCheck: Engineering Configurable Taint Analysis for Software Developers.” In <i>2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)</i>, 2021.","ieee":"G. Piskachev, R. Krishnamurthy, and E. 
Bodden, “SecuCheck: Engineering configurable taint analysis for software developers,” 2021."},"year":"2021","author":[{"full_name":"Piskachev, Goran","id":"41936","orcid":"0000-0003-4424-5838","last_name":"Piskachev","first_name":"Goran"},{"first_name":"Ranjith","full_name":"Krishnamurthy, Ranjith","last_name":"Krishnamurthy"},{"id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"date_created":"2021-10-18T12:53:15Z","date_updated":"2022-10-20T12:44:31Z","title":"SecuCheck: Engineering configurable taint analysis for software developers"},{"extern":"1","language":[{"iso":"eng"}],"keyword":["Static Analysis","Static Analysis Results Interchange Format","SARIF","Static Analysis Server Protocol","SASP"],"user_id":"72582","_id":"23389","status":"public","abstract":[{"text":"Background - Software companies increasingly rely on static analysis tools to detect potential bugs and security vulnerabilities in their software products. In the past decade, more and more commercial and open-source static analysis tools have been developed and are maintained. Each tool comes with its own reporting format, preventing an easy integration of multiple analysis tools in a single interface, such as the Static Analysis Server Protocol (SASP). In 2017, a collaborative effort in industry, including Microsoft and GrammaTech, has proposed the Static Analysis Results Interchange Format (SARIF) to address this issue. 
SARIF is a standardized format in which static analysis warnings can be encoded, to allow the import and export of analysis reports between different tools.\r\nPurpose - This paper explains the SARIF format through examples and presents a proof of concept of the connector that allows the static analysis tool CogniCrypt to generate and export its results in SARIF format.\r\nDesign/Approach - We conduct a cross-sectional study between the SARIF format and CogniCrypt's output format before detailing the implementation of the connector. The study aims to find the components of interest in CogniCrypt that the SARIF export module can complete.\r\nOriginality/Value - The integration of SARIF into CogniCrypt described in this paper can be reused to integrate SARIF into other static analysis tools.\r\nConclusion - After detailing the SARIF format, we present an initial implementation to integrate SARIF into CogniCrypt. After taking advantage of all the features provided by SARIF, CogniCrypt will be able to support SASP.","lang":"eng"}],"type":"report","main_file_link":[{"url":"https://arxiv.org/abs/1907.02558"}],"title":"Integration of the Static Analysis Results Interchange Format in CogniCrypt","author":[{"first_name":"Sriteja","full_name":"Kummita, Sriteja","id":"72582","last_name":"Kummita"},{"first_name":"Goran","full_name":"Piskachev, Goran","id":"41936","orcid":"0000-0003-4424-5838","last_name":"Piskachev"}],"date_created":"2021-08-12T14:04:46Z","date_updated":"2022-01-06T06:55:52Z","citation":{"ieee":"S. Kummita and G. Piskachev, <i>Integration of the Static Analysis Results Interchange Format in CogniCrypt</i>. 2019.","chicago":"Kummita, Sriteja, and Goran Piskachev. <i>Integration of the Static Analysis Results Interchange Format in CogniCrypt</i>, 2019.","ama":"Kummita S, Piskachev G. <i>Integration of the Static Analysis Results Interchange Format in CogniCrypt</i>.; 2019.","apa":"Kummita, S., &#38; Piskachev, G. (2019). 
<i>Integration of the Static Analysis Results Interchange Format in CogniCrypt</i>.","short":"S. Kummita, G. Piskachev, Integration of the Static Analysis Results Interchange Format in CogniCrypt, 2019.","bibtex":"@book{Kummita_Piskachev_2019, title={Integration of the Static Analysis Results Interchange Format in CogniCrypt}, author={Kummita, Sriteja and Piskachev, Goran}, year={2019} }","mla":"Kummita, Sriteja, and Goran Piskachev. <i>Integration of the Static Analysis Results Interchange Format in CogniCrypt</i>. 2019."},"year":"2019"},{"_id":"20822","user_id":"5786","department":[{"_id":"76"},{"_id":"241"}],"language":[{"iso":"eng"}],"type":"report","abstract":[{"text":"Several examples of mechatronic systems can be found nowadays in modern cars, production systems, and medical technology. Day by day, the number of innovative functionalities in such mechatronic systems is increasing. These functionalities are realized with complex software. Such software exhibits hard real-time and safety requirements. The adherence to these requirements must be thoroughly analyzed and verified. Moreover, to obtain a significant increase in the reliability, performance, and efficiency of such software, it needs to maintain the self-adaptation of its properties. In order to develop such systems with a high quality and within a short time, we need a systematic and consistent design method. For this purpose, the software engineering group at the University of Paderborn and the Fraunhofer IEM in Paderborn propose the MechatronicUML method. This method provides comprehensive model-driven process support that starts from requirements and reaches the executable software after passing through several design and analysis steps. This process improves comprehension during development and makes complex systems manageable. 
MechatronicUML mainly emphasizes: (1) modeling and (formal) verification of reconfigurable software architectures, (2) the coordination among system components in such architectures, and (3) the integration of discrete software events with the continuous behavior of control devices.","lang":"eng"}],"status":"public","date_updated":"2022-01-06T06:54:40Z","author":[{"first_name":"Stefan","id":"3901","full_name":"Dziwok, Stefan","orcid":"http://orcid.org/0000-0002-8679-6673","last_name":"Dziwok"},{"last_name":"Pohlmann","full_name":"Pohlmann, Uwe","first_name":"Uwe"},{"last_name":"Piskachev","orcid":"0000-0003-4424-5838","full_name":"Piskachev, Goran","id":"41936","first_name":"Goran"},{"id":"9106","full_name":"Schubert, David","last_name":"Schubert","first_name":"David"},{"last_name":"Thiele","full_name":"Thiele, Sebastian","first_name":"Sebastian"},{"last_name":"Gerking","full_name":"Gerking, Christopher","first_name":"Christopher"}],"date_created":"2020-12-22T09:24:42Z","title":"The MechatronicUML Design Method: Process and Language for Platform-Independent Modeling","year":"2016","place":"Zukunftsmeile 1, 33102 Paderborn, Germany","citation":{"ieee":"S. Dziwok, U. Pohlmann, G. Piskachev, D. Schubert, S. Thiele, and C. Gerking, <i>The MechatronicUML Design Method: Process and Language for Platform-Independent Modeling</i>. Zukunftsmeile 1, 33102 Paderborn, Germany, 2016.","chicago":"Dziwok, Stefan, Uwe Pohlmann, Goran Piskachev, David Schubert, Sebastian Thiele, and Christopher Gerking. <i>The MechatronicUML Design Method: Process and Language for Platform-Independent Modeling</i>. Zukunftsmeile 1, 33102 Paderborn, Germany, 2016.","ama":"Dziwok S, Pohlmann U, Piskachev G, Schubert D, Thiele S, Gerking C. <i>The MechatronicUML Design Method: Process and Language for Platform-Independent Modeling</i>.; 2016.","apa":"Dziwok, S., Pohlmann, U., Piskachev, G., Schubert, D., Thiele, S., &#38; Gerking, C. (2016). 
<i>The MechatronicUML Design Method: Process and Language for Platform-Independent Modeling</i>.","mla":"Dziwok, Stefan, et al. <i>The MechatronicUML Design Method: Process and Language for Platform-Independent Modeling</i>. 2016.","short":"S. Dziwok, U. Pohlmann, G. Piskachev, D. Schubert, S. Thiele, C. Gerking, The MechatronicUML Design Method: Process and Language for Platform-Independent Modeling, Zukunftsmeile 1, 33102 Paderborn, Germany, 2016.","bibtex":"@book{Dziwok_Pohlmann_Piskachev_Schubert_Thiele_Gerking_2016, place={Zukunftsmeile 1, 33102 Paderborn, Germany}, title={The MechatronicUML Design Method: Process and Language for Platform-Independent Modeling}, author={Dziwok, Stefan and Pohlmann, Uwe and Piskachev, Goran and Schubert, David and Thiele, Sebastian and Gerking, Christopher}, year={2016} }"}},{"status":"public","type":"report","language":[{"iso":"eng"}],"_id":"20832","user_id":"5786","department":[{"_id":"76"}],"year":"2015","citation":{"ieee":"W. Schäfer <i>et al.</i>, <i>Seminar Theses of the Project Group Cybertron</i>. 2015.","chicago":"Schäfer, Wilhelm, Stefan Dziwok, Uwe Pohlmann, Jan Bobolz, Mike Czech, Andreas Peter Dann, Johannes Geismann, et al. <i>Seminar Theses of the Project Group Cybertron</i>, 2015.","ama":"Schäfer W, Dziwok S, Pohlmann U, et al. <i>Seminar Theses of the Project Group Cybertron</i>.; 2015.","apa":"Schäfer, W., Dziwok, S., Pohlmann, U., Bobolz, J., Czech, M., Dann, A. P., Geismann, J., Hüwe, M., Krieger, A., Piskachev, G., Schubert, D., &#38; Wohlrab, R. (2015). 
<i>Seminar Theses of the Project Group Cybertron</i>.","bibtex":"@book{Schäfer_Dziwok_Pohlmann_Bobolz_Czech_Dann_Geismann_Hüwe_Krieger_Piskachev_et al._2015, title={Seminar Theses of the Project Group Cybertron}, author={Schäfer, Wilhelm and Dziwok, Stefan and Pohlmann, Uwe and Bobolz, Jan and Czech, Mike and Dann, Andreas Peter and Geismann, Johannes and Hüwe, Marcus and Krieger, Arthur and Piskachev, Goran and et al.}, year={2015} }","mla":"Schäfer, Wilhelm, et al. <i>Seminar Theses of the Project Group Cybertron</i>. 2015.","short":"W. Schäfer, S. Dziwok, U. Pohlmann, J. Bobolz, M. Czech, A.P. Dann, J. Geismann, M. Hüwe, A. Krieger, G. Piskachev, D. Schubert, R. Wohlrab, Seminar Theses of the Project Group Cybertron, 2015."},"title":"Seminar Theses of the Project Group Cybertron","date_updated":"2022-01-06T06:54:40Z","date_created":"2020-12-22T10:03:05Z","author":[{"first_name":"Wilhelm","full_name":"Schäfer, Wilhelm","last_name":"Schäfer"},{"first_name":"Stefan","last_name":"Dziwok","orcid":"http://orcid.org/0000-0002-8679-6673","full_name":"Dziwok, Stefan","id":"3901"},{"first_name":"Uwe","full_name":"Pohlmann, Uwe","last_name":"Pohlmann"},{"first_name":"Jan","last_name":"Bobolz","full_name":"Bobolz, Jan","id":"27207"},{"last_name":"Czech","full_name":"Czech, Mike","first_name":"Mike"},{"first_name":"Andreas Peter","full_name":"Dann, Andreas Peter","id":"26886","last_name":"Dann"},{"full_name":"Geismann, Johannes","id":"20063","last_name":"Geismann","orcid":"https://orcid.org/0000-0003-2015-2047","first_name":"Johannes"},{"last_name":"Hüwe","id":"13606","full_name":"Hüwe, Marcus","first_name":"Marcus"},{"first_name":"Arthur","full_name":"Krieger, Arthur","last_name":"Krieger"},{"full_name":"Piskachev, Goran","id":"41936","last_name":"Piskachev","orcid":"0000-0003-4424-5838","first_name":"Goran"},{"id":"9106","full_name":"Schubert, David","last_name":"Schubert","first_name":"David"},{"full_name":"Wohlrab, Rebekka","last_name":"Wohlrab","first_name":"Rebekka"}]}]
