---
_id: '53958'
abstract:
- lang: eng
  text: "To detect security vulnerabilities, static analysis tools need to be configured
    with security-relevant methods. Current approaches can automatically identify
    such methods using binary relevance machine learning approaches. However, they
    ignore dependencies among security-relevant methods, over-generalize and perform
    poorly in practice. Additionally, users nevertheless have to manually configure
    static analysis tools using the detected methods. Based on feedback from users
    and our observations, the excessive manual steps can often be tedious, error-prone
    and counter-intuitive.\r\n In this paper, we present Dev-Assist, an IntelliJ IDEA
    plugin that detects security-relevant methods using a multi-label machine learning
    approach that considers dependencies among labels. The plugin can automatically
    generate configurations for static analysis tools, run the static analysis, and
    show the results in IntelliJ IDEA. Our experiments reveal that Dev-Assist's machine
    learning approach has a higher F1-Measure than related approaches. Moreover, the
    plugin reduces and simplifies the manual effort required when configuring and
    using static analysis tools."
author:
- first_name: Oshando
  full_name: Johnson, Oshando
  id: '66583'
  last_name: Johnson
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Ranjith
  full_name: Krishnamurthy, Ranjith
  id: '78060'
  last_name: Krishnamurthy
  orcid: 0000-0002-0906-5463
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Johnson O, Piskachev G, Krishnamurthy R, Bodden E. Detecting Security-Relevant
    Methods using Multi-label Machine Learning. In: <i>Proceedings of the 46th International
    Conference on Software Engineering, IDE Workshop</i>. ; 2024. doi:<a href="https://doi.org/10.48550/ARXIV.2403.07501">10.48550/ARXIV.2403.07501</a>'
  apa: Johnson, O., Piskachev, G., Krishnamurthy, R., &#38; Bodden, E. (2024). Detecting
    Security-Relevant Methods using Multi-label Machine Learning. <i>Proceedings of
    the 46th International Conference on Software Engineering, IDE Workshop</i>. <a
    href="https://doi.org/10.48550/ARXIV.2403.07501">https://doi.org/10.48550/ARXIV.2403.07501</a>
  bibtex: '@inproceedings{Johnson_Piskachev_Krishnamurthy_Bodden_2024, title={Detecting
    Security-Relevant Methods using Multi-label Machine Learning}, DOI={<a href="https://doi.org/10.48550/ARXIV.2403.07501">10.48550/ARXIV.2403.07501</a>},
    booktitle={Proceedings of the 46th International Conference on Software Engineering,
    IDE Workshop}, author={Johnson, Oshando and Piskachev, Goran and Krishnamurthy,
    Ranjith and Bodden, Eric}, year={2024} }'
  chicago: Johnson, Oshando, Goran Piskachev, Ranjith Krishnamurthy, and Eric Bodden.
    “Detecting Security-Relevant Methods Using Multi-Label Machine Learning.” In <i>Proceedings
    of the 46th International Conference on Software Engineering, IDE Workshop</i>,
    2024. <a href="https://doi.org/10.48550/ARXIV.2403.07501">https://doi.org/10.48550/ARXIV.2403.07501</a>.
  ieee: 'O. Johnson, G. Piskachev, R. Krishnamurthy, and E. Bodden, “Detecting Security-Relevant
    Methods using Multi-label Machine Learning,” 2024, doi: <a href="https://doi.org/10.48550/ARXIV.2403.07501">10.48550/ARXIV.2403.07501</a>.'
  mla: Johnson, Oshando, et al. “Detecting Security-Relevant Methods Using Multi-Label
    Machine Learning.” <i>Proceedings of the 46th International Conference on Software
    Engineering, IDE Workshop</i>, 2024, doi:<a href="https://doi.org/10.48550/ARXIV.2403.07501">10.48550/ARXIV.2403.07501</a>.
  short: 'O. Johnson, G. Piskachev, R. Krishnamurthy, E. Bodden, in: Proceedings of
    the 46th International Conference on Software Engineering, IDE Workshop, 2024.'
date_created: 2024-05-06T11:43:19Z
date_updated: 2024-05-06T11:47:14Z
department:
- _id: '76'
- _id: '662'
doi: 10.48550/ARXIV.2403.07501
language:
- iso: eng
publication: Proceedings of the 46th International Conference on Software Engineering,
  IDE Workshop
status: public
title: Detecting Security-Relevant Methods using Multi-label Machine Learning
type: conference
user_id: '15249'
year: '2024'
...
---
_id: '49439'
abstract:
- lang: eng
  text: The use of static analysis security
    testing (SAST) tools has been increasing in recent years. However, previous studies
    have shown that, when shipped to end users such as development or security teams,
    the findings of these tools are often unsatisfying. Users report high numbers
    of false positives or long analysis times, making the tools unusable in the daily
    workflow. To address this, SAST tool creators provide a wide range of configuration
    options, such as customization of rules through domain-specific languages or specification
    of the application-specific analysis scope. In this paper, we study the configuration
    space of selected existing SAST tools when used within the integrated development
    environment (IDE). We focus on the configuration options that impact three dimensions,
    for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime.
    We perform a between-subjects user study with 40 users from multiple development
    and security teams - to our knowledge, the largest population for this kind of
    user study in the software engineering community. The results show that users
    who configure SAST tools are more effective in resolving security vulnerabilities
    detected by the tools than those using the default configuration. Based on post-study
    interviews, we identify common strategies that users have while configuring the
    SAST tools to provide further insights for tool creators. Finally, an evaluation
    of the configuration options of two commercial SAST tools, Fortify
    and CheckMarx, reveals that a quarter of the users do not understand
    the configuration options provided. The configuration options that are found most
    useful relate to the analysis scope.
article_number: '118'
author:
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Matthias
  full_name: Becker, Matthias
  id: '4870'
  last_name: Becker
  orcid: https://orcid.org/0000-0003-2465-9347
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make
    resolving security vulnerabilities more effective? - A user study. <i>Empirical
    Software Engineering</i>. 2023;28(5). doi:<a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>
  apa: Piskachev, G., Becker, M., &#38; Bodden, E. (2023). Can the configuration of
    static analyses make resolving security vulnerabilities more effective? - A user
    study. <i>Empirical Software Engineering</i>, <i>28</i>(5), Article 118. <a href="https://doi.org/10.1007/s10664-023-10354-3">https://doi.org/10.1007/s10664-023-10354-3</a>
  bibtex: '@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of
    static analyses make resolving security vulnerabilities more effective? - A user
    study}, volume={28}, DOI={<a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>},
    number={5}, journal={Empirical Software Engineering}, publisher={Springer Science
    and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden,
    Eric}, year={2023} }'
  chicago: Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration
    of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A
    User Study.” <i>Empirical Software Engineering</i> 28, no. 5 (2023). <a href="https://doi.org/10.1007/s10664-023-10354-3">https://doi.org/10.1007/s10664-023-10354-3</a>.
  ieee: 'G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static
    analyses make resolving security vulnerabilities more effective? - A user study,”
    <i>Empirical Software Engineering</i>, vol. 28, no. 5, Art. no. 118, 2023, doi:
    <a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>.'
  mla: Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving
    Security Vulnerabilities More Effective? - A User Study.” <i>Empirical Software
    Engineering</i>, vol. 28, no. 5, 118, Springer Science and Business Media LLC,
    2023, doi:<a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>.
  short: G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023).
date_created: 2023-12-04T11:14:34Z
date_updated: 2023-12-04T11:29:49Z
department:
- _id: '76'
- _id: '662'
doi: 10.1007/s10664-023-10354-3
intvolume: '        28'
issue: '5'
keyword:
- Software
language:
- iso: eng
publication: Empirical Software Engineering
publication_identifier:
  issn:
  - 1382-3256
  - 1573-7616
publication_status: published
publisher: Springer Science and Business Media LLC
status: public
title: Can the configuration of static analyses make resolving security vulnerabilities
  more effective? - A user study
type: journal_article
user_id: '15249'
volume: 28
year: '2023'
...
---
_id: '41812'
author:
- first_name: Linghui
  full_name: Luo, Linghui
  last_name: Luo
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Ranjith
  full_name: Krishnamurthy, Ranjith
  id: '78060'
  last_name: Krishnamurthy
  orcid: 0000-0002-0906-5463
- first_name: Julian
  full_name: Dolby, Julian
  last_name: Dolby
- first_name: Martin
  full_name: Schäf, Martin
  last_name: Schäf
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Luo L, Piskachev G, Krishnamurthy R, Dolby J, Schäf M, Bodden E. Model Generation
    For Java Frameworks. In: <i>IEEE International Conference on Software Testing,
    Verification and Validation (ICST)</i>. ; 2023.'
  apa: Luo, L., Piskachev, G., Krishnamurthy, R., Dolby, J., Schäf, M., &#38; Bodden,
    E. (2023). Model Generation For Java Frameworks. <i>IEEE International Conference
    on Software Testing, Verification and Validation (ICST)</i>.
  bibtex: '@inproceedings{Luo_Piskachev_Krishnamurthy_Dolby_Schäf_Bodden_2023, title={Model
    Generation For Java Frameworks}, booktitle={IEEE International Conference on Software
    Testing, Verification and Validation (ICST)}, author={Luo, Linghui and Piskachev,
    Goran and Krishnamurthy, Ranjith and Dolby, Julian and Schäf, Martin and Bodden,
    Eric}, year={2023} }'
  chicago: Luo, Linghui, Goran Piskachev, Ranjith Krishnamurthy, Julian Dolby, Martin
    Schäf, and Eric Bodden. “Model Generation For Java Frameworks.” In <i>IEEE International
    Conference on Software Testing, Verification and Validation (ICST)</i>, 2023.
  ieee: L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, and E. Bodden,
    “Model Generation For Java Frameworks,” 2023.
  mla: Luo, Linghui, et al. “Model Generation For Java Frameworks.” <i>IEEE International
    Conference on Software Testing, Verification and Validation (ICST)</i>, 2023.
  short: 'L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, E. Bodden, in:
    IEEE International Conference on Software Testing, Verification and Validation
    (ICST), 2023.'
date_created: 2023-02-06T10:37:23Z
date_updated: 2025-04-07T10:15:08Z
department:
- _id: '76'
- _id: '662'
language:
- iso: eng
publication: IEEE International Conference on Software Testing, Verification and Validation
  (ICST)
status: public
title: Model Generation For Java Frameworks
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '33836'
author:
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Johannes
  full_name: Späth, Johannes
  last_name: Späth
- first_name: Ingo
  full_name: Budde, Ingo
  id: '13693'
  last_name: Budde
  orcid: https://orcid.org/0000-0003-0124-6291
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Piskachev G, Späth J, Budde I, Bodden E. Fluently specifying taint-flow queries
    with fluentTQL. <i>Empirical Software Engineering</i>. 2022;27(5):1–33.
  apa: Piskachev, G., Späth, J., Budde, I., &#38; Bodden, E. (2022). Fluently specifying
    taint-flow queries with fluentTQL. <i>Empirical Software Engineering</i>, <i>27</i>(5),
    1–33.
  bibtex: '@article{Piskachev_Späth_Budde_Bodden_2022, title={Fluently specifying
    taint-flow queries with fluentTQL}, volume={27}, number={5}, journal={Empirical
    Software Engineering}, publisher={Springer}, author={Piskachev, Goran and Späth,
    Johannes and Budde, Ingo and Bodden, Eric}, year={2022}, pages={1–33} }'
  chicago: 'Piskachev, Goran, Johannes Späth, Ingo Budde, and Eric Bodden. “Fluently
    Specifying Taint-Flow Queries with FluentTQL.” <i>Empirical Software Engineering</i>
    27, no. 5 (2022): 1–33.'
  ieee: G. Piskachev, J. Späth, I. Budde, and E. Bodden, “Fluently specifying taint-flow
    queries with fluentTQL,” <i>Empirical Software Engineering</i>, vol. 27, no. 5,
    pp. 1–33, 2022.
  mla: Piskachev, Goran, et al. “Fluently Specifying Taint-Flow Queries with FluentTQL.”
    <i>Empirical Software Engineering</i>, vol. 27, no. 5, Springer, 2022, pp. 1–33.
  short: G. Piskachev, J. Späth, I. Budde, E. Bodden, Empirical Software Engineering
    27 (2022) 1–33.
date_created: 2022-10-20T12:34:04Z
date_updated: 2022-10-20T12:36:23Z
department:
- _id: '76'
- _id: '662'
intvolume: '        27'
issue: '5'
language:
- iso: eng
page: 1–33
publication: Empirical Software Engineering
publisher: Springer
status: public
title: Fluently specifying taint-flow queries with fluentTQL
type: journal_article
user_id: '15249'
volume: 27
year: '2022'
...
---
_id: '33838'
author:
- first_name: Ranjith
  full_name: Krishnamurthy, Ranjith
  id: '78060'
  last_name: Krishnamurthy
  orcid: 0000-0002-0906-5463
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Krishnamurthy R, Piskachev G, Bodden E. To what extent can we analyze Kotlin
    programs using existing Java taint analysis tools? Published online 2022.
  apa: Krishnamurthy, R., Piskachev, G., &#38; Bodden, E. (2022). <i>To what extent
    can we analyze Kotlin programs using existing Java taint analysis tools?</i>
  bibtex: '@article{Krishnamurthy_Piskachev_Bodden_2022, series={IEEE International
    Working Conference on Source Code Analysis and Manipulation (SCAM)}, title={To
    what extent can we analyze Kotlin programs using existing Java taint analysis
    tools?}, author={Krishnamurthy, Ranjith and Piskachev, Goran and Bodden, Eric},
    year={2022}, collection={IEEE International Working Conference on Source Code
    Analysis and Manipulation (SCAM)} }'
  chicago: Krishnamurthy, Ranjith, Goran Piskachev, and Eric Bodden. “To What Extent
    Can We Analyze Kotlin Programs Using Existing Java Taint Analysis Tools?” IEEE
    International Working Conference on Source Code Analysis and Manipulation (SCAM),
    2022.
  ieee: R. Krishnamurthy, G. Piskachev, and E. Bodden, “To what extent can we analyze
    Kotlin programs using existing Java taint analysis tools?” 2022.
  mla: Krishnamurthy, Ranjith, et al. <i>To What Extent Can We Analyze Kotlin Programs
    Using Existing Java Taint Analysis Tools?</i> 2022.
  short: R. Krishnamurthy, G. Piskachev, E. Bodden, (2022).
date_created: 2022-10-20T12:38:09Z
date_updated: 2022-10-20T12:38:32Z
department:
- _id: '76'
- _id: '662'
language:
- iso: eng
series_title: IEEE International Working Conference on Source Code Analysis and Manipulation
  (SCAM)
status: public
title: To what extent can we analyze Kotlin programs using existing Java taint analysis
  tools?
type: conference
user_id: '15249'
year: '2022'
...
---
_id: '33837'
author:
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Stefan
  full_name: Dziwok, Stefan
  id: '3901'
  last_name: Dziwok
  orcid: http://orcid.org/0000-0002-8679-6673
- first_name: Thorsten
  full_name: Koch, Thorsten
  id: '13616'
  last_name: Koch
- first_name: Sven
  full_name: Merschjohann, Sven
  id: '11394'
  last_name: Merschjohann
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Piskachev G, Dziwok S, Koch T, Merschjohann S, Bodden E. How far are German
    companies in improving security through static program analysis tools? Published
    online 2022.
  apa: Piskachev, G., Dziwok, S., Koch, T., Merschjohann, S., &#38; Bodden, E. (2022).
    <i>How far are German companies in improving security through static program analysis
    tools?</i>
  bibtex: '@article{Piskachev_Dziwok_Koch_Merschjohann_Bodden_2022, series={IEEE Secure
    Development Conference (SecDev)}, title={How far are German companies in improving
    security through static program analysis tools?}, author={Piskachev, Goran and
    Dziwok, Stefan and Koch, Thorsten and Merschjohann, Sven and Bodden, Eric}, year={2022},
    collection={IEEE Secure Development Conference (SecDev)} }'
  chicago: Piskachev, Goran, Stefan Dziwok, Thorsten Koch, Sven Merschjohann, and
    Eric Bodden. “How Far Are German Companies in Improving Security through Static
    Program Analysis Tools?” IEEE Secure Development Conference (SecDev), 2022.
  ieee: G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, and E. Bodden, “How far
    are German companies in improving security through static program analysis tools?”
    2022.
  mla: Piskachev, Goran, et al. <i>How Far Are German Companies in Improving Security
    through Static Program Analysis Tools?</i> 2022.
  short: G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, E. Bodden, (2022).
date_created: 2022-10-20T12:37:14Z
date_updated: 2022-10-20T12:37:44Z
department:
- _id: '76'
- _id: '662'
language:
- iso: eng
series_title: IEEE Secure Development Conference (SecDev)
status: public
title: How far are German companies in improving security through static program analysis
  tools?
type: conference
user_id: '15249'
year: '2022'
...
---
_id: '27045'
abstract:
- lang: eng
  text: 'Due to the lack of established real-world benchmark suites for static taint
    analyses of Android applications, evaluations of these analyses are often restricted
    and hard to compare. Even in evaluations that do use real-world apps, details
    about the ground truth in those apps are rarely documented, which makes it difficult
    to compare and reproduce the results. To push Android taint analysis research
    forward, this paper thus recommends criteria for constructing real-world benchmark
    suites for this specific domain, and presents TaintBench, the first real-world
    malware benchmark suite with documented taint flows. TaintBench benchmark apps
    include taint flows with complex structures, and address static challenges that
    are commonly agreed on by the community. Together with the TaintBench suite, we
    introduce the TaintBench framework, whose goal is to simplify real-world benchmarking
    of Android taint analyses. First, a usability test shows that the framework improves
    experts’ performance and perceived usability when documenting and inspecting taint
    flows. Second, experiments using TaintBench reveal new insights for the taint
    analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world
    malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources
    and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions
    of both tools are less accurate than their predecessors.'
author:
- first_name: Linghui
  full_name: Luo, Linghui
  last_name: Luo
- first_name: Felix
  full_name: Pauck, Felix
  id: '22398'
  last_name: Pauck
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Manuel
  full_name: Benz, Manuel
  last_name: Benz
- first_name: Ivan
  full_name: Pashchenko, Ivan
  last_name: Pashchenko
- first_name: Martin
  full_name: Mory, Martin
  id: '65667'
  last_name: Mory
  orcid: 0000-0001-5609-0031
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Ben
  full_name: Hermann, Ben
  id: '66173'
  last_name: Hermann
  orcid: 0000-0001-9848-2017
- first_name: Fabio
  full_name: Massacci, Fabio
  last_name: Massacci
citation:
  ama: 'Luo L, Pauck F, Piskachev G, et al. TaintBench: Automatic real-world malware
    benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>.
    Published online 2021. doi:<a href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>'
  apa: 'Luo, L., Pauck, F., Piskachev, G., Benz, M., Pashchenko, I., Mory, M., Bodden,
    E., Hermann, B., &#38; Massacci, F. (2021). TaintBench: Automatic real-world malware
    benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>.
    <a href="https://doi.org/10.1007/s10664-021-10013-5">https://doi.org/10.1007/s10664-021-10013-5</a>'
  bibtex: '@article{Luo_Pauck_Piskachev_Benz_Pashchenko_Mory_Bodden_Hermann_Massacci_2021,
    title={TaintBench: Automatic real-world malware benchmarking of Android taint
    analyses}, DOI={<a href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>},
    journal={Empirical Software Engineering}, author={Luo, Linghui and Pauck, Felix
    and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and
    Bodden, Eric and Hermann, Ben and Massacci, Fabio}, year={2021} }'
  chicago: 'Luo, Linghui, Felix Pauck, Goran Piskachev, Manuel Benz, Ivan Pashchenko,
    Martin Mory, Eric Bodden, Ben Hermann, and Fabio Massacci. “TaintBench: Automatic
    Real-World Malware Benchmarking of Android Taint Analyses.” <i>Empirical Software
    Engineering</i>, 2021. <a href="https://doi.org/10.1007/s10664-021-10013-5">https://doi.org/10.1007/s10664-021-10013-5</a>.'
  ieee: 'L. Luo <i>et al.</i>, “TaintBench: Automatic real-world malware benchmarking
    of Android taint analyses,” <i>Empirical Software Engineering</i>, 2021, doi:
    <a href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>.'
  mla: 'Luo, Linghui, et al. “TaintBench: Automatic Real-World Malware Benchmarking
    of Android Taint Analyses.” <i>Empirical Software Engineering</i>, 2021, doi:<a
    href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>.'
  short: L. Luo, F. Pauck, G. Piskachev, M. Benz, I. Pashchenko, M. Mory, E. Bodden,
    B. Hermann, F. Massacci, Empirical Software Engineering (2021).
date_created: 2021-11-02T05:13:49Z
date_updated: 2022-01-06T06:57:32Z
ddc:
- '000'
department:
- _id: '77'
- _id: '76'
doi: 10.1007/s10664-021-10013-5
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://link.springer.com/content/pdf/10.1007/s10664-021-10013-5.pdf
oa: '1'
project:
- _id: '1'
  name: SFB 901
- _id: '3'
  name: SFB 901 - Project Area B
- _id: '12'
  name: SFB 901 - Subproject B4
publication: Empirical Software Engineering
publication_identifier:
  issn:
  - 1382-3256
  - 1573-7616
publication_status: published
status: public
title: 'TaintBench: Automatic real-world malware benchmarking of Android taint analyses'
type: journal_article
user_id: '15249'
year: '2021'
...
---
_id: '23388'
abstract:
- lang: eng
  text: As one of the most popular programming languages, PYTHON has become a relevant
    target language for static analysis tools. The primary data structure for performing
    an inter-procedural static analysis is call-graph (CG), which links call sites
    to potential call targets in a program. There exist multiple algorithms for constructing
    callgraphs, tailored to specific languages. However, comparatively few implementations
    target PYTHON. Moreover, there is still a lack of empirical evidence as to how these
    few algorithms perform in terms of precision and recall. This paper thus presents
    EVAL_CG, an extensible framework for comparative analysis of Python call-graphs.
    We conducted two experiments which run the CG algorithms on different Python programming
    constructs and real-world applications. In both experiments, we evaluate three
    CG generation frameworks, namely Code2flow, Pyan, and Wala. We record precision,
    recall, and running time, and identify sources of unsoundness of each framework.
    Our evaluation shows that none of the current CG construction frameworks produce
    a sound CG. Moreover, the static CGs contain many spurious edges. Code2flow is
    also comparatively slow. Hence, further research is needed to support CG generation
    for Python programs.
author:
- first_name: Sriteja
  full_name: Kummita, Sriteja
  id: '72582'
  last_name: Kummita
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Johannes
  full_name: Spaeth, Johannes
  last_name: Spaeth
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Kummita S, Piskachev G, Spaeth J, Bodden E. Qualitative and Quantitative Analysis
    of Callgraph Algorithms for PYTHON. In: <i>Proceedings of the 2021 International
    Conference on Code Quality (ICCQ)</i>. ; 2021. doi:<a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">10.1109/ICCQ51190.2021.9392986</a>'
  apa: Kummita, S., Piskachev, G., Spaeth, J., &#38; Bodden, E. (2021). Qualitative
    and Quantitative Analysis of Callgraph Algorithms for PYTHON. In <i>Proceedings
    of the 2021 International Conference on Code Quality (ICCQ)</i>. Virtual. <a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">https://doi.org/10.1109/ICCQ51190.2021.9392986</a>
  bibtex: '@inproceedings{Kummita_Piskachev_Spaeth_Bodden_2021, title={Qualitative
    and Quantitative Analysis of Callgraph Algorithms for PYTHON}, DOI={<a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">10.1109/ICCQ51190.2021.9392986</a>},
    booktitle={Proceedings of the 2021 International Conference on Code Quality (ICCQ)},
    author={Kummita, Sriteja and Piskachev, Goran and Spaeth, Johannes and Bodden,
    Eric}, year={2021} }'
  chicago: Kummita, Sriteja, Goran Piskachev, Johannes Spaeth, and Eric Bodden. “Qualitative
    and Quantitative Analysis of Callgraph Algorithms for PYTHON.” In <i>Proceedings
    of the 2021 International Conference on Code Quality (ICCQ)</i>, 2021. <a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">https://doi.org/10.1109/ICCQ51190.2021.9392986</a>.
  ieee: S. Kummita, G. Piskachev, J. Spaeth, and E. Bodden, “Qualitative and Quantitative
    Analysis of Callgraph Algorithms for PYTHON,” in <i>Proceedings of the 2021 International
    Conference on Code Quality (ICCQ)</i>, Virtual, 2021.
  mla: Kummita, Sriteja, et al. “Qualitative and Quantitative Analysis of Callgraph
    Algorithms for PYTHON.” <i>Proceedings of the 2021 International Conference on
    Code Quality (ICCQ)</i>, 2021, doi:<a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">10.1109/ICCQ51190.2021.9392986</a>.
  short: 'S. Kummita, G. Piskachev, J. Spaeth, E. Bodden, in: Proceedings of the 2021
    International Conference on Code Quality (ICCQ), 2021.'
conference:
  location: Virtual
  name: International Conference on Code Quality (ICCQ)
  start_date: 2021-03-27
date_created: 2021-08-12T14:00:54Z
date_updated: 2022-01-06T06:55:52Z
doi: 10.1109/ICCQ51190.2021.9392986
keyword:
- Static Analysis
- Callgraph Analysis
- Python
- Qualitative Analysis
- Quantitative Analysis
- Empirical Evaluation
language:
- iso: eng
main_file_link:
- url: https://ieeexplore.ieee.org/document/9392986
publication: Proceedings of the 2021 International Conference on Code Quality (ICCQ)
publication_identifier:
  isbn:
  - 978-1-7281-8477-7
publication_status: published
status: public
title: Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON
type: conference
user_id: '72582'
year: '2021'
...
---
_id: '26407'
author:
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Ranjith
  full_name: Krishnamurthy, Ranjith
  last_name: Krishnamurthy
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Piskachev G, Krishnamurthy R, Bodden E. SecuCheck: Engineering configurable
    taint analysis for software developers. In: <i>2021 IEEE 21st International Working
    Conference on Source Code Analysis and Manipulation (SCAM)</i>. ; 2021.'
  apa: 'Piskachev, G., Krishnamurthy, R., &#38; Bodden, E. (2021). SecuCheck: Engineering
    configurable taint analysis for software developers. <i>2021 IEEE 21st International
    Working Conference on Source Code Analysis and Manipulation (SCAM)</i>.'
  bibtex: '@inproceedings{Piskachev_Krishnamurthy_Bodden_2021, title={SecuCheck: Engineering
    configurable taint analysis for software developers}, booktitle={2021 IEEE 21st
    International Working Conference on Source Code Analysis and Manipulation (SCAM)},
    author={Piskachev, Goran and Krishnamurthy, Ranjith and Bodden, Eric}, year={2021}
    }'
  chicago: 'Piskachev, Goran, Ranjith Krishnamurthy, and Eric Bodden. “SecuCheck:
    Engineering Configurable Taint Analysis for Software Developers.” In <i>2021 IEEE
    21st International Working Conference on Source Code Analysis and Manipulation
    (SCAM)</i>, 2021.'
  ieee: 'G. Piskachev, R. Krishnamurthy, and E. Bodden, “SecuCheck: Engineering configurable
    taint analysis for software developers,” 2021.'
  mla: 'Piskachev, Goran, et al. “SecuCheck: Engineering Configurable Taint Analysis
    for Software Developers.” <i>2021 IEEE 21st International Working Conference on
    Source Code Analysis and Manipulation (SCAM)</i>, 2021.'
  short: 'G. Piskachev, R. Krishnamurthy, E. Bodden, in: 2021 IEEE 21st International
    Working Conference on Source Code Analysis and Manipulation (SCAM), 2021.'
date_created: 2021-10-18T12:53:15Z
date_updated: 2022-10-20T12:44:31Z
department:
- _id: '76'
- _id: '662'
language:
- iso: eng
publication: 2021 IEEE 21st International Working Conference on Source Code Analysis
  and Manipulation (SCAM)
status: public
title: 'SecuCheck: Engineering configurable taint analysis for software developers'
type: conference
user_id: '15249'
year: '2021'
...
---
_id: '23389'
abstract:
- lang: eng
  text: "Background - Software companies increasingly rely on static analysis tools
    to detect potential bugs and security vulnerabilities in their software products.
    In the past decade, more and more commercial and open-source static analysis tools
    have been developed and are maintained. Each tool comes with its own reporting
    format, preventing an easy integration of multiple analysis tools in a single
    interface, such as the Static Analysis Server Protocol (SASP). In 2017, a collaborative
    effort in industry, including Microsoft and GrammaTech, proposed the Static
    Analysis Results Interchange Format (SARIF) to address this issue. SARIF is a
    standardized format in which static analysis warnings can be encoded, to allow
    the import and export of analysis reports between different tools.\r\nPurpose
    - This paper explains the SARIF format through examples and presents a proof of
    concept of the connector that allows the static analysis tool CogniCrypt to generate
    and export its results in SARIF format.\r\nDesign/Approach - We conduct a cross-sectional
    study between the SARIF format and CogniCrypt's output format before detailing
    the implementation of the connector. The study aims to find the components of
    interest in CogniCrypt that the SARIF export module can complete.\r\nOriginality/Value
    - The integration of SARIF into CogniCrypt described in this paper can be reused
    to integrate SARIF into other static analysis tools.\r\nConclusion - After detailing
    the SARIF format, we present an initial implementation to integrate SARIF into
    CogniCrypt. After taking advantage of all the features provided by SARIF, CogniCrypt
    will be able to support SASP."
author:
- first_name: Sriteja
  full_name: Kummita, Sriteja
  id: '72582'
  last_name: Kummita
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
citation:
  ama: Kummita S, Piskachev G. <i>Integration of the Static Analysis Results Interchange
    Format in CogniCrypt</i>.; 2019.
  apa: Kummita, S., &#38; Piskachev, G. (2019). <i>Integration of the Static Analysis
    Results Interchange Format in CogniCrypt</i>.
  bibtex: '@book{Kummita_Piskachev_2019, title={Integration of the Static Analysis
    Results Interchange Format in CogniCrypt}, author={Kummita, Sriteja and Piskachev,
    Goran}, year={2019} }'
  chicago: Kummita, Sriteja, and Goran Piskachev. <i>Integration of the Static Analysis
    Results Interchange Format in CogniCrypt</i>, 2019.
  ieee: S. Kummita and G. Piskachev, <i>Integration of the Static Analysis Results
    Interchange Format in CogniCrypt</i>. 2019.
  mla: Kummita, Sriteja, and Goran Piskachev. <i>Integration of the Static Analysis
    Results Interchange Format in CogniCrypt</i>. 2019.
  short: S. Kummita, G. Piskachev, Integration of the Static Analysis Results Interchange
    Format in CogniCrypt, 2019.
date_created: 2021-08-12T14:04:46Z
date_updated: 2022-01-06T06:55:52Z
extern: '1'
keyword:
- Static Analysis
- Static Analysis Results Interchange Format
- SARIF
- Static Analysis Server Protocol
- SASP
language:
- iso: eng
main_file_link:
- url: https://arxiv.org/abs/1907.02558
status: public
title: Integration of the Static Analysis Results Interchange Format in CogniCrypt
type: report
user_id: '72582'
year: '2019'
...
---
_id: '20822'
abstract:
- lang: eng
  text: 'Several examples of mechatronic systems can be found nowadays in modern cars,
    production systems, and medical technology. Day by day, the number of innovative
    functionalities in such mechatronic systems is increasing. These functionalities
    are realized with complex software. Such software exhibits hard real-time and safety
    requirements. The adherence to these requirements must be thoroughly analyzed
    and verified. Moreover, to obtain a significant increment in the reliability,
    performance, and efficiency of such software, it needs to maintain the self-adaptation
    of its properties. In order to develop such systems with a high quality and within
    a short time, we need a systematic and consistent design method. For this purpose,
    the software engineering group at the University of Paderborn and the Fraunhofer
    IEM in Paderborn propose the MechatronicUML method. This method provides comprehensive
    model-driven process support that starts from requirements and reaches the executable
    software after passing through several design and analysis steps. This process
    improves the comprehension during development and makes complex systems manageable.
    MechatronicUML focuses mainly on: (1) modeling and (formal) verification of
    reconfigurable software architectures, (2) the coordination among system components
    in such architectures, and (3) the integration of discrete software events with
    the continuous behavior of control devices.'
author:
- first_name: Stefan
  full_name: Dziwok, Stefan
  id: '3901'
  last_name: Dziwok
  orcid: http://orcid.org/0000-0002-8679-6673
- first_name: Uwe
  full_name: Pohlmann, Uwe
  last_name: Pohlmann
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: David
  full_name: Schubert, David
  id: '9106'
  last_name: Schubert
- first_name: Sebastian
  full_name: Thiele, Sebastian
  last_name: Thiele
- first_name: Christopher
  full_name: Gerking, Christopher
  last_name: Gerking
citation:
  ama: 'Dziwok S, Pohlmann U, Piskachev G, Schubert D, Thiele S, Gerking C. <i>The
    MechatronicUML Design Method: Process and Language for Platform-Independent Modeling</i>.;
    2016.'
  apa: 'Dziwok, S., Pohlmann, U., Piskachev, G., Schubert, D., Thiele, S., &#38; Gerking,
    C. (2016). <i>The MechatronicUML Design Method: Process and Language for Platform-Independent
    Modeling</i>.'
  bibtex: '@book{Dziwok_Pohlmann_Piskachev_Schubert_Thiele_Gerking_2016, place={Zukunftsmeile
    1, 33102 Paderborn, Germany}, title={The MechatronicUML Design Method: Process
    and Language for Platform-Independent Modeling}, author={Dziwok, Stefan and Pohlmann,
    Uwe and Piskachev, Goran and Schubert, David and Thiele, Sebastian and Gerking,
    Christopher}, year={2016} }'
  chicago: 'Dziwok, Stefan, Uwe Pohlmann, Goran Piskachev, David Schubert, Sebastian
    Thiele, and Christopher Gerking. <i>The MechatronicUML Design Method: Process
    and Language for Platform-Independent Modeling</i>. Zukunftsmeile 1, 33102 Paderborn,
    Germany, 2016.'
  ieee: 'S. Dziwok, U. Pohlmann, G. Piskachev, D. Schubert, S. Thiele, and C. Gerking,
    <i>The MechatronicUML Design Method: Process and Language for Platform-Independent
    Modeling</i>. Zukunftsmeile 1, 33102 Paderborn, Germany, 2016.'
  mla: 'Dziwok, Stefan, et al. <i>The MechatronicUML Design Method: Process and Language
    for Platform-Independent Modeling</i>. 2016.'
  short: 'S. Dziwok, U. Pohlmann, G. Piskachev, D. Schubert, S. Thiele, C. Gerking,
    The MechatronicUML Design Method: Process and Language for Platform-Independent
    Modeling, Zukunftsmeile 1, 33102 Paderborn, Germany, 2016.'
date_created: 2020-12-22T09:24:42Z
date_updated: 2022-01-06T06:54:40Z
department:
- _id: '76'
- _id: '241'
language:
- iso: eng
place: Zukunftsmeile 1, 33102 Paderborn, Germany
status: public
title: 'The MechatronicUML Design Method: Process and Language for Platform-Independent
  Modeling'
type: report
user_id: '5786'
year: '2016'
...
---
_id: '20832'
author:
- first_name: Wilhelm
  full_name: Schäfer, Wilhelm
  last_name: Schäfer
- first_name: Stefan
  full_name: Dziwok, Stefan
  id: '3901'
  last_name: Dziwok
  orcid: http://orcid.org/0000-0002-8679-6673
- first_name: Uwe
  full_name: Pohlmann, Uwe
  last_name: Pohlmann
- first_name: Jan
  full_name: Bobolz, Jan
  id: '27207'
  last_name: Bobolz
- first_name: Mike
  full_name: Czech, Mike
  last_name: Czech
- first_name: Andreas Peter
  full_name: Dann, Andreas Peter
  id: '26886'
  last_name: Dann
- first_name: Johannes
  full_name: Geismann, Johannes
  id: '20063'
  last_name: Geismann
  orcid: https://orcid.org/0000-0003-2015-2047
- first_name: Marcus
  full_name: Hüwe, Marcus
  id: '13606'
  last_name: Hüwe
- first_name: Arthur
  full_name: Krieger, Arthur
  last_name: Krieger
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: David
  full_name: Schubert, David
  id: '9106'
  last_name: Schubert
- first_name: Rebekka
  full_name: Wohlrab, Rebekka
  last_name: Wohlrab
citation:
  ama: Schäfer W, Dziwok S, Pohlmann U, et al. <i>Seminar Theses of the Project Group
    Cybertron</i>.; 2015.
  apa: Schäfer, W., Dziwok, S., Pohlmann, U., Bobolz, J., Czech, M., Dann, A. P.,
    Geismann, J., Hüwe, M., Krieger, A., Piskachev, G., Schubert, D., &#38; Wohlrab,
    R. (2015). <i>Seminar Theses of the Project Group Cybertron</i>.
  bibtex: '@book{Schäfer_Dziwok_Pohlmann_Bobolz_Czech_Dann_Geismann_Hüwe_Krieger_Piskachev_et
    al._2015, title={Seminar Theses of the Project Group Cybertron}, author={Schäfer,
    Wilhelm and Dziwok, Stefan and Pohlmann, Uwe and Bobolz, Jan and Czech, Mike and
    Dann, Andreas Peter and Geismann, Johannes and Hüwe, Marcus and Krieger, Arthur
    and Piskachev, Goran and et al.}, year={2015} }'
  chicago: Schäfer, Wilhelm, Stefan Dziwok, Uwe Pohlmann, Jan Bobolz, Mike Czech,
    Andreas Peter Dann, Johannes Geismann, et al. <i>Seminar Theses of the Project
    Group Cybertron</i>, 2015.
  ieee: W. Schäfer <i>et al.</i>, <i>Seminar Theses of the Project Group Cybertron</i>.
    2015.
  mla: Schäfer, Wilhelm, et al. <i>Seminar Theses of the Project Group Cybertron</i>.
    2015.
  short: W. Schäfer, S. Dziwok, U. Pohlmann, J. Bobolz, M. Czech, A.P. Dann, J. Geismann,
    M. Hüwe, A. Krieger, G. Piskachev, D. Schubert, R. Wohlrab, Seminar Theses of
    the Project Group Cybertron, 2015.
date_created: 2020-12-22T10:03:05Z
date_updated: 2022-01-06T06:54:40Z
department:
- _id: '76'
language:
- iso: eng
status: public
title: Seminar Theses of the Project Group Cybertron
type: report
user_id: '5786'
year: '2015'
...
