[{"article_number":"45","file_date_updated":"2026-02-11T18:32:52Z","_id":"63834","user_id":"88024","department":[{"_id":"76"}],"status":"public","type":"journal_article","doi":"10.1007/s10515-025-00589-3","date_updated":"2026-02-11T18:33:12Z","author":[{"last_name":"Khedkar","id":"88024","full_name":"Khedkar, Mugdha","first_name":"Mugdha"},{"first_name":"Ambuj","last_name":"Kumar Mondal","full_name":"Kumar Mondal, Ambuj"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","full_name":"Bodden, Eric","id":"59256"}],"volume":33,"citation":{"ieee":"M. Khedkar, A. Kumar Mondal, and E. Bodden, “A study of privacy-related data collected by Android apps,” <i>Automated Software Engineering</i>, vol. 33, no. 2, Art. no. 45, 2026, doi: <a href=\"https://doi.org/10.1007/s10515-025-00589-3\">10.1007/s10515-025-00589-3</a>.","chicago":"Khedkar, Mugdha, Ambuj Kumar Mondal, and Eric Bodden. “A Study of Privacy-Related Data Collected by Android Apps.” <i>Automated Software Engineering</i> 33, no. 2 (2026). <a href=\"https://doi.org/10.1007/s10515-025-00589-3\">https://doi.org/10.1007/s10515-025-00589-3</a>.","ama":"Khedkar M, Kumar Mondal A, Bodden E. A study of privacy-related data collected by Android apps. <i>Automated Software Engineering</i>. 2026;33(2). doi:<a href=\"https://doi.org/10.1007/s10515-025-00589-3\">10.1007/s10515-025-00589-3</a>","apa":"Khedkar, M., Kumar Mondal, A., &#38; Bodden, E. (2026). A study of privacy-related data collected by Android apps. <i>Automated Software Engineering</i>, <i>33</i>(2), Article 45. 
<a href=\"https://doi.org/10.1007/s10515-025-00589-3\">https://doi.org/10.1007/s10515-025-00589-3</a>","bibtex":"@article{Khedkar_Kumar Mondal_Bodden_2026, title={A study of privacy-related data collected by Android apps}, volume={33}, DOI={<a href=\"https://doi.org/10.1007/s10515-025-00589-3\">10.1007/s10515-025-00589-3</a>}, number={245}, journal={Automated Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Khedkar, Mugdha and Kumar Mondal, Ambuj and Bodden, Eric}, year={2026} }","mla":"Khedkar, Mugdha, et al. “A Study of Privacy-Related Data Collected by Android Apps.” <i>Automated Software Engineering</i>, vol. 33, no. 2, 45, Springer Science and Business Media LLC, 2026, doi:<a href=\"https://doi.org/10.1007/s10515-025-00589-3\">10.1007/s10515-025-00589-3</a>.","short":"M. Khedkar, A. Kumar Mondal, E. Bodden, Automated Software Engineering 33 (2026)."},"intvolume":"        33","publication_status":"published","has_accepted_license":"1","publication_identifier":{"issn":["0928-8910","1573-7535"]},"ddc":["006"],"language":[{"iso":"eng"}],"abstract":[{"lang":"eng","text":"<jats:title>Abstract</jats:title>\r\n                  <jats:p>\r\n                    Many Android apps collect data from users, and the European Union’s General Data Protection Regulation (GDPR) mandates clear disclosures of such data collection. However, apps often use third-party code, complicating accurate disclosures. This paper investigates how accurately current Android apps fulfill these requirements. In this work, we present a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs. 
Based on this, we implement a semi-automated prototype that detects and labels privacy-related data collected by a given Android app. We manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting. We compare our prototype’s results with the data safety sections of 20 apps, revealing reporting discrepancies. Using the results from two Messaging and Social Media apps (Signal and Instagram), we discuss how app developers under-report and over-report data collection, respectively, and identify inaccurately reported data categories. A broader study of 7,500 Android apps reveals that apps most frequently collect data that can\r\n                    <jats:italic>partially identify</jats:italic>\r\n                    users. Although system APIs consistently collect large amounts of privacy-related data, user interfaces exhibit somewhat more diverse data collection patterns. A more focused study on various domains of apps reveals that the largest fraction of apps collecting personal data belong to the domain of\r\n                    <jats:italic>Messaging and Social Media</jats:italic>\r\n                    . Our findings show that location is collected frequently by apps, especially from the\r\n                    <jats:italic>E-commerce and Shopping</jats:italic>\r\n                    domain. However, it is often under-reported in app data safety sections. 
Our results highlight the need for greater consistency in privacy-aware app development and reporting practices.\r\n                  </jats:p>"}],"file":[{"relation":"main_file","success":1,"content_type":"application/pdf","file_id":"64127","file_name":"s10515-025-00589-3-1.pdf","access_level":"closed","file_size":3363479,"creator":"khedkarm","date_created":"2026-02-11T18:32:52Z","date_updated":"2026-02-11T18:32:52Z"}],"publication":"Automated Software Engineering","title":"A study of privacy-related data collected by Android apps","publisher":"Springer Science and Business Media LLC","date_created":"2026-02-02T12:36:22Z","year":"2026","issue":"2"},{"user_id":"88024","department":[{"_id":"76"}],"external_id":{"arxiv":["2601.20459"]},"_id":"64823","language":[{"iso":"eng"}],"keyword":["static analysis","data collection","data protection","privacy-aware reporting"],"type":"conference","publication":"Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft '26). Association for Computing Machinery, New York, NY, USA, 65–68.","status":"public","abstract":[{"lang":"eng","text":"Current legal frameworks enforce that Android developers accurately report the data their apps collect. However, large codebases can make this reporting challenging. This paper employs an empirical approach to understand developers' experience with Google Play Store's Data Safety Section (DSS) form.\r\n\r\nWe first survey 41 Android developers to understand how they categorize privacy-related data into DSS categories and how confident they feel when completing the DSS form. To gain a broader and more detailed view of the challenges developers encounter during the process, we complement the survey with an analysis of 172 online developer discussions, capturing the perspectives of 642 additional developers. 
Together, these two data sources represent insights from 683 developers.\r\n\r\nOur findings reveal that developers often manually classify the privacy-related data their apps collect into the data categories defined by Google—or, in some cases, omit classification entirely—and rely heavily on existing online resources when completing the form. Moreover, developers are generally confident in recognizing the data their apps collect, yet they lack confidence in translating this knowledge into DSS-compliant disclosures. Key challenges include issues in identifying privacy-relevant data to complete the form, limited understanding of the form, and concerns about app rejection due to discrepancies with Google's privacy requirements.\r\nThese results underscore the need for clearer guidance and more accessible tooling to support developers in meeting privacy-aware reporting obligations. "}],"author":[{"first_name":"Mugdha","full_name":"Khedkar, Mugdha","id":"88024","last_name":"Khedkar"},{"first_name":"Michael","id":"32312","full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171","last_name":"Schlichtig"},{"id":"102489","full_name":"Soliman, Mohamed Aboubakr Mohamed","last_name":"Soliman","first_name":"Mohamed Aboubakr Mohamed"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647"}],"date_created":"2026-03-04T08:10:43Z","date_updated":"2026-03-13T12:10:10Z","conference":{"location":"Rio de Janeiro, Brazil","end_date":"2026-04-18","start_date":"2026-04-12","name":"13th International Conference on Mobile Software Engineering and Systems 2024"},"title":"Challenges in Android Data Disclosure: An Empirical Study.","citation":{"ama":"Khedkar M, Schlichtig M, Soliman MAM, Bodden E. Challenges in Android Data Disclosure: An Empirical Study. In: <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). 
Association for Computing Machinery, New York, NY, USA, 65–68.</i> ; 2026.","ieee":"M. Khedkar, M. Schlichtig, M. A. M. Soliman, and E. Bodden, “Challenges in Android Data Disclosure: An Empirical Study.,” presented at the 13th International Conference on Mobile Software Engineering and Systems 2024, Rio de Janeiro, Brazil, 2026.","chicago":"Khedkar, Mugdha, Michael Schlichtig, Mohamed Aboubakr Mohamed Soliman, and Eric Bodden. “Challenges in Android Data Disclosure: An Empirical Study.” In <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.</i>, 2026.","short":"M. Khedkar, M. Schlichtig, M.A.M. Soliman, E. Bodden, in: Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68., 2026.","mla":"Khedkar, Mugdha, et al. “Challenges in Android Data Disclosure: An Empirical Study.” <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.</i>, 2026.","bibtex":"@inproceedings{Khedkar_Schlichtig_Soliman_Bodden_2026, title={Challenges in Android Data Disclosure: An Empirical Study.}, booktitle={Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.}, author={Khedkar, Mugdha and Schlichtig, Michael and Soliman, Mohamed Aboubakr Mohamed and Bodden, Eric}, year={2026} }","apa":"Khedkar, M., Schlichtig, M., Soliman, M. A. M., &#38; Bodden, E. (2026). Challenges in Android Data Disclosure: An Empirical Study. <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). 
Association for Computing Machinery, New York, NY, USA, 65–68.</i> 13th International Conference on Mobile Software Engineering and Systems 2024, Rio de Janeiro, Brazil."},"year":"2026"},{"language":[{"iso":"eng"}],"article_number":"56","department":[{"_id":"76"}],"user_id":"88024","_id":"64821","status":"public","publication":"Automated Software Engineering ","type":"journal_article","doi":"10.1007/s10515-026-00601-4","title":"Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments","volume":33,"date_created":"2026-03-04T08:03:14Z","author":[{"first_name":"Mugdha","full_name":"Khedkar, Mugdha","id":"88024","last_name":"Khedkar"},{"full_name":"Schlichtig, Michael","id":"32312","orcid":"0000-0001-6600-6171","last_name":"Schlichtig","first_name":"Michael"},{"first_name":"Nihad","last_name":"Atakishiyev","full_name":"Atakishiyev, Nihad"},{"first_name":"Eric","id":"59256","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden"}],"date_updated":"2026-03-13T12:10:38Z","publisher":"Springer US","intvolume":"        33","citation":{"ama":"Khedkar M, Schlichtig M, Atakishiyev N, Bodden E. Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments. <i>Automated Software Engineering </i>. 2026;33(2). doi:<a href=\"https://doi.org/10.1007/s10515-026-00601-4\">10.1007/s10515-026-00601-4</a>","chicago":"Khedkar, Mugdha, Michael Schlichtig, Nihad Atakishiyev, and Eric Bodden. “Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments.” <i>Automated Software Engineering </i> 33, no. 2 (2026). <a href=\"https://doi.org/10.1007/s10515-026-00601-4\">https://doi.org/10.1007/s10515-026-00601-4</a>.","ieee":"M. Khedkar, M. Schlichtig, N. Atakishiyev, and E. Bodden, “Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments,” <i>Automated Software Engineering </i>, vol. 33, no. 2, Art. no. 
56, 2026, doi: <a href=\"https://doi.org/10.1007/s10515-026-00601-4\">10.1007/s10515-026-00601-4</a>.","mla":"Khedkar, Mugdha, et al. “Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments.” <i>Automated Software Engineering </i>, vol. 33, no. 2, 56, Springer US, 2026, doi:<a href=\"https://doi.org/10.1007/s10515-026-00601-4\">10.1007/s10515-026-00601-4</a>.","bibtex":"@article{Khedkar_Schlichtig_Atakishiyev_Bodden_2026, title={Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments}, volume={33}, DOI={<a href=\"https://doi.org/10.1007/s10515-026-00601-4\">10.1007/s10515-026-00601-4</a>}, number={256}, journal={Automated Software Engineering }, publisher={Springer US}, author={Khedkar, Mugdha and Schlichtig, Michael and Atakishiyev, Nihad and Bodden, Eric}, year={2026} }","short":"M. Khedkar, M. Schlichtig, N. Atakishiyev, E. Bodden, Automated Software Engineering  33 (2026).","apa":"Khedkar, M., Schlichtig, M., Atakishiyev, N., &#38; Bodden, E. (2026). Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments. <i>Automated Software Engineering </i>, <i>33</i>(2), Article 56. <a href=\"https://doi.org/10.1007/s10515-026-00601-4\">https://doi.org/10.1007/s10515-026-00601-4</a>"},"year":"2026","issue":"2","publication_identifier":{"unknown":["1573-7535"]}},{"status":"public","citation":{"apa":"Khedkar, M., Schlichtig, M., &#38; Bodden, E. (2026). Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View. <i>IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)</i>.","short":"M. Khedkar, M. Schlichtig, E. Bodden, in: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026), 2026.","mla":"Khedkar, Mugdha, et al. 
“Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View.” <i>IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)</i>, 2026.","bibtex":"@inproceedings{Khedkar_Schlichtig_Bodden_2026, title={Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View}, booktitle={IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)}, author={Khedkar, Mugdha and Schlichtig, Michael and Bodden, Eric}, year={2026} }","chicago":"Khedkar, Mugdha, Michael Schlichtig, and Eric Bodden. “Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View.” In <i>IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)</i>, 2026.","ieee":"M. Khedkar, M. Schlichtig, and E. Bodden, “Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View,” 2026.","ama":"Khedkar M, Schlichtig M, Bodden E. Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View. In: <i>IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)</i>. 
; 2026."},"year":"2026","publication":"IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)","type":"conference","language":[{"iso":"eng"}],"main_file_link":[{"url":"https://mugdhak30.github.io/assets/Preprints/RoPA_SANER2026.pdf"}],"title":"Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View","department":[{"_id":"76"}],"author":[{"last_name":"Khedkar","id":"88024","full_name":"Khedkar, Mugdha","first_name":"Mugdha"},{"first_name":"Michael","id":"32312","full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171","last_name":"Schlichtig"},{"last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","id":"59256","first_name":"Eric"}],"user_id":"88024","date_created":"2026-03-13T12:16:09Z","_id":"64909","date_updated":"2026-03-13T12:17:01Z"},{"language":[{"iso":"eng"}],"user_id":"32312","department":[{"_id":"76"}],"_id":"65017","external_id":{"arxiv":["2603.10558"]},"status":"public","abstract":[{"lang":"eng","text":"Static Application Security Testing (SAST) tools play a vital role in modern software development by automatically detecting potential vulnerabilities in source code. However, their effectiveness is often limited by a high rate of false positives, which wastes developers' effort and undermines trust in automated analysis. This work presents a Graph Convolutional Network (GCN) model designed to classify SAST reports as true or false positives. The model leverages Code Property Graphs (CPGs) constructed from static analysis results to capture both structural and semantic relationships within code. Trained on the CamBenchCAP dataset, the model achieved an accuracy of 100% on the test set using an 80/20 train-test split. Evaluation on the CryptoAPI-Bench benchmark further demonstrated the model's practical applicability, reaching an overall accuracy of up to 96.6%. 
A detailed qualitative inspection revealed that many cases marked as misclassifications corresponded to genuine security weaknesses, indicating that the model effectively reflects conservative, security-aware reasoning. Identified limitations include incomplete control-flow representation due to missing interprocedural connections. Future work will focus on integrating call graphs, applying graph explainability techniques, and extending training data across multiple SAST tools to improve generalization and interpretability."}],"type":"preprint","publication":"arXiv:2603.10558","title":"FP-Predictor - False Positive Prediction for Static Analysis Reports","author":[{"first_name":"Tom","full_name":"Ohlmer, Tom","last_name":"Ohlmer"},{"full_name":"Schlichtig, Michael","id":"32312","last_name":"Schlichtig","orcid":"0000-0001-6600-6171","first_name":"Michael"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","full_name":"Bodden, Eric","id":"59256"}],"date_created":"2026-03-16T17:38:33Z","date_updated":"2026-03-16T17:40:31Z","citation":{"short":"T. Ohlmer, M. Schlichtig, E. Bodden, ArXiv:2603.10558 (2026).","bibtex":"@article{Ohlmer_Schlichtig_Bodden_2026, title={FP-Predictor - False Positive Prediction for Static Analysis Reports}, journal={arXiv:2603.10558}, author={Ohlmer, Tom and Schlichtig, Michael and Bodden, Eric}, year={2026} }","mla":"Ohlmer, Tom, et al. “FP-Predictor - False Positive Prediction for Static Analysis Reports.” <i>ArXiv:2603.10558</i>, 2026.","apa":"Ohlmer, T., Schlichtig, M., &#38; Bodden, E. (2026). FP-Predictor - False Positive Prediction for Static Analysis Reports. In <i>arXiv:2603.10558</i>.","ieee":"T. Ohlmer, M. Schlichtig, and E. Bodden, “FP-Predictor - False Positive Prediction for Static Analysis Reports,” <i>arXiv:2603.10558</i>. 2026.","chicago":"Ohlmer, Tom, Michael Schlichtig, and Eric Bodden. 
“FP-Predictor - False Positive Prediction for Static Analysis Reports.” <i>ArXiv:2603.10558</i>, 2026.","ama":"Ohlmer T, Schlichtig M, Bodden E. FP-Predictor - False Positive Prediction for Static Analysis Reports. <i>arXiv:260310558</i>. Published online 2026."},"year":"2026"},{"language":[{"iso":"eng"}],"user_id":"32312","department":[{"_id":"76"}],"_id":"65030","status":"public","type":"conference","publication":"2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","title":"From Legacy Designs to Vulnerability Fixes: Understanding SAST Adoption in Non-Technological Companies","author":[{"last_name":"Amaral","full_name":"Amaral, Luis","first_name":"Luis"},{"orcid":"0000-0001-6600-6171","last_name":"Schlichtig","full_name":"Schlichtig, Michael","id":"32312","first_name":"Michael"},{"full_name":"Emanuel, Wagner","last_name":"Emanuel","first_name":"Wagner"},{"first_name":"Joilton","full_name":"Almeida, Joilton","last_name":"Almeida"},{"first_name":"Carine","full_name":"Ferreira, Carine","last_name":"Ferreira"},{"first_name":"Jérôme","full_name":"Kempf, Jérôme","last_name":"Kempf"},{"first_name":"Rodrigo","last_name":"Bonifácio","full_name":"Bonifácio, Rodrigo"},{"first_name":"Eric","id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647"},{"first_name":"Laerte","last_name":"Peotta","full_name":"Peotta, Laerte"},{"last_name":"Pinto","full_name":"Pinto, Gustavo","first_name":"Gustavo"},{"last_name":"Ribeiro","full_name":"Ribeiro, Márcio","first_name":"Márcio"}],"date_created":"2026-03-17T11:59:09Z","date_updated":"2026-03-17T12:02:14Z","citation":{"apa":"Amaral, L., Schlichtig, M., Emanuel, W., Almeida, J., Ferreira, C., Kempf, J., Bonifácio, R., Bodden, E., Peotta, L., Pinto, G., &#38; Ribeiro, M. (2026). From Legacy Designs to Vulnerability Fixes: Understanding SAST Adoption in Non-Technological Companies. 
<i>2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>.","bibtex":"@inproceedings{Amaral_Schlichtig_Emanuel_Almeida_Ferreira_Kempf_Bonifácio_Bodden_Peotta_Pinto_et al._2026, title={From Legacy Designs to Vulnerability Fixes: Understanding SAST Adoption in Non-Technological Companies}, booktitle={2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Amaral, Luis and Schlichtig, Michael and Emanuel, Wagner and Almeida, Joilton and Ferreira, Carine and Kempf, Jérôme and Bonifácio, Rodrigo and Bodden, Eric and Peotta, Laerte and Pinto, Gustavo and et al.}, year={2026} }","short":"L. Amaral, M. Schlichtig, W. Emanuel, J. Almeida, C. Ferreira, J. Kempf, R. Bonifácio, E. Bodden, L. Peotta, G. Pinto, M. Ribeiro, in: 2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2026.","mla":"Amaral, Luis, et al. “From Legacy Designs to Vulnerability Fixes: Understanding SAST Adoption in Non-Technological Companies.” <i>2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>, 2026.","ieee":"L. Amaral <i>et al.</i>, “From Legacy Designs to Vulnerability Fixes: Understanding SAST Adoption in Non-Technological Companies,” 2026.","chicago":"Amaral, Luis, Michael Schlichtig, Wagner Emanuel, Joilton Almeida, Carine Ferreira, Jérôme Kempf, Rodrigo Bonifácio, et al. “From Legacy Designs to Vulnerability Fixes: Understanding SAST Adoption in Non-Technological Companies.” In <i>2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>, 2026.","ama":"Amaral L, Schlichtig M, Emanuel W, et al. From Legacy Designs to Vulnerability Fixes: Understanding SAST Adoption in Non-Technological Companies. In: <i>2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>. 
; 2026."},"year":"2026"},{"publication_status":"published","citation":{"ama":"Trentinaglia R, Koch T, Bodden E. Using Attack and Failure Propagation Analysis for Context-Aware Security Control Suggestions. In: <i>Proceedings of the 14th International Conference on Model-Based Software and Systems Engineering</i>. SCITEPRESS - Science and Technology Publications; 2026. doi:<a href=\"https://doi.org/10.5220/0014278000004058\">10.5220/0014278000004058</a>","apa":"Trentinaglia, R., Koch, T., &#38; Bodden, E. (2026). Using Attack and Failure Propagation Analysis for Context-Aware Security Control Suggestions. <i>Proceedings of the 14th International Conference on Model-Based Software and Systems Engineering</i>. <a href=\"https://doi.org/10.5220/0014278000004058\">https://doi.org/10.5220/0014278000004058</a>","short":"R. Trentinaglia, T. Koch, E. Bodden, in: Proceedings of the 14th International Conference on Model-Based Software and Systems Engineering, SCITEPRESS - Science and Technology Publications, 2026.","bibtex":"@inproceedings{Trentinaglia_Koch_Bodden_2026, title={Using Attack and Failure Propagation Analysis for Context-Aware Security Control Suggestions}, DOI={<a href=\"https://doi.org/10.5220/0014278000004058\">10.5220/0014278000004058</a>}, booktitle={Proceedings of the 14th International Conference on Model-Based Software and Systems Engineering}, publisher={SCITEPRESS - Science and Technology Publications}, author={Trentinaglia, Roman and Koch, Thorsten and Bodden, Eric}, year={2026} }","mla":"Trentinaglia, Roman, et al. “Using Attack and Failure Propagation Analysis for Context-Aware Security Control Suggestions.” <i>Proceedings of the 14th International Conference on Model-Based Software and Systems Engineering</i>, SCITEPRESS - Science and Technology Publications, 2026, doi:<a href=\"https://doi.org/10.5220/0014278000004058\">10.5220/0014278000004058</a>.","chicago":"Trentinaglia, Roman, Thorsten Koch, and Eric Bodden. 
“Using Attack and Failure Propagation Analysis for Context-Aware Security Control Suggestions.” In <i>Proceedings of the 14th International Conference on Model-Based Software and Systems Engineering</i>. SCITEPRESS - Science and Technology Publications, 2026. <a href=\"https://doi.org/10.5220/0014278000004058\">https://doi.org/10.5220/0014278000004058</a>.","ieee":"R. Trentinaglia, T. Koch, and E. Bodden, “Using Attack and Failure Propagation Analysis for Context-Aware Security Control Suggestions,” 2026, doi: <a href=\"https://doi.org/10.5220/0014278000004058\">10.5220/0014278000004058</a>."},"year":"2026","date_created":"2026-03-31T13:52:36Z","author":[{"last_name":"Trentinaglia","orcid":"0000-0001-9728-4991","id":"49934","full_name":"Trentinaglia, Roman","first_name":"Roman"},{"first_name":"Thorsten","last_name":"Koch","full_name":"Koch, Thorsten","id":"13616"},{"orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256","full_name":"Bodden, Eric","first_name":"Eric"}],"date_updated":"2026-03-31T13:53:55Z","publisher":"SCITEPRESS - Science and Technology Publications","doi":"10.5220/0014278000004058","title":"Using Attack and Failure Propagation Analysis for Context-Aware Security Control Suggestions","type":"conference","publication":"Proceedings of the 14th International Conference on Model-Based Software and Systems Engineering","status":"public","user_id":"49934","department":[{"_id":"241"},{"_id":"662"}],"_id":"65261","language":[{"iso":"eng"}]},{"_id":"60583","department":[{"_id":"241"},{"_id":"662"}],"user_id":"49934","language":[{"iso":"eng"}],"publication":"AHFE International","type":"conference","abstract":[{"lang":"eng","text":"<jats:p>Assessing and communicating software security has become a crucial concern in the era of digital transformation. 
As software systems grow more complex and interconnected, it becomes increasingly challenging to effectively evaluate and communicate a product's security status to both technical and non-technical stakeholders. The Software Product Health Assistant (SPHA) is designed to automatically collect and aggregate data from existing expert tools and derive, among other scores, a transparent Security Score. SPHA is designed to present and explain this Security Score to decision-makers to support their responsibilities. In this paper, we demonstrate how to integrate data from SMARAGD (System Modeler for Architectural Risk Assessment and Guidance on Defenses), a safety-informed threat modeling tool, into SPHA to enhance the existing definition of its Security Score. To achieve this, we combine information about known vulnerabilities with architectural and threat data to calculate a realistic risk score for the product in question.</jats:p>"}],"status":"public","date_updated":"2025-07-10T06:39:03Z","publisher":"AHFE International","volume":168,"author":[{"first_name":"Jan-niclas","full_name":"Strüwer, Jan-niclas","last_name":"Strüwer"},{"first_name":"Roman","orcid":"0000-0001-9728-4991","last_name":"Trentinaglia","id":"49934","full_name":"Trentinaglia, Roman"},{"last_name":"Wohlers","id":"53786","full_name":"Wohlers, Benedict","first_name":"Benedict"},{"id":"59256","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","first_name":"Eric"},{"first_name":"Roman","last_name":"Dumitrescu","full_name":"Dumitrescu, Roman","id":"16190"}],"date_created":"2025-07-10T06:37:42Z","title":"Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis","doi":"10.54941/ahfe1006145","publication_identifier":{"issn":["2771-0718"]},"publication_status":"published","year":"2025","intvolume":"       168","citation":{"chicago":"Strüwer, Jan-niclas, Roman Trentinaglia, Benedict Wohlers, Eric Bodden, and Roman Dumitrescu. 
“Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis.” In <i>AHFE International</i>, Vol. 168. AHFE International, 2025. <a href=\"https://doi.org/10.54941/ahfe1006145\">https://doi.org/10.54941/ahfe1006145</a>.","ieee":"J. Strüwer, R. Trentinaglia, B. Wohlers, E. Bodden, and R. Dumitrescu, “Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis,” in <i>AHFE International</i>, 2025, vol. 168, doi: <a href=\"https://doi.org/10.54941/ahfe1006145\">10.54941/ahfe1006145</a>.","ama":"Strüwer J, Trentinaglia R, Wohlers B, Bodden E, Dumitrescu R. Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis. In: <i>AHFE International</i>. Vol 168. AHFE International; 2025. doi:<a href=\"https://doi.org/10.54941/ahfe1006145\">10.54941/ahfe1006145</a>","apa":"Strüwer, J., Trentinaglia, R., Wohlers, B., Bodden, E., &#38; Dumitrescu, R. (2025). Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis. <i>AHFE International</i>, <i>168</i>. <a href=\"https://doi.org/10.54941/ahfe1006145\">https://doi.org/10.54941/ahfe1006145</a>","mla":"Strüwer, Jan-niclas, et al. “Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis.” <i>AHFE International</i>, vol. 
168, AHFE International, 2025, doi:<a href=\"https://doi.org/10.54941/ahfe1006145\">10.54941/ahfe1006145</a>.","bibtex":"@inproceedings{Strüwer_Trentinaglia_Wohlers_Bodden_Dumitrescu_2025, title={Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis}, volume={168}, DOI={<a href=\"https://doi.org/10.54941/ahfe1006145\">10.54941/ahfe1006145</a>}, booktitle={AHFE International}, publisher={AHFE International}, author={Strüwer, Jan-niclas and Trentinaglia, Roman and Wohlers, Benedict and Bodden, Eric and Dumitrescu, Roman}, year={2025} }","short":"J. Strüwer, R. Trentinaglia, B. Wohlers, E. Bodden, R. Dumitrescu, in: AHFE International, AHFE International, 2025."}},{"publication_identifier":{"issn":["1049-331X","1557-7392"]},"publication_status":"published","citation":{"ieee":"S. Kummita, M. Miao, E. Bodden, and S. Wei, “Visualization Task Taxonomy to Understand the Fuzzing Internals,” <i>ACM Transactions on Software Engineering and Methodology</i>, Art. no. 3718346, 2025, doi: <a href=\"https://doi.org/10.1145/3718346\">10.1145/3718346</a>.","chicago":"Kummita, Sriteja, Miao Miao, Eric Bodden, and Shiyi Wei. “Visualization Task Taxonomy to Understand the Fuzzing Internals.” <i>ACM Transactions on Software Engineering and Methodology</i>, 2025. <a href=\"https://doi.org/10.1145/3718346\">https://doi.org/10.1145/3718346</a>.","ama":"Kummita S, Miao M, Bodden E, Wei S. Visualization Task Taxonomy to Understand the Fuzzing Internals. <i>ACM Transactions on Software Engineering and Methodology</i>. Published online 2025. doi:<a href=\"https://doi.org/10.1145/3718346\">10.1145/3718346</a>","short":"S. Kummita, M. Miao, E. Bodden, S. 
Wei, ACM Transactions on Software Engineering and Methodology (2025).","bibtex":"@article{Kummita_Miao_Bodden_Wei_2025, title={Visualization Task Taxonomy to Understand the Fuzzing Internals}, DOI={<a href=\"https://doi.org/10.1145/3718346\">10.1145/3718346</a>}, number={3718346}, journal={ACM Transactions on Software Engineering and Methodology}, publisher={Association for Computing Machinery (ACM)}, author={Kummita, Sriteja and Miao, Miao and Bodden, Eric and Wei, Shiyi}, year={2025} }","mla":"Kummita, Sriteja, et al. “Visualization Task Taxonomy to Understand the Fuzzing Internals.” <i>ACM Transactions on Software Engineering and Methodology</i>, 3718346, Association for Computing Machinery (ACM), 2025, doi:<a href=\"https://doi.org/10.1145/3718346\">10.1145/3718346</a>.","apa":"Kummita, S., Miao, M., Bodden, E., &#38; Wei, S. (2025). Visualization Task Taxonomy to Understand the Fuzzing Internals. <i>ACM Transactions on Software Engineering and Methodology</i>, Article 3718346. <a href=\"https://doi.org/10.1145/3718346\">https://doi.org/10.1145/3718346</a>"},"year":"2025","author":[{"first_name":"Sriteja","id":"72582","full_name":"Kummita, Sriteja","last_name":"Kummita"},{"full_name":"Miao, Miao","last_name":"Miao","first_name":"Miao"},{"orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256","full_name":"Bodden, Eric","first_name":"Eric"},{"first_name":"Shiyi","full_name":"Wei, Shiyi","last_name":"Wei"}],"date_created":"2025-09-01T10:15:26Z","date_updated":"2025-09-01T10:16:03Z","publisher":"Association for Computing Machinery (ACM)","doi":"10.1145/3718346","title":"Visualization Task Taxonomy to Understand the Fuzzing Internals","publication":"ACM Transactions on Software Engineering and Methodology","type":"journal_article","status":"public","abstract":[{"text":"<jats:p>Greybox fuzzing is used extensively in research and practice. There are umpteen publications that improve greybox fuzzing. 
However, to what extent do these improvements affect the internal components or internals of a given fuzzer is not yet understood as the improvements are mostly evaluated using code coverage and bug finding capability. Such an evaluation is insufficient to understand the effect of improvements on the fuzzer internals. Some of the literature visualizes the outcomes of fuzzing to enhance the understanding. However, they only focus on high-level information and no previous research on visualization has been dedicated to understanding fuzzing internals.</jats:p>\r\n          <jats:p>To close this gap, we propose the first step towards development of a fuzzing-specific visualization framework: a taxonomy of visualization analysis tasks that fuzzing experts desire to help them understand the fuzzing internals. Our approach involves conducting interviews with fuzzing experts and using qualitative data analysis to systematically extract the task taxonomy from the interview data. We also evaluate the support of existing fuzzing visualization tools through the lens of our taxonomy. In our study, we have conducted 33 interviews with fuzzing practitioners and extracted a taxonomy of 120 visualization analysis tasks. 
Our evaluation shows that the existing fuzzing visualization tools only provide aids to support 10 of them.</jats:p>","lang":"eng"}],"department":[{"_id":"76"}],"user_id":"15249","_id":"61108","language":[{"iso":"eng"}],"article_number":"3718346"},{"publication_identifier":{"issn":["2994-970X"]},"publication_status":"published","issue":"ISSTA","year":"2025","intvolume":"         2","page":"527-549","citation":{"bibtex":"@article{Miao_Kummita_Bodden_Wei_2025, title={Program Feature-Based Benchmarking for Fuzz Testing}, volume={2}, DOI={<a href=\"https://doi.org/10.1145/3728899\">10.1145/3728899</a>}, number={ISSTA}, journal={Proceedings of the ACM on Software Engineering}, publisher={Association for Computing Machinery (ACM)}, author={Miao, Miao and Kummita, Sriteja and Bodden, Eric and Wei, Shiyi}, year={2025}, pages={527–549} }","short":"M. Miao, S. Kummita, E. Bodden, S. Wei, Proceedings of the ACM on Software Engineering 2 (2025) 527–549.","mla":"Miao, Miao, et al. “Program Feature-Based Benchmarking for Fuzz Testing.” <i>Proceedings of the ACM on Software Engineering</i>, vol. 2, no. ISSTA, Association for Computing Machinery (ACM), 2025, pp. 527–49, doi:<a href=\"https://doi.org/10.1145/3728899\">10.1145/3728899</a>.","apa":"Miao, M., Kummita, S., Bodden, E., &#38; Wei, S. (2025). Program Feature-Based Benchmarking for Fuzz Testing. <i>Proceedings of the ACM on Software Engineering</i>, <i>2</i>(ISSTA), 527–549. <a href=\"https://doi.org/10.1145/3728899\">https://doi.org/10.1145/3728899</a>","chicago":"Miao, Miao, Sriteja Kummita, Eric Bodden, and Shiyi Wei. “Program Feature-Based Benchmarking for Fuzz Testing.” <i>Proceedings of the ACM on Software Engineering</i> 2, no. ISSTA (2025): 527–49. <a href=\"https://doi.org/10.1145/3728899\">https://doi.org/10.1145/3728899</a>.","ieee":"M. Miao, S. Kummita, E. Bodden, and S. Wei, “Program Feature-Based Benchmarking for Fuzz Testing,” <i>Proceedings of the ACM on Software Engineering</i>, vol. 2, no. ISSTA, pp. 
527–549, 2025, doi: <a href=\"https://doi.org/10.1145/3728899\">10.1145/3728899</a>.","ama":"Miao M, Kummita S, Bodden E, Wei S. Program Feature-Based Benchmarking for Fuzz Testing. <i>Proceedings of the ACM on Software Engineering</i>. 2025;2(ISSTA):527-549. doi:<a href=\"https://doi.org/10.1145/3728899\">10.1145/3728899</a>"},"publisher":"Association for Computing Machinery (ACM)","date_updated":"2025-10-08T08:32:57Z","volume":2,"date_created":"2025-10-08T08:29:39Z","author":[{"full_name":"Miao, Miao","last_name":"Miao","first_name":"Miao"},{"last_name":"Kummita","full_name":"Kummita, Sriteja","id":"72582","first_name":"Sriteja"},{"full_name":"Bodden, Eric","id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","first_name":"Eric"},{"first_name":"Shiyi","last_name":"Wei","full_name":"Wei, Shiyi"}],"title":"Program Feature-Based Benchmarking for Fuzz Testing","doi":"10.1145/3728899","publication":"Proceedings of the ACM on Software Engineering","type":"journal_article","abstract":[{"lang":"eng","text":"<jats:p>Fuzzing is a powerful software testing technique renowned for its effectiveness in identifying software vulnerabilities. Traditional fuzzing evaluations typically focus on overall fuzzer performance across a set of target programs, yet few benchmarks consider how fine-grained program features influence fuzzing effectiveness. To bridge this gap, we introduce FeatureBench, a novel benchmark designed to generate programs with configurable, fine-grained program features to enhance fuzzing evaluations. We reviewed 25 recent grey-box fuzzing studies, extracting 7 program features related to control-flow and data-flow that can impact fuzzer performance. Using these features, we generated a benchmark consisting of 153 programs controlled by 10 fine-grained configurable parameters. We evaluated 11 fuzzers using this benchmark, with each fuzzer representing either distinct claimed improvements or serving as a widely used baseline in fuzzing evaluations. 
The results indicate that fuzzer performance varies significantly based on the program features and their strengths, highlighting the importance of incorporating program characteristics into fuzzing evaluations.</jats:p>"}],"status":"public","_id":"61546","department":[{"_id":"76"},{"_id":"662"}],"user_id":"15249","language":[{"iso":"eng"}]},{"language":[{"iso":"eng"}],"_id":"61969","user_id":"15782","department":[{"_id":"563"}],"abstract":[{"lang":"eng","text":"<jats:p>Assessing and communicating software security has become a crucial concern in the era of digital transformation. As software systems grow more complex and interconnected, it becomes increasingly challenging to effectively evaluate and communicate a product's security status to both technical and non-technical stakeholders. The Software Product Health Assistant (SPHA) is designed to automatically collect and aggregate data from existing expert tools and derive, among other scores, a transparent Security Score. SPHA is designed to present and explain this Security Score to decision-makers to support their responsibilities. In this paper, we demonstrate how to integrate data from SMARAGD (System Modeler for Architectural Risk Assessment and Guidance on Defenses), a safety-informed threat modeling tool, into SPHA to enhance the existing definition of its Security Score. 
To achieve this, we combine information about known vulnerabilities with architectural and threat data to calculate a realistic risk score for the product in question.</jats:p>"}],"status":"public","type":"conference","publication":"AHFE International","title":"Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis","doi":"10.54941/ahfe1006145","date_updated":"2025-10-24T08:12:16Z","publisher":"AHFE International","author":[{"last_name":"Strüwer","full_name":"Strüwer, Jan-Niclas","first_name":"Jan-Niclas"},{"last_name":"Trentinaglia","full_name":"Trentinaglia, Roman","first_name":"Roman"},{"first_name":"Benedict","full_name":"Wohlers, Benedict","last_name":"Wohlers"},{"full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden","first_name":"Eric"},{"first_name":"Roman","last_name":"Dumitrescu","full_name":"Dumitrescu, Roman","id":"16190"}],"date_created":"2025-10-24T06:56:54Z","volume":168,"year":"2025","citation":{"ama":"Strüwer J-N, Trentinaglia R, Wohlers B, Bodden E, Dumitrescu R. Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis. In: <i>AHFE International</i>. Vol 168. AHFE International; 2025. doi:<a href=\"https://doi.org/10.54941/ahfe1006145\">10.54941/ahfe1006145</a>","ieee":"J.-N. Strüwer, R. Trentinaglia, B. Wohlers, E. Bodden, and R. Dumitrescu, “Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis,” in <i>AHFE International</i>, 2025, vol. 168, doi: <a href=\"https://doi.org/10.54941/ahfe1006145\">10.54941/ahfe1006145</a>.","chicago":"Strüwer, Jan-Niclas, Roman Trentinaglia, Benedict Wohlers, Eric Bodden, and Roman Dumitrescu. “Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis.” In <i>AHFE International</i>, Vol. 168. AHFE International, 2025. 
<a href=\"https://doi.org/10.54941/ahfe1006145\">https://doi.org/10.54941/ahfe1006145</a>.","mla":"Strüwer, Jan-Niclas, et al. “Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis.” <i>AHFE International</i>, vol. 168, AHFE International, 2025, doi:<a href=\"https://doi.org/10.54941/ahfe1006145\">10.54941/ahfe1006145</a>.","bibtex":"@inproceedings{Strüwer_Trentinaglia_Wohlers_Bodden_Dumitrescu_2025, title={Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis}, volume={168}, DOI={<a href=\"https://doi.org/10.54941/ahfe1006145\">10.54941/ahfe1006145</a>}, booktitle={AHFE International}, publisher={AHFE International}, author={Strüwer, Jan-Niclas and Trentinaglia, Roman and Wohlers, Benedict and Bodden, Eric and Dumitrescu, Roman}, year={2025} }","short":"J.-N. Strüwer, R. Trentinaglia, B. Wohlers, E. Bodden, R. Dumitrescu, in: AHFE International, AHFE International, 2025.","apa":"Strüwer, J.-N., Trentinaglia, R., Wohlers, B., Bodden, E., &#38; Dumitrescu, R. (2025). Assessing and Communicating Software Security: Enhancing Software Product Health with Architectural Threat Analysis. <i>AHFE International</i>, <i>168</i>. <a href=\"https://doi.org/10.54941/ahfe1006145\">https://doi.org/10.54941/ahfe1006145</a>"},"intvolume":"       168","publication_status":"published","publication_identifier":{"issn":["2771-0718"]}},{"type":"journal_article","publication":"Empirical Software Engineering","status":"public","abstract":[{"text":"Large Language Models (LLMs) are increasingly being explored for their potential in software engineering, particularly in static analysis tasks. In this study, we investigate the potential of current LLMs to enhance call-graph analysis and type inference for Python and JavaScript programs. 
We empirically evaluated 24 LLMs, including OpenAI's GPT series and open-source models like LLaMA and Mistral, using existing and newly developed benchmarks. Specifically, we enhanced TypeEvalPy, a micro-benchmarking framework for type inference in Python, with auto-generation capabilities, expanding its scope from 860 to 77,268 type annotations for Python. Additionally, we introduced SWARM-CG and SWARM-JS, comprehensive benchmarking suites for evaluating call-graph construction tools across multiple programming languages.\r\n Our findings reveal a contrasting performance of LLMs in static analysis tasks. For call-graph generation, traditional static analysis tools such as PyCG for Python and Jelly for JavaScript consistently outperform LLMs. While advanced models like mistral-large-it-2407-123b and gpt-4o show promise, they still struggle with completeness and soundness in call-graph analysis across both languages. In contrast, LLMs demonstrate a clear advantage in type inference for Python, surpassing traditional tools like HeaderGen and hybrid approaches such as HiTyper. These results suggest that, while LLMs hold promise in type inference, their limitations in call-graph analysis highlight the need for further research. Our study provides a foundation for integrating LLMs into static analysis workflows, offering insights into their strengths and current limitations.","lang":"eng"}],"user_id":"15249","department":[{"_id":"76"}],"_id":"62973","language":[{"iso":"eng"}],"issue":"6","citation":{"mla":"Shivarpatna Venkatesh, Ashwin Prasad, et al. “An Empirical Study of Large Language Models for Type and Call Graph Analysis in Python and JavaScript.” <i>Empirical Software Engineering</i>, vol. 30, no. 6, Springer, 2025, doi:<a href=\"https://doi.org/10.48550/ARXIV.2410.00603\">10.48550/ARXIV.2410.00603</a>.","short":"A.P. Shivarpatna Venkatesh, R. Sunil, S. Sabu, A.M. Mir, S. Reis, E. 
Bodden, Empirical Software Engineering 30 (2025).","bibtex":"@article{Shivarpatna Venkatesh_Sunil_Sabu_Mir_Reis_Bodden_2025, title={An Empirical Study of Large Language Models for Type and Call Graph Analysis in Python and JavaScript}, volume={30}, DOI={<a href=\"https://doi.org/10.48550/ARXIV.2410.00603\">10.48550/ARXIV.2410.00603</a>}, number={6}, journal={Empirical Software Engineering}, publisher={Springer}, author={Shivarpatna Venkatesh, Ashwin Prasad and Sunil, Rose and Sabu, Samkutty and Mir, Amir M. and Reis, Sofia and Bodden, Eric}, year={2025} }","apa":"Shivarpatna Venkatesh, A. P., Sunil, R., Sabu, S., Mir, A. M., Reis, S., &#38; Bodden, E. (2025). An Empirical Study of Large Language Models for Type and Call Graph Analysis in Python and JavaScript. <i>Empirical Software Engineering</i>, <i>30</i>(6). <a href=\"https://doi.org/10.48550/ARXIV.2410.00603\">https://doi.org/10.48550/ARXIV.2410.00603</a>","ama":"Shivarpatna Venkatesh AP, Sunil R, Sabu S, Mir AM, Reis S, Bodden E. An Empirical Study of Large Language Models for Type and Call Graph Analysis in Python and JavaScript. <i>Empirical Software Engineering</i>. 2025;30(6). doi:<a href=\"https://doi.org/10.48550/ARXIV.2410.00603\">10.48550/ARXIV.2410.00603</a>","chicago":"Shivarpatna Venkatesh, Ashwin Prasad, Rose Sunil, Samkutty Sabu, Amir M. Mir, Sofia Reis, and Eric Bodden. “An Empirical Study of Large Language Models for Type and Call Graph Analysis in Python and JavaScript.” <i>Empirical Software Engineering</i> 30, no. 6 (2025). <a href=\"https://doi.org/10.48550/ARXIV.2410.00603\">https://doi.org/10.48550/ARXIV.2410.00603</a>.","ieee":"A. P. Shivarpatna Venkatesh, R. Sunil, S. Sabu, A. M. Mir, S. Reis, and E. Bodden, “An Empirical Study of Large Language Models for Type and Call Graph Analysis in Python and JavaScript,” <i>Empirical Software Engineering</i>, vol. 30, no. 
6, 2025, doi: <a href=\"https://doi.org/10.48550/ARXIV.2410.00603\">10.48550/ARXIV.2410.00603</a>."},"intvolume":"        30","year":"2025","date_created":"2025-12-08T13:20:30Z","author":[{"id":"66637","full_name":"Shivarpatna Venkatesh, Ashwin Prasad","last_name":"Shivarpatna Venkatesh","first_name":"Ashwin Prasad"},{"first_name":"Rose","id":"97670","full_name":"Sunil, Rose","last_name":"Sunil"},{"last_name":"Sabu","full_name":"Sabu, Samkutty","first_name":"Samkutty"},{"full_name":"Mir, Amir M.","last_name":"Mir","first_name":"Amir M."},{"full_name":"Reis, Sofia","last_name":"Reis","first_name":"Sofia"},{"first_name":"Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","id":"59256","full_name":"Bodden, Eric"}],"volume":30,"publisher":"Springer","date_updated":"2025-12-08T13:25:49Z","doi":"10.48550/ARXIV.2410.00603","title":"An Empirical Study of Large Language Models for Type and Call Graph Analysis in Python and JavaScript"},{"citation":{"mla":"Khedkar, Mugdha, et al. “Visualizing Privacy-Relevant Data Flows in Android Applications.” <i>ArXiv:2503.16640</i>, 2025.","bibtex":"@article{Khedkar_Schlichtig_Mohan_Bodden_2025, title={Visualizing Privacy-Relevant Data Flows in Android Applications}, journal={arXiv:2503.16640}, author={Khedkar, Mugdha and Schlichtig, Michael and Mohan, Santhosh and Bodden, Eric}, year={2025} }","short":"M. Khedkar, M. Schlichtig, S. Mohan, E. Bodden, ArXiv:2503.16640 (2025).","apa":"Khedkar, M., Schlichtig, M., Mohan, S., &#38; Bodden, E. (2025). Visualizing Privacy-Relevant Data Flows in Android Applications. In <i>arXiv:2503.16640</i>.","ieee":"M. Khedkar, M. Schlichtig, S. Mohan, and E. Bodden, “Visualizing Privacy-Relevant Data Flows in Android Applications,” <i>arXiv:2503.16640</i>. 2025.","chicago":"Khedkar, Mugdha, Michael Schlichtig, Santhosh Mohan, and Eric Bodden. “Visualizing Privacy-Relevant Data Flows in Android Applications.” <i>ArXiv:2503.16640</i>, 2025.","ama":"Khedkar M, Schlichtig M, Mohan S, Bodden E. 
Visualizing Privacy-Relevant Data Flows in Android Applications. <i>arXiv:250316640</i>. Published online 2025."},"year":"2025","title":"Visualizing Privacy-Relevant Data Flows in Android Applications","date_created":"2026-03-16T17:39:12Z","author":[{"last_name":"Khedkar","full_name":"Khedkar, Mugdha","id":"88024","first_name":"Mugdha"},{"orcid":"0000-0001-6600-6171","last_name":"Schlichtig","id":"32312","full_name":"Schlichtig, Michael","first_name":"Michael"},{"first_name":"Santhosh","full_name":"Mohan, Santhosh","last_name":"Mohan"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256","full_name":"Bodden, Eric"}],"date_updated":"2026-03-16T17:40:56Z","status":"public","abstract":[{"text":"Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since in 2018 the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to integrate privacy-aware practices into source code development. Despite these legal obligations, developers have limited tool support to reason about data protection throughout their app development process.\r\n  This paper explores the use of static program slicing and software visualization to analyze privacy-relevant data flows in Android apps. We introduce SliceViz, a web tool that analyzes an Android app by slicing all privacy-relevant data sources detected in the source code on the back-end. It then helps developers by visualizing these privacy-relevant program slices.\r\n  We conducted a user study with 12 participants demonstrating that SliceViz effectively aids developers in identifying privacy-relevant properties in Android apps.\r\n  Our findings indicate that program slicing can be employed to identify and reason about privacy-relevant data flows in Android applications. 
With further usability improvements, developers can be better equipped to handle privacy-sensitive information.","lang":"eng"}],"type":"preprint","publication":"arXiv:2503.16640","language":[{"iso":"eng"}],"user_id":"32312","department":[{"_id":"76"}],"external_id":{"arxiv":["2503.16640"]},"_id":"65018"},{"type":"misc","abstract":[{"lang":"eng","text":"Context\r\nStatic analyses are well-established to aid in understanding bugs or vulnerabilities during the development process or in large-scale studies. A low false-positive rate is essential for the adaption in practice and for precise results of empirical studies. Unfortunately, static analyses tend to report where a vulnerability manifests rather than the fix location. This can cause presumed false positives or imprecise results.\r\nMethod\r\nTo address this problem, we designed an adaption of an existing static analysis algorithm that can distinguish between a manifestation and fix location, and reports error chains. An error chain represents at least two interconnected errors that occur successively, thus building the connection between the fix and manifestation location. We used our tool CogniCryptSUBS for a case study on 471 GitHub repositories, a performance benchmark to compare different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe found that 50 % of the projects with a report had at least one error chain. Our runtime benchmark demonstrated that our improvement caused only a minimal runtime overhead of less than 4 %. The results of our expert interview indicate that with our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur results indicate that error chains occur frequently in real-world projects, and ignoring them can lead to imprecise evaluation results. The runtime benchmark indicates that our tool is a feasible and efficient solution for detecting error chains in real-world projects. 
Further, our results gave a hint that the usability of static analyses may benefit from supporting error chains."}],"status":"public","_id":"52663","department":[{"_id":"76"}],"user_id":"32312","keyword":["Static analysis","error chains","false positive reduction","empirical studies"],"language":[{"iso":"eng"}],"year":"2024","citation":{"ieee":"A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden, <i>Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability</i>. 2024.","chicago":"Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter, Mira Mezini, and Eric Bodden. <i>Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability</i>, 2024.","ama":"Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. <i>Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability</i>.; 2024.","bibtex":"@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability}, author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }","short":"A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024.","mla":"Wickert, Anna-Katharina, et al. <i>Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability</i>. 2024.","apa":"Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., &#38; Bodden, E. (2024). 
<i>Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability</i>."},"date_updated":"2024-03-20T09:32:29Z","author":[{"full_name":"Wickert, Anna-Katharina","last_name":"Wickert","first_name":"Anna-Katharina"},{"first_name":"Michael","id":"32312","full_name":"Schlichtig, Michael","last_name":"Schlichtig","orcid":"0000-0001-6600-6171"},{"first_name":"Marvin","last_name":"Vogel","full_name":"Vogel, Marvin"},{"first_name":"Lukas","full_name":"Winter, Lukas","last_name":"Winter"},{"first_name":"Mira","full_name":"Mezini, Mira","last_name":"Mezini"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden"}],"date_created":"2024-03-20T09:28:36Z","title":"Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability","main_file_link":[{"url":"https://arxiv.org/abs/2403.07808"}]},{"language":[{"iso":"eng"}],"department":[{"_id":"76"}],"user_id":"15249","_id":"53938","status":"public","abstract":[{"lang":"eng","text":"Previous work has shown that one can often greatly speed up static analysis by computing data flows not for every edge in the program’s control-flow graph but instead only along definition-use chains. This yields a so-called sparse static analysis. Recent work on SparseDroid has shown that specifically taint analysis can be “sparsified” with extraordinary effectiveness because the taint state of one variable does not depend on those of others. This allows one to soundly omit more flow-function computations than in the general case. In this work, we now assess whether this result carries over to the more generic setting of so-called Interprocedural Distributive Environment (IDE) problems. Opposed to taint analysis, IDE comprises distributive problems with large or even infinitely broad domains, such as typestate analysis or linear constant propagation. 
Specifically, this paper presents Sparse IDE, a framework that realizes sparsification for any static analysis that fits the IDE framework. We implement Sparse IDE in SparseHeros, as an extension to the popular Heros IDE solver, and evaluate its performance on real-world Java libraries by comparing it to the baseline IDE algorithm. To this end, we design, implement and evaluate a linear constant propagation analysis client on top of SparseHeros. Our experiments show that, although IDE analyses can only be sparsified with respect to symbols and not (numeric) values, Sparse IDE can nonetheless yield significantly lower runtimes and often also memory consumptions compared to the original IDE."}],"publication":"Proceedings of the IEEE/ACM 46th International Conference on Software Engineering","type":"conference","doi":"10.1145/3597503.3639092","title":"Symbol-Specific Sparsification of Interprocedural Distributive Environment Problems","date_created":"2024-05-06T11:20:21Z","author":[{"full_name":"Karakaya, Kadiray","id":"70410","last_name":"Karakaya","orcid":"https://orcid.org/0000-0001-9266-2084","first_name":"Kadiray"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647"}],"date_updated":"2024-05-06T11:23:06Z","publisher":"ACM","citation":{"ama":"Karakaya K, Bodden E. Symbol-Specific Sparsification of Interprocedural Distributive Environment Problems. In: <i>Proceedings of the IEEE/ACM 46th International Conference on Software Engineering</i>. ACM; 2024. doi:<a href=\"https://doi.org/10.1145/3597503.3639092\">10.1145/3597503.3639092</a>","chicago":"Karakaya, Kadiray, and Eric Bodden. “Symbol-Specific Sparsification of Interprocedural Distributive Environment Problems.” In <i>Proceedings of the IEEE/ACM 46th International Conference on Software Engineering</i>. ACM, 2024. <a href=\"https://doi.org/10.1145/3597503.3639092\">https://doi.org/10.1145/3597503.3639092</a>.","ieee":"K. Karakaya and E. 
Bodden, “Symbol-Specific Sparsification of Interprocedural Distributive Environment Problems,” 2024, doi: <a href=\"https://doi.org/10.1145/3597503.3639092\">10.1145/3597503.3639092</a>.","apa":"Karakaya, K., &#38; Bodden, E. (2024). Symbol-Specific Sparsification of Interprocedural Distributive Environment Problems. <i>Proceedings of the IEEE/ACM 46th International Conference on Software Engineering</i>. <a href=\"https://doi.org/10.1145/3597503.3639092\">https://doi.org/10.1145/3597503.3639092</a>","bibtex":"@inproceedings{Karakaya_Bodden_2024, title={Symbol-Specific Sparsification of Interprocedural Distributive Environment Problems}, DOI={<a href=\"https://doi.org/10.1145/3597503.3639092\">10.1145/3597503.3639092</a>}, booktitle={Proceedings of the IEEE/ACM 46th International Conference on Software Engineering}, publisher={ACM}, author={Karakaya, Kadiray and Bodden, Eric}, year={2024} }","short":"K. Karakaya, E. Bodden, in: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, ACM, 2024.","mla":"Karakaya, Kadiray, and Eric Bodden. “Symbol-Specific Sparsification of Interprocedural Distributive Environment Problems.” <i>Proceedings of the IEEE/ACM 46th International Conference on Software Engineering</i>, ACM, 2024, doi:<a href=\"https://doi.org/10.1145/3597503.3639092\">10.1145/3597503.3639092</a>."},"year":"2024","publication_status":"published"},{"language":[{"iso":"eng"}],"_id":"53958","user_id":"15249","department":[{"_id":"76"},{"_id":"662"}],"abstract":[{"text":"To detect security vulnerabilities, static analysis tools need to be configured with security-relevant methods. Current approaches can automatically identify such methods using binary relevance machine learning approaches. However, they ignore dependencies among security-relevant methods, over-generalize and perform poorly in practice. Additionally, users have to nevertheless manually configure static analysis tools using the detected methods. 
Based on feedback from users and our observations, the excessive manual steps can often be tedious, error-prone and counter-intuitive.\r\n In this paper, we present Dev-Assist, an IntelliJ IDEA plugin that detects security-relevant methods using a multi-label machine learning approach that considers dependencies among labels. The plugin can automatically generate configurations for static analysis tools, run the static analysis, and show the results in IntelliJ IDEA. Our experiments reveal that Dev-Assist's machine learning approach has a higher F1-Measure than related approaches. Moreover, the plugin reduces and simplifies the manual effort required when configuring and using static analysis tools.","lang":"eng"}],"status":"public","type":"conference","publication":"Proceedings of the 46th International Conference on Software Engineering, IDE Workshop","title":"Detecting Security-Relevant Methods using Multi-label Machine Learning","doi":"10.48550/ARXIV.2403.07501","date_updated":"2024-05-06T11:47:14Z","author":[{"first_name":"Oshando","full_name":"Johnson, Oshando","id":"66583","last_name":"Johnson"},{"first_name":"Goran","full_name":"Piskachev, Goran","id":"41936","last_name":"Piskachev","orcid":"0000-0003-4424-5838"},{"first_name":"Ranjith","id":"78060","full_name":"Krishnamurthy, Ranjith","orcid":"0000-0002-0906-5463","last_name":"Krishnamurthy"},{"orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256","full_name":"Bodden, Eric","first_name":"Eric"}],"date_created":"2024-05-06T11:43:19Z","year":"2024","citation":{"ama":"Johnson O, Piskachev G, Krishnamurthy R, Bodden E. Detecting Security-Relevant Methods using Multi-label Machine Learning. In: <i>Proceedings of the 46th International Conference on Software Engineering, IDE Workshop</i>. ; 2024. doi:<a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">10.48550/ARXIV.2403.07501</a>","chicago":"Johnson, Oshando, Goran Piskachev, Ranjith Krishnamurthy, and Eric Bodden. 
“Detecting Security-Relevant Methods Using Multi-Label Machine Learning.” In <i>Proceedings of the 46th International Conference on Software Engineering, IDE Workshop</i>, 2024. <a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">https://doi.org/10.48550/ARXIV.2403.07501</a>.","ieee":"O. Johnson, G. Piskachev, R. Krishnamurthy, and E. Bodden, “Detecting Security-Relevant Methods using Multi-label Machine Learning,” 2024, doi: <a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">10.48550/ARXIV.2403.07501</a>.","mla":"Johnson, Oshando, et al. “Detecting Security-Relevant Methods Using Multi-Label Machine Learning.” <i>Proceedings of the 46th International Conference on Software Engineering, IDE Workshop</i>, 2024, doi:<a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">10.48550/ARXIV.2403.07501</a>.","short":"O. Johnson, G. Piskachev, R. Krishnamurthy, E. Bodden, in: Proceedings of the 46th International Conference on Software Engineering, IDE Workshop, 2024.","bibtex":"@inproceedings{Johnson_Piskachev_Krishnamurthy_Bodden_2024, title={Detecting Security-Relevant Methods using Multi-label Machine Learning}, DOI={<a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">10.48550/ARXIV.2403.07501</a>}, booktitle={Proceedings of the 46th International Conference on Software Engineering, IDE Workshop}, author={Johnson, Oshando and Piskachev, Goran and Krishnamurthy, Ranjith and Bodden, Eric}, year={2024} }","apa":"Johnson, O., Piskachev, G., Krishnamurthy, R., &#38; Bodden, E. (2024). Detecting Security-Relevant Methods using Multi-label Machine Learning. <i>Proceedings of the 46th International Conference on Software Engineering, IDE Workshop</i>. 
<a href=\"https://doi.org/10.48550/ARXIV.2403.07501\">https://doi.org/10.48550/ARXIV.2403.07501</a>"}},{"year":"2024","title":"TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference  Tools","date_created":"2024-05-06T11:49:22Z","publisher":"Association for Computing Machinery","abstract":[{"lang":"eng","text":"In light of the growing interest in type inference research for Python, both researchers and practitioners require a standardized process to assess the performance of various type inference techniques. This paper introduces TypeEvalPy, a comprehensive micro-benchmarking framework for evaluating type inference tools. TypeEvalPy contains 154 code snippets with 845 type annotations across 18 categories that target various Python features. The framework manages the execution of containerized tools, transforms inferred types into a standardized format, and produces meaningful metrics for assessment. Through our analysis, we compare the performance of six type inference tools, highlighting their strengths and limitations. Our findings provide a foundation for further research and optimization in the domain of Python type inference."}],"publication":"Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings","language":[{"iso":"eng"}],"external_id":{"arxiv":["2312.16882"]},"citation":{"short":"A.P. Shivarpatna Venkatesh, S. Sabu, J. Wang, A.M. Mir, L. Li, E. Bodden, in: Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings, Association for Computing Machinery, New York, NY, USA, 2024, pp. 
49–53.","bibtex":"@inproceedings{Shivarpatna Venkatesh_Sabu_Wang_Mir_Li_Bodden_2024, place={New York, NY, USA}, series={ICSE-Companion 24}, title={TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference  Tools}, DOI={<a href=\"https://doi.org/10.1145/3639478.3640033\">10.1145/3639478.3640033</a>}, booktitle={Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings}, publisher={Association for Computing Machinery}, author={Shivarpatna Venkatesh, Ashwin Prasad and Sabu, Samkutty and Wang, Jiawei and Mir, Amir M. and Li, Li and Bodden, Eric}, year={2024}, pages={49–53}, collection={ICSE-Companion 24} }","mla":"Shivarpatna Venkatesh, Ashwin Prasad, et al. “TypeEvalPy: A Micro-Benchmarking Framework for Python Type Inference  Tools.” <i>Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings</i>, Association for Computing Machinery, 2024, pp. 49–53, doi:<a href=\"https://doi.org/10.1145/3639478.3640033\">10.1145/3639478.3640033</a>.","apa":"Shivarpatna Venkatesh, A. P., Sabu, S., Wang, J., Mir, A. M., Li, L., &#38; Bodden, E. (2024). TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference  Tools. <i>Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings</i>, 49–53. <a href=\"https://doi.org/10.1145/3639478.3640033\">https://doi.org/10.1145/3639478.3640033</a>","ieee":"A. P. Shivarpatna Venkatesh, S. Sabu, J. Wang, A. M. Mir, L. Li, and E. Bodden, “TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference  Tools,” in <i>Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings</i>, Lisbon, Portugal, 2024, pp. 49–53, doi: <a href=\"https://doi.org/10.1145/3639478.3640033\">10.1145/3639478.3640033</a>.","chicago":"Shivarpatna Venkatesh, Ashwin Prasad, Samkutty Sabu, Jiawei Wang, Amir M. Mir, Li Li, and Eric Bodden. 
“TypeEvalPy: A Micro-Benchmarking Framework for Python Type Inference  Tools.” In <i>Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings</i>, 49–53. ICSE-Companion 24. New York, NY, USA: Association for Computing Machinery, 2024. <a href=\"https://doi.org/10.1145/3639478.3640033\">https://doi.org/10.1145/3639478.3640033</a>.","ama":"Shivarpatna Venkatesh AP, Sabu S, Wang J, Mir AM, Li L, Bodden E. TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference  Tools. In: <i>Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings</i>. ICSE-Companion 24. Association for Computing Machinery; 2024:49-53. doi:<a href=\"https://doi.org/10.1145/3639478.3640033\">10.1145/3639478.3640033</a>"},"page":"49-53","place":"New York, NY, USA","publication_identifier":{"isbn":["9798400705021"]},"doi":"10.1145/3639478.3640033","conference":{"location":"Lisbon, Portugal"},"author":[{"last_name":"Shivarpatna Venkatesh","full_name":"Shivarpatna Venkatesh, Ashwin Prasad","id":"66637","first_name":"Ashwin Prasad"},{"last_name":"Sabu","full_name":"Sabu, Samkutty","first_name":"Samkutty"},{"first_name":"Jiawei","last_name":"Wang","full_name":"Wang, Jiawei"},{"last_name":"Mir","full_name":"Mir, Amir M.","first_name":"Amir M."},{"last_name":"Li","full_name":"Li, Li","first_name":"Li"},{"last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","id":"59256","first_name":"Eric"}],"date_updated":"2024-08-05T07:49:33Z","status":"public","type":"conference","series_title":"ICSE-Companion 24","user_id":"15249","department":[{"_id":"76"}],"_id":"53959"},{"status":"public","publication":"Proceedings of the 2024 IEEE/ACM First International Conference on AI Foundation Models and Software Engineering","type":"conference","language":[{"iso":"eng"}],"department":[{"_id":"76"}],"user_id":"15249","_id":"55516","citation":{"chicago":"Shivarpatna Venkatesh, Ashwin Prasad, 
Samkutty Sabu, Amir M. Mir, Sofia Reis, and Eric Bodden. “The Emergence of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks.” In <i>Proceedings of the 2024 IEEE/ACM First International Conference on AI Foundation Models and Software Engineering</i>. ACM, 2024. <a href=\"https://doi.org/10.1145/3650105.3652288\">https://doi.org/10.1145/3650105.3652288</a>.","ieee":"A. P. Shivarpatna Venkatesh, S. Sabu, A. M. Mir, S. Reis, and E. Bodden, “The Emergence of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks,” 2024, doi: <a href=\"https://doi.org/10.1145/3650105.3652288\">10.1145/3650105.3652288</a>.","ama":"Shivarpatna Venkatesh AP, Sabu S, Mir AM, Reis S, Bodden E. The Emergence of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks. In: <i>Proceedings of the 2024 IEEE/ACM First International Conference on AI Foundation Models and Software Engineering</i>. ACM; 2024. doi:<a href=\"https://doi.org/10.1145/3650105.3652288\">10.1145/3650105.3652288</a>","apa":"Shivarpatna Venkatesh, A. P., Sabu, S., Mir, A. M., Reis, S., &#38; Bodden, E. (2024). The Emergence of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks. <i>Proceedings of the 2024 IEEE/ACM First International Conference on AI Foundation Models and Software Engineering</i>. <a href=\"https://doi.org/10.1145/3650105.3652288\">https://doi.org/10.1145/3650105.3652288</a>","bibtex":"@inproceedings{Shivarpatna Venkatesh_Sabu_Mir_Reis_Bodden_2024, title={The Emergence of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks}, DOI={<a href=\"https://doi.org/10.1145/3650105.3652288\">10.1145/3650105.3652288</a>}, booktitle={Proceedings of the 2024 IEEE/ACM First International Conference on AI Foundation Models and Software Engineering}, publisher={ACM}, author={Shivarpatna Venkatesh, Ashwin Prasad and Sabu, Samkutty and Mir, Amir M. 
and Reis, Sofia and Bodden, Eric}, year={2024} }","mla":"Shivarpatna Venkatesh, Ashwin Prasad, et al. “The Emergence of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks.” <i>Proceedings of the 2024 IEEE/ACM First International Conference on AI Foundation Models and Software Engineering</i>, ACM, 2024, doi:<a href=\"https://doi.org/10.1145/3650105.3652288\">10.1145/3650105.3652288</a>.","short":"A.P. Shivarpatna Venkatesh, S. Sabu, A.M. Mir, S. Reis, E. Bodden, in: Proceedings of the 2024 IEEE/ACM First International Conference on AI Foundation Models and Software Engineering, ACM, 2024."},"year":"2024","publication_status":"published","doi":"10.1145/3650105.3652288","title":"The Emergence of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks","author":[{"id":"66637","full_name":"Shivarpatna Venkatesh, Ashwin Prasad","last_name":"Shivarpatna Venkatesh","first_name":"Ashwin Prasad"},{"full_name":"Sabu, Samkutty","last_name":"Sabu","first_name":"Samkutty"},{"first_name":"Amir M.","full_name":"Mir, Amir M.","last_name":"Mir"},{"last_name":"Reis","full_name":"Reis, Sofia","first_name":"Sofia"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647"}],"date_created":"2024-08-05T09:12:59Z","date_updated":"2024-08-05T09:14:11Z","publisher":"ACM"},{"year":"2024","citation":{"ieee":"M. Böhme, E. Bodden, T. Bultan, C. Cadar, Y. Liu, and G. Scanniello, “Software Security Analysis in 2030 and Beyond: A Research Roadmap,” <i>ACM Transactions on Software Engineering and Methodology</i>, 2024, doi: <a href=\"https://doi.org/10.1145/3708533\">10.1145/3708533</a>.","chicago":"Böhme, Marcel, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, and Giuseppe Scanniello. “Software Security Analysis in 2030 and Beyond: A Research Roadmap.” <i>ACM Transactions on Software Engineering and Methodology</i>, 2024. 
<a href=\"https://doi.org/10.1145/3708533\">https://doi.org/10.1145/3708533</a>.","ama":"Böhme M, Bodden E, Bultan T, Cadar C, Liu Y, Scanniello G. Software Security Analysis in 2030 and Beyond: A Research Roadmap. <i>ACM Transactions on Software Engineering and Methodology</i>. Published online 2024. doi:<a href=\"https://doi.org/10.1145/3708533\">10.1145/3708533</a>","mla":"Böhme, Marcel, et al. “Software Security Analysis in 2030 and Beyond: A Research Roadmap.” <i>ACM Transactions on Software Engineering and Methodology</i>, Association for Computing Machinery (ACM), 2024, doi:<a href=\"https://doi.org/10.1145/3708533\">10.1145/3708533</a>.","bibtex":"@article{Böhme_Bodden_Bultan_Cadar_Liu_Scanniello_2024, title={Software Security Analysis in 2030 and Beyond: A Research Roadmap}, DOI={<a href=\"https://doi.org/10.1145/3708533\">10.1145/3708533</a>}, journal={ACM Transactions on Software Engineering and Methodology}, publisher={Association for Computing Machinery (ACM)}, author={Böhme, Marcel and Bodden, Eric and Bultan, Tevfik and Cadar, Cristian and Liu, Yang and Scanniello, Giuseppe}, year={2024} }","short":"M. Böhme, E. Bodden, T. Bultan, C. Cadar, Y. Liu, G. Scanniello, ACM Transactions on Software Engineering and Methodology (2024).","apa":"Böhme, M., Bodden, E., Bultan, T., Cadar, C., Liu, Y., &#38; Scanniello, G. (2024). Software Security Analysis in 2030 and Beyond: A Research Roadmap. <i>ACM Transactions on Software Engineering and Methodology</i>. 
<a href=\"https://doi.org/10.1145/3708533\">https://doi.org/10.1145/3708533</a>"},"publication_status":"published","publication_identifier":{"issn":["1049-331X","1557-7392"]},"title":"Software Security Analysis in 2030 and Beyond: A Research Roadmap","doi":"10.1145/3708533","date_updated":"2025-04-07T10:05:15Z","publisher":"Association for Computing Machinery (ACM)","date_created":"2025-04-07T10:04:48Z","author":[{"first_name":"Marcel","full_name":"Böhme, Marcel","last_name":"Böhme"},{"orcid":"0000-0003-3470-3647","last_name":"Bodden","full_name":"Bodden, Eric","id":"59256","first_name":"Eric"},{"full_name":"Bultan, Tevfik","last_name":"Bultan","first_name":"Tevfik"},{"full_name":"Cadar, Cristian","last_name":"Cadar","first_name":"Cristian"},{"first_name":"Yang","last_name":"Liu","full_name":"Liu, Yang"},{"last_name":"Scanniello","full_name":"Scanniello, Giuseppe","first_name":"Giuseppe"}],"abstract":[{"text":"<jats:p>As our lives, our businesses, and indeed our world economy become increasingly reliant on the secure operation of many interconnected software systems, the software engineering research community is faced with unprecedented research challenges, but also with exciting new opportunities. In this roadmap paper, we outline our vision of Software Security Analysis for the systems of the future. Given the recent advances in generative AI, we need new methods to assess and maximize the security of code co-written by machines. As our systems become increasingly heterogeneous, we need practical approaches that work even if some functions are automatically generated, e.g., by deep neural networks. As software systems depend evermore on the software supply chain, we need tools that scale to an entire ecosystem. What kind of vulnerabilities exist in future systems and how do we detect them? When all the shallow bugs are found, how do we discover vulnerabilities hidden deeply in the system? 
Assuming we cannot find all security flaws, how can we nevertheless protect our system? To answer these questions, we start our roadmap with a survey of recent advances in software security, then discuss open challenges and opportunities, and conclude with a long-term perspective for the field.</jats:p>","lang":"eng"}],"status":"public","type":"journal_article","publication":"ACM Transactions on Software Engineering and Methodology","language":[{"iso":"eng"}],"_id":"59411","user_id":"15249","department":[{"_id":"76"}]},{"status":"public","type":"conference","file_date_updated":"2024-03-03T14:39:08Z","user_id":"88024","department":[{"_id":"76"}],"_id":"52235","citation":{"bibtex":"@inproceedings{Khedkar_Bodden_2024, title={Toward an Android Static Analysis Approach for Data Protection}, DOI={<a href=\"https://doi.org/10.1145/3647632.3651389\">10.1145/3647632.3651389</a>}, booktitle={Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68.}, author={Khedkar, Mugdha and Bodden, Eric}, year={2024} }","mla":"Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” <i>Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68.</i>, 2024, doi:<a href=\"https://doi.org/10.1145/3647632.3651389\">10.1145/3647632.3651389</a>.","short":"M. Khedkar, E. Bodden, in: Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68., 2024.","apa":"Khedkar, M., &#38; Bodden, E. (2024). Toward an Android Static Analysis Approach for Data Protection. <i>Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). 
Association for Computing Machinery, New York, NY, USA, 65–68.</i> 11th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal. <a href=\"https://doi.org/10.1145/3647632.3651389\">https://doi.org/10.1145/3647632.3651389</a>","ama":"Khedkar M, Bodden E. Toward an Android Static Analysis Approach for Data Protection. In: <i>Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68.</i> ; 2024. doi:<a href=\"https://doi.org/10.1145/3647632.3651389\">10.1145/3647632.3651389</a>","ieee":"M. Khedkar and E. Bodden, “Toward an Android Static Analysis Approach for Data Protection,” presented at the 11th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal, 2024, doi: <a href=\"https://doi.org/10.1145/3647632.3651389\">10.1145/3647632.3651389</a>.","chicago":"Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” In <i>Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68.</i>, 2024. 
<a href=\"https://doi.org/10.1145/3647632.3651389\">https://doi.org/10.1145/3647632.3651389</a>."},"has_accepted_license":"1","conference":{"end_date":"2024-04-15","location":"Lisbon, Portugal","name":"11th International Conference on Mobile Software Engineering and Systems 2024","start_date":"2024-04-14"},"doi":"10.1145/3647632.3651389","author":[{"first_name":"Mugdha","last_name":"Khedkar","full_name":"Khedkar, Mugdha","id":"88024"},{"first_name":"Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","id":"59256"}],"date_updated":"2026-03-04T08:11:48Z","file":[{"file_size":530812,"access_level":"closed","file_name":"2402.07889v1.pdf","file_id":"52236","date_updated":"2024-03-03T14:39:08Z","creator":"khedkarm","date_created":"2024-03-03T14:39:08Z","success":1,"relation":"main_file","content_type":"application/pdf"}],"abstract":[{"text":"Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process.\r\nThis paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. 
This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis. ","lang":"eng"}],"publication":"Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft '24). Association for Computing Machinery, New York, NY, USA, 65–68.","language":[{"iso":"eng"}],"ddc":["006"],"keyword":["static program analysis","data protection and privacy","GDPR compliance"],"external_id":{"arxiv":["2402.07889"]},"year":"2024","title":"Toward an Android Static Analysis Approach for Data Protection","date_created":"2024-03-03T14:37:53Z"}]
