[{"_id":"52663","date_updated":"2024-03-20T09:32:29Z","year":"2024","type":"misc","citation":{"apa":"Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., & Bodden, E. (2024). Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.","ama":"Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.; 2024.","chicago":"Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter, Mira Mezini, and Eric Bodden. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024.","bibtex":"@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability}, author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }","mla":"Wickert, Anna-Katharina, et al. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 2024.","short":"A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024.","ieee":"A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 2024."},"language":[{"iso":"eng"}],"main_file_link":[{"url":"https://arxiv.org/abs/2403.07808"}],"title":"Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability","user_id":"32312","abstract":[{"text":"Context\r\nStatic analyses are well-established to aid in understanding bugs or vulnerabilities during the development process or in large-scale studies. 
A low false-positive rate is essential for the adoption in practice and for precise results of empirical studies. Unfortunately, static analyses tend to report where a vulnerability manifests rather than the fix location. This can cause presumed false positives or imprecise results.\r\nMethod\r\nTo address this problem, we designed an adaptation of an existing static analysis algorithm that can distinguish between a manifestation and a fix location and reports error chains. An error chain represents at least two interconnected errors that occur successively, thus building the connection between the fix and manifestation location. We used our tool CogniCryptSUBS for a case study on 471 GitHub repositories, a performance benchmark to compare different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe found that 50 % of the projects with a report had at least one error chain. Our runtime benchmark demonstrated that our improvement caused only a minimal runtime overhead of less than 4 %. The results of our expert interview indicate that with our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur results indicate that error chains occur frequently in real-world projects, and ignoring them can lead to imprecise evaluation results. The runtime benchmark indicates that our tool is a feasible and efficient solution for detecting error chains in real-world projects. 
Further, our results suggest that the usability of static analyses may benefit from supporting error chains.","lang":"eng"}],"status":"public","date_created":"2024-03-20T09:28:36Z","author":[{"full_name":"Wickert, Anna-Katharina","first_name":"Anna-Katharina","last_name":"Wickert"},{"last_name":"Schlichtig","id":"32312","first_name":"Michael","full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171"},{"full_name":"Vogel, Marvin","first_name":"Marvin","last_name":"Vogel"},{"first_name":"Lukas","full_name":"Winter, Lukas","last_name":"Winter"},{"full_name":"Mezini, Mira","first_name":"Mira","last_name":"Mezini"},{"last_name":"Bodden","id":"59256","first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric"}],"department":[{"_id":"76"}],"keyword":["Static analysis","error chains","false positive reduction","empirical studies"]},{"status":"public","has_accepted_license":"1","date_created":"2023-01-13T08:03:26Z","file":[{"access_level":"open_access","date_created":"2023-01-26T10:48:40Z","file_name":"2301.04419.pdf","content_type":"application/pdf","date_updated":"2023-01-26T10:48:40Z","relation":"main_file","file_size":1862440,"creator":"ashwin","file_id":"40304"}],"publisher":"IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering)","author":[{"first_name":"Ashwin Prasad","full_name":"Shivarpatna Venkatesh, Ashwin Prasad","last_name":"Shivarpatna Venkatesh","id":"66637"},{"last_name":"Wang","first_name":"Jiawei","full_name":"Wang, Jiawei"},{"last_name":"Li","full_name":"Li, Li","first_name":"Li"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"}],"file_date_updated":"2023-01-26T10:48:40Z","keyword":["static analysis","python","code comprehension","annotation","literate programming","jupyter notebook"],"user_id":"66637","ddc":["000"],"abstract":[{"lang":"eng","text":"Jupyter notebooks enable developers to interleave code snippets with rich-text 
and in-line visualizations. Data scientists use Jupyter notebooks as the de facto standard for creating and sharing machine-learning-based solutions, primarily written in Python. Recent studies have demonstrated, however, that a large portion of Jupyter notebooks available on public platforms are undocumented and lack a narrative structure. This reduces the readability of these notebooks. To address this shortcoming, this paper presents HeaderGen, a novel tool-based approach that automatically annotates code cells with categorical markdown headers based on a taxonomy of machine-learning operations, and classifies and displays function calls according to this taxonomy. For this functionality to be realized, HeaderGen enhances an existing call graph analysis in PyCG. To improve precision, HeaderGen extends PyCG's analysis with support for handling external library code and flow-sensitivity. The former is realized by facilitating the resolution of function return-types. Furthermore, HeaderGen uses type information to perform pattern matching on code syntax to annotate code cells.\r\nThe evaluation on 15 real-world Jupyter notebooks from Kaggle shows that HeaderGen's underlying call graph analysis yields high accuracy (96.4% precision and 95.9% recall). This is because HeaderGen can resolve return-types of external libraries where existing type inference tools such as pytype (by Google), pyright (by Microsoft), and Jedi fall short. The header generation has a precision of 82.2% and a recall rate of 96.8% with regard to headers created manually by experts. In a user study, HeaderGen helps participants finish comprehension and navigation tasks faster. All participants clearly perceive HeaderGen as useful to their task."}],"year":"2023","type":"conference","citation":{"mla":"Shivarpatna Venkatesh, Ashwin Prasad, et al. Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. 
IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering), 2023, doi:10.48550/ARXIV.2301.04419.","bibtex":"@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, DOI={10.48550/ARXIV.2301.04419}, publisher={IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering)}, author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei and Li, Li and Bodden, Eric}, year={2023} }","apa":"Shivarpatna Venkatesh, A. P., Wang, J., Li, L., & Bodden, E. (2023). Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering). https://doi.org/10.48550/ARXIV.2301.04419","ama":"Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering); 2023. doi:10.48550/ARXIV.2301.04419","chicago":"Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden. “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering), 2023. https://doi.org/10.48550/ARXIV.2301.04419.","ieee":"A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis,” presented at the IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering), 2023, doi: 10.48550/ARXIV.2301.04419.","short":"A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. 
Bodden, in: IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering), 2023."},"_id":"36522","conference":{"name":"IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering)"},"title":"Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis","language":[{"iso":"eng"}],"oa":"1","doi":"10.48550/ARXIV.2301.04419","date_updated":"2023-01-26T10:50:42Z"},{"department":[{"_id":"76"}],"publication_status":"accepted","external_id":{"arxiv":["2303.09606"]},"title":"Static Analysis for Android GDPR Compliance Assurance","language":[{"iso":"eng"}],"date_updated":"2024-03-03T14:45:09Z","doi":"10.1109/ICSE-Companion58688.2023.00054","file":[{"content_type":"application/pdf","date_updated":"2023-04-24T12:15:27Z","success":1,"relation":"main_file","file_size":85313,"file_id":"44147","creator":"khedkarm","access_level":"closed","file_name":"2023047614.pdf","date_created":"2023-04-24T12:15:27Z"}],"author":[{"last_name":"Khedkar","id":"88024","first_name":"Mugdha","full_name":"Khedkar, Mugdha"}],"publication":"Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23)","keyword":["static analysis","data protection and privacy","GDPR compliance"],"file_date_updated":"2023-04-24T12:15:27Z","has_accepted_license":"1","status":"public","date_created":"2023-04-24T12:14:17Z","abstract":[{"text":"Many Android applications collect data from users. When they do, they must\r\nprotect this collected data according to the current legal frameworks. Such\r\ndata protection has become even more important since the European Union rolled\r\nout the General Data Protection Regulation (GDPR). App developers have limited\r\ntool support to reason about data protection throughout their app development\r\nprocess. 
Although many Android applications state a privacy policy, privacy\r\npolicy compliance checks are currently manual, expensive, and prone to error.\r\nOne of the major challenges in privacy audits is the significant gap between\r\nlegal privacy statements (in English text) and technical measures that Android\r\napps use to protect their users' privacy. In this thesis, we will explore to\r\nwhat extent we can use static analysis to answer important questions regarding\r\ndata protection. Our main goal is to design a tool-based approach that aids app\r\ndevelopers and auditors in ensuring data protection in Android applications,\r\nbased on automated static program analysis.","lang":"eng"}],"user_id":"88024","ddc":["004"],"type":"conference","year":"2023","citation":{"mla":"Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.” Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23), doi:10.1109/ICSE-Companion58688.2023.00054.","bibtex":"@inproceedings{Khedkar, title={Static Analysis for Android GDPR Compliance Assurance}, DOI={10.1109/ICSE-Companion58688.2023.00054}, booktitle={Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23)}, author={Khedkar, Mugdha} }","apa":"Khedkar, M. (n.d.). Static Analysis for Android GDPR Compliance Assurance. Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23). https://doi.org/10.1109/ICSE-Companion58688.2023.00054","ama":"Khedkar M. Static Analysis for Android GDPR Compliance Assurance. In: Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23). doi:10.1109/ICSE-Companion58688.2023.00054","chicago":"Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.” In Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23), n.d. 
https://doi.org/10.1109/ICSE-Companion58688.2023.00054.","ieee":"M. Khedkar, “Static Analysis for Android GDPR Compliance Assurance,” doi: 10.1109/ICSE-Companion58688.2023.00054.","short":"M. Khedkar, in: Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23), n.d."},"_id":"44146"},{"title":"Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale","user_id":"32312","place":"Bonn","abstract":[{"text":"Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research emphasizes technical challenges of such tools but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and user dissatisfaction may even lead to tool abandonment. To comprehensively assess the state of the art, we present the first systematic usability evaluation of a wide range of static analysis tools. We derived a set of 36 relevant criteria from the literature and used them to evaluate a total of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. The evaluation against the usability criteria in a multiple-raters approach shows that two-thirds of the considered tools offer poor warning messages, while about three-quarters provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used, for instance, to improve handling of false positives. Finally, issues regarding workflow integration and specialized user interfaces are revealed. 
These findings should prove useful in guiding and focusing further research and development in user experience for static code analyses.","lang":"eng"}],"publication_identifier":{"isbn":["978-3-88579-726-5"]},"status":"public","date_created":"2024-03-20T09:26:29Z","author":[{"first_name":"Marcus","full_name":"Nachtigall, Marcus","last_name":"Nachtigall","id":"41213"},{"id":"32312","last_name":"Schlichtig","orcid":"0000-0001-6600-6171","full_name":"Schlichtig, Michael","first_name":"Michael"},{"id":"59256","last_name":"Bodden","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"publisher":"Gesellschaft für Informatik e.V.","publication":"Software Engineering 2023","keyword":["Automated static analysis","Software usability"],"department":[{"_id":"76"}],"date_updated":"2024-03-20T09:27:41Z","_id":"52662","type":"book_chapter","year":"2023","citation":{"ieee":"M. Nachtigall, M. Schlichtig, and E. Bodden, “Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale,” in Software Engineering 2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 95–96.","short":"M. Nachtigall, M. Schlichtig, E. Bodden, in: Software Engineering 2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 95–96.","bibtex":"@inbook{Nachtigall_Schlichtig_Bodden_2023, place={Bonn}, title={Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale}, booktitle={Software Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric}, year={2023}, pages={95–96} }","mla":"Nachtigall, Marcus, et al. “Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” Software Engineering 2023, Gesellschaft für Informatik e.V., 2023, pp. 95–96.","apa":"Nachtigall, M., Schlichtig, M., & Bodden, E. (2023). Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale. In Software Engineering 2023 (pp. 95–96). 
Gesellschaft für Informatik e.V.","ama":"Nachtigall M, Schlichtig M, Bodden E. Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale. In: Software Engineering 2023. Gesellschaft für Informatik e.V.; 2023:95–96.","chicago":"Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” In Software Engineering 2023, 95–96. Bonn: Gesellschaft für Informatik e.V., 2023."},"page":"95–96","language":[{"iso":"eng"}],"main_file_link":[{"url":"https://dl.gi.de/items/5afe477f-2f6a-4b3d-b391-f024baf0b7a5"}]},{"title":"Introducing FUM: A Framework for API Usage Constraint and Misuse Classification","user_id":"32312","place":"Bonn","abstract":[{"text":"Application Programming Interfaces (APIs) are the primary mechanism developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and how they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions for API misuses and related terms in literature vary. This paper presents a systematic literature review to clarify these terms and introduces FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To address this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector’s capabilities, we performed a case study on the state-of-the-art misuse detection tool CogniCrypt. 
The study showed that FUM can be used to properly assess CogniCrypt’s capabilities, identify weaknesses and assist in deriving mitigations and improvements.","lang":"eng"}],"publication_identifier":{"isbn":["978-3-88579-726-5"]},"status":"public","date_created":"2024-03-20T09:22:27Z","publisher":"Gesellschaft für Informatik e.V.","author":[{"last_name":"Schlichtig","id":"32312","first_name":"Michael","full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171"},{"last_name":"Sassalla","full_name":"Sassalla, Steffen","first_name":"Steffen"},{"full_name":"Narasimhan, Krishna","first_name":"Krishna","last_name":"Narasimhan"},{"last_name":"Bodden","id":"59256","first_name":"Eric","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647"}],"publication":"Software Engineering 2023","keyword":["API misuses","API usage constraints","classification framework","API misuse detection","static analysis"],"department":[{"_id":"76"}],"date_updated":"2024-03-20T09:25:46Z","_id":"52660","type":"book_chapter","citation":{"mla":"Schlichtig, Michael, et al. “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.” Software Engineering 2023, Gesellschaft für Informatik e.V., 2023, pp. 105–106.","bibtex":"@inbook{Schlichtig_Sassalla_Narasimhan_Bodden_2023, place={Bonn}, title={Introducing FUM: A Framework for API Usage Constraint and Misuse Classification}, booktitle={Software Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2023}, pages={105–106} }","chicago":"Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden. “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.” In Software Engineering 2023, 105–106. Bonn: Gesellschaft für Informatik e.V., 2023.","ama":"Schlichtig M, Sassalla S, Narasimhan K, Bodden E. Introducing FUM: A Framework for API Usage Constraint and Misuse Classification. 
In: Software Engineering 2023. Gesellschaft für Informatik e.V.; 2023:105–106.","apa":"Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2023). Introducing FUM: A Framework for API Usage Constraint and Misuse Classification. In Software Engineering 2023 (pp. 105–106). Gesellschaft für Informatik e.V.","ieee":"M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification,” in Software Engineering 2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 105–106.","short":"M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: Software Engineering 2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 105–106."},"year":"2023","page":"105–106","language":[{"iso":"eng"}],"main_file_link":[{"url":"https://dl.gi.de/items/c4825557-cf3d-4038-933a-d8f95fd324a2"}]},{"abstract":[{"lang":"eng","text":"Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. Method: We propose an approach where we derive the benchmark generation methodology from the literature which consists of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. 
Based on our methodology we design CamBench, a fair \"Cryptographic API Misuse Detection Tool Benchmark Suite\". We will implement the first version of CamBench limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain."}],"related_material":{"link":[{"url":"https://arxiv.org/abs/2204.06447","relation":"confirmation"}]},"user_id":"32312","title":"CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite","author":[{"orcid":"0000-0001-6600-6171","full_name":"Schlichtig, Michael","first_name":"Michael","id":"32312","last_name":"Schlichtig"},{"first_name":"Anna-Katharina","full_name":"Wickert, Anna-Katharina","last_name":"Wickert"},{"last_name":"Krüger","full_name":"Krüger, Stefan","first_name":"Stefan"},{"full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric","id":"59256","last_name":"Bodden"},{"first_name":"Mira","full_name":"Mezini, Mira","last_name":"Mezini"}],"department":[{"_id":"76"}],"keyword":["cryptography","benchmark","API misuse","static analysis"],"status":"public","date_created":"2022-07-25T07:56:59Z","_id":"32409","date_updated":"2022-07-25T10:23:44Z","doi":"10.48550/ARXIV.2204.06447","language":[{"iso":"eng"}],"type":"misc","year":"2022","citation":{"mla":"Schlichtig, Michael, et al. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022, doi:10.48550/ARXIV.2204.06447.","bibtex":"@book{Schlichtig_Wickert_Krüger_Bodden_Mezini_2022, title={CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite}, DOI={10.48550/ARXIV.2204.06447}, author={Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and Bodden, Eric and Mezini, Mira}, year={2022} }","apa":"Schlichtig, M., Wickert, A.-K., Krüger, S., Bodden, E., & Mezini, M. (2022). CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 
https://doi.org/10.48550/ARXIV.2204.06447","ama":"Schlichtig M, Wickert A-K, Krüger S, Bodden E, Mezini M. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite.; 2022. doi:10.48550/ARXIV.2204.06447","chicago":"Schlichtig, Michael, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden, and Mira Mezini. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite, 2022. https://doi.org/10.48550/ARXIV.2204.06447.","ieee":"M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, and M. Mezini, CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022.","short":"M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, M. Mezini, CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite, 2022."}},{"doi":"10.1145/3533767","date_updated":"2022-07-26T11:42:23Z","language":[{"iso":"eng"}],"related_material":{"link":[{"url":"https://dl.acm.org/doi/10.1145/3533767.3534374","relation":"confirmation"}]},"title":"A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools","publication_status":"published","publication_identifier":{"isbn":["9781450393799"]},"department":[{"_id":"76"}],"_id":"32410","year":"2022","type":"conference","citation":{"short":"M. Nachtigall, M. Schlichtig, E. Bodden, in: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–543.","ieee":"M. Nachtigall, M. Schlichtig, and E. Bodden, “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools,” in Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 2022, pp. 532–543, doi: 10.1145/3533767.","chicago":"Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools.” In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 532–43. ACM, 2022. https://doi.org/10.1145/3533767.","ama":"Nachtigall M, Schlichtig M, Bodden E. 
A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM; 2022:532-543. doi:10.1145/3533767","apa":"Nachtigall, M., Schlichtig, M., & Bodden, E. (2022). A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 532–543. https://doi.org/10.1145/3533767","mla":"Nachtigall, Marcus, et al. “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools.” Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–43, doi:10.1145/3533767.","bibtex":"@inproceedings{Nachtigall_Schlichtig_Bodden_2022, title={A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools}, DOI={10.1145/3533767}, booktitle={Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis}, publisher={ACM}, author={Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric}, year={2022}, pages={532–543} }"},"page":"532 - 543","user_id":"32312","abstract":[{"lang":"eng","text":"Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment.\r\nTo comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation in a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. 
Then, we evaluated how well these tools fulfill the aforementioned criteria.\r\nThe evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for improved handling of false positives and tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are revealed.\r\nThese findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses."}],"status":"public","date_created":"2022-07-25T08:02:36Z","publisher":"ACM","author":[{"full_name":"Nachtigall, Marcus","first_name":"Marcus","id":"41213","last_name":"Nachtigall"},{"first_name":"Michael","orcid":"0000-0001-6600-6171","full_name":"Schlichtig, Michael","last_name":"Schlichtig","id":"32312"},{"last_name":"Bodden","id":"59256","first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric"}],"quality_controlled":"1","keyword":["Automated static analysis","Software usability"],"publication":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis"},{"abstract":[{"lang":"eng","text":"Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and for what reasons they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions and nominations for API misuses and related terms in literature vary and are diverse. 
This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements. It also appears that, more generally, FUM can aid the development and improvement of misuse detection tools."}],"related_material":{"link":[{"relation":"confirmation","url":"https://ieeexplore.ieee.org/document/9825763"}]},"user_id":"32312","title":"FUM - A Framework for API Usage constraint and Misuse Classification","publication":"2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","department":[{"_id":"76"}],"keyword":["API misuses","API usage constraints","classification framework","API misuse detection","static analysis"],"quality_controlled":"1","author":[{"orcid":"0000-0001-6600-6171","full_name":"Schlichtig, Michael","first_name":"Michael","id":"32312","last_name":"Schlichtig"},{"last_name":"Sassalla","first_name":"Steffen","full_name":"Sassalla, Steffen"},{"full_name":"Narasimhan, Krishna","first_name":"Krishna","last_name":"Narasimhan"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, 
Eric","first_name":"Eric"}],"date_created":"2022-05-09T13:04:10Z","status":"public","date_updated":"2022-07-26T11:42:30Z","_id":"31133","doi":"10.1109/SANER53432.2022.00085","language":[{"iso":"eng"}],"page":"673 - 684","citation":{"short":"M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–684.","ieee":"M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “FUM - A Framework for API Usage constraint and Misuse Classification,” in 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–684, doi: 10.1109/SANER53432.2022.00085.","ama":"Schlichtig M, Sassalla S, Narasimhan K, Bodden E. FUM - A Framework for API Usage constraint and Misuse Classification. In: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER); 2022:673-684. doi:10.1109/SANER53432.2022.00085","apa":"Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2022). FUM - A Framework for API Usage constraint and Misuse Classification. 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 673–684. https://doi.org/10.1109/SANER53432.2022.00085","chicago":"Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden. “FUM - A Framework for API Usage Constraint and Misuse Classification.” In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 673–84, 2022. https://doi.org/10.1109/SANER53432.2022.00085.","mla":"Schlichtig, Michael, et al. “FUM - A Framework for API Usage Constraint and Misuse Classification.” 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 
673–84, doi:10.1109/SANER53432.2022.00085.","bibtex":"@inproceedings{Schlichtig_Sassalla_Narasimhan_Bodden_2022, title={FUM - A Framework for API Usage constraint and Misuse Classification}, DOI={10.1109/SANER53432.2022.00085}, booktitle={2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2022}, pages={673–684} }"},"type":"conference","year":"2022"},{"date_updated":"2022-11-17T14:22:38Z","doi":"10.1007/s10515-022-00333-1","oa":"1","language":[{"iso":"eng"}],"title":"Static data-flow analysis for software product lines in C","department":[{"_id":"76"}],"publication_status":"published","publication_identifier":{"issn":["0928-8910","1573-7535"]},"project":[{"name":"SFB 901 - B4: SFB 901 - Subproject B4","_id":"12"},{"name":"SFB 901 - B: SFB 901 - Project Area B","_id":"3"},{"name":"SFB 901: SFB 901","_id":"1"}],"_id":"30511","intvolume":" 29","article_number":"35","issue":"1","main_file_link":[{"url":"https://link.springer.com/article/10.1007/s10515-022-00333-1","open_access":"1"}],"type":"journal_article","citation":{"ieee":"P. Schubert et al., “Static data-flow analysis for software product lines in C,” Automated Software Engineering, vol. 29, no. 1, Art. no. 35, 2022, doi: 10.1007/s10515-022-00333-1.","short":"P. Schubert, P. Gazzillo, Z. Patterson, J. Braha, F. Schiebel, B. Hermann, S. Wei, E. Bodden, Automated Software Engineering 29 (2022).","mla":"Schubert, Philipp, et al. “Static Data-Flow Analysis for Software Product Lines in C.” Automated Software Engineering, vol. 29, no. 
1, 35, Springer Science and Business Media LLC, 2022, doi:10.1007/s10515-022-00333-1.","bibtex":"@article{Schubert_Gazzillo_Patterson_Braha_Schiebel_Hermann_Wei_Bodden_2022, title={Static data-flow analysis for software product lines in C}, volume={29}, DOI={10.1007/s10515-022-00333-1}, number={135}, journal={Automated Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Schubert, Philipp and Gazzillo, Paul and Patterson, Zach and Braha, Julian and Schiebel, Fabian and Hermann, Ben and Wei, Shiyi and Bodden, Eric}, year={2022} }","ama":"Schubert P, Gazzillo P, Patterson Z, et al. Static data-flow analysis for software product lines in C. Automated Software Engineering. 2022;29(1). doi:10.1007/s10515-022-00333-1","apa":"Schubert, P., Gazzillo, P., Patterson, Z., Braha, J., Schiebel, F., Hermann, B., Wei, S., & Bodden, E. (2022). Static data-flow analysis for software product lines in C. Automated Software Engineering, 29(1), Article 35. https://doi.org/10.1007/s10515-022-00333-1","chicago":"Schubert, Philipp, Paul Gazzillo, Zach Patterson, Julian Braha, Fabian Schiebel, Ben Hermann, Shiyi Wei, and Eric Bodden. “Static Data-Flow Analysis for Software Product Lines in C.” Automated Software Engineering 29, no. 1 (2022). https://doi.org/10.1007/s10515-022-00333-1."},"year":"2022","abstract":[{"text":"AbstractMany critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. 
Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer ’s analysis results are annotated with feature constraints that encode in which configurations each result holds. Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems.","lang":"eng"}],"article_type":"original","user_id":"477","keyword":["inter-procedural static analysis","software product lines","preprocessor","LLVM","C/C++"],"publication":"Automated Software Engineering","author":[{"last_name":"Schubert","id":"60543","first_name":"Philipp","orcid":"0000-0002-8674-1859","full_name":"Schubert, Philipp"},{"first_name":"Paul","full_name":"Gazzillo, Paul","last_name":"Gazzillo"},{"last_name":"Patterson","full_name":"Patterson, Zach","first_name":"Zach"},{"full_name":"Braha, Julian","first_name":"Julian","last_name":"Braha"},{"full_name":"Schiebel, Fabian","first_name":"Fabian","last_name":"Schiebel"},{"full_name":"Hermann, Ben","orcid":"0000-0001-9848-2017","first_name":"Ben","id":"66173","last_name":"Hermann"},{"first_name":"Shiyi","full_name":"Wei, Shiyi","last_name":"Wei"},{"id":"59256","last_name":"Bodden","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"publisher":"Springer Science and Business Media 
LLC","volume":29,"alternative_title":["Revoking the preprocessor’s special role"],"date_created":"2022-03-25T07:41:26Z","status":"public"},{"abstract":[{"lang":"eng","text":"As one of the most popular programming languages, PYTHON has become a relevant target language for static analysis tools. The primary data structure for performing an inter-procedural static analysis is call-graph (CG), which links call sites to potential call targets in a program. There exists multiple algorithms for constructing callgraphs, tailored to specific languages. However, comparatively few implementations target PYTHON. Moreover, there is still lack of empirical evidence as to how these few algorithms perform in terms of precision and recall. This paper thus presents EVAL_CG, an extensible framework for comparative analysis of Python call-graphs. We conducted two experiments which run the CG algorithms on different Python programming constructs and real-world applications. In both experiments, we evaluate three CG generation frameworks namely, Code2flow, Pyan, and Wala. We record precision, recall, and running time, and identify sources of unsoundness of each framework. Our evaluation shows that none of the current CG construction frameworks produce a sound CG. Moreover, the static CGs contain many spurious edges. Code2flow is also comparatively slow. 
Hence, further research is needed to support CG generation for Python programs."}],"title":"Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON","user_id":"72582","author":[{"full_name":"Kummita, Sriteja","first_name":"Sriteja","id":"72582","last_name":"Kummita"},{"last_name":"Piskachev","id":"41936","first_name":"Goran","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838"},{"full_name":"Spaeth, Johannes","first_name":"Johannes","last_name":"Spaeth"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"}],"publication":"Proceedings of the 2021 International Conference on Code Quality (ICCQ)","keyword":["Static Analysis","Callgraph Analysis","Python","Qualitative Analysis","Quantitative Analysis","Empirical Evaluation"],"publication_status":"published","publication_identifier":{"isbn":["978-1-7281-8477-7"]},"status":"public","date_created":"2021-08-12T14:00:54Z","date_updated":"2022-01-06T06:55:52Z","_id":"23388","conference":{"name":"International Conference on Code Quality (ICCQ)","start_date":"2021-03-27","location":"Virtual"},"doi":"10.1109/ICCQ51190.2021.9392986","main_file_link":[{"url":"https://ieeexplore.ieee.org/document/9392986"}],"citation":{"mla":"Kummita, Sriteja, et al. “Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON.” Proceedings of the 2021 International Conference on Code Quality (ICCQ), 2021, doi:10.1109/ICCQ51190.2021.9392986.","bibtex":"@inproceedings{Kummita_Piskachev_Spaeth_Bodden_2021, title={Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON}, DOI={10.1109/ICCQ51190.2021.9392986}, booktitle={Proceedings of the 2021 International Conference on Code Quality (ICCQ)}, author={Kummita, Sriteja and Piskachev, Goran and Spaeth, Johannes and Bodden, Eric}, year={2021} }","apa":"Kummita, S., Piskachev, G., Spaeth, J., & Bodden, E. (2021). Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON. 
In Proceedings of the 2021 International Conference on Code Quality (ICCQ). Virtual. https://doi.org/10.1109/ICCQ51190.2021.9392986","ama":"Kummita S, Piskachev G, Spaeth J, Bodden E. Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON. In: Proceedings of the 2021 International Conference on Code Quality (ICCQ). ; 2021. doi:10.1109/ICCQ51190.2021.9392986","chicago":"Kummita, Sriteja, Goran Piskachev, Johannes Spaeth, and Eric Bodden. “Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON.” In Proceedings of the 2021 International Conference on Code Quality (ICCQ), 2021. https://doi.org/10.1109/ICCQ51190.2021.9392986.","ieee":"S. Kummita, G. Piskachev, J. Spaeth, and E. Bodden, “Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON,” in Proceedings of the 2021 International Conference on Code Quality (ICCQ), Virtual, 2021.","short":"S. Kummita, G. Piskachev, J. Spaeth, E. Bodden, in: Proceedings of the 2021 International Conference on Code Quality (ICCQ), 2021."},"type":"conference","year":"2021","language":[{"iso":"eng"}]},{"language":[{"iso":"eng"}],"page":"1-1","year":"2019","citation":{"short":"S. Krüger, J. Späth, K. Ali, E. Bodden, M. Mezini, IEEE Transactions on Software Engineering (2019) 1–1.","ieee":"S. Krüger, J. Späth, K. Ali, E. Bodden, and M. Mezini, “CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs,” IEEE Transactions on Software Engineering, pp. 1–1, 2019, doi: 10.1109/TSE.2019.2948910.","ama":"Krüger S, Späth J, Ali K, Bodden E, Mezini M. CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs. IEEE Transactions on Software Engineering. Published online 2019:1-1. doi:10.1109/TSE.2019.2948910","apa":"Krüger, S., Späth, J., Ali, K., Bodden, E., & Mezini, M. (2019). CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs. IEEE Transactions on Software Engineering, 1–1. 
https://doi.org/10.1109/TSE.2019.2948910","chicago":"Krüger, Stefan, Johannes Späth, Karim Ali, Eric Bodden, and Mira Mezini. “CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs.” IEEE Transactions on Software Engineering, 2019, 1–1. https://doi.org/10.1109/TSE.2019.2948910.","mla":"Krüger, Stefan, et al. “CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs.” IEEE Transactions on Software Engineering, 2019, pp. 1–1, doi:10.1109/TSE.2019.2948910.","bibtex":"@article{Krüger_Späth_Ali_Bodden_Mezini_2019, title={CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs}, DOI={10.1109/TSE.2019.2948910}, journal={IEEE Transactions on Software Engineering}, author={Krüger, Stefan and Späth, Johannes and Ali, Karim and Bodden, Eric and Mezini, Mira}, year={2019}, pages={1–1} }"},"type":"journal_article","main_file_link":[{"url":"http://www.bodden.de/pubs/tse19CrySL.pdf"}],"doi":"10.1109/TSE.2019.2948910","_id":"20533","date_updated":"2022-01-06T06:54:29Z","date_created":"2020-11-27T10:48:38Z","status":"public","publication_identifier":{"issn":["2326-3881"]},"publication":"IEEE Transactions on Software Engineering","department":[{"_id":"76"}],"keyword":["Java","Encryption","Static analysis","Tools","Ciphers","Semantics","cryptography","domain-specific language","static analysis"],"author":[{"full_name":"Krüger, Stefan","first_name":"Stefan","last_name":"Krüger"},{"first_name":"Johannes","full_name":"Späth, Johannes","last_name":"Späth"},{"full_name":"Ali, Karim","first_name":"Karim","last_name":"Ali"},{"id":"59256","last_name":"Bodden","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric"},{"last_name":"Mezini","full_name":"Mezini, Mira","first_name":"Mira"}],"user_id":"5786","title":"CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs"},{"year":"2019","type":"report","citation":{"mla":"Kummita, Sriteja, and Goran Piskachev. 
Integration of the Static Analysis Results Interchange Format in CogniCrypt. 2019.","bibtex":"@book{Kummita_Piskachev_2019, title={Integration of the Static Analysis Results Interchange Format in CogniCrypt}, author={Kummita, Sriteja and Piskachev, Goran}, year={2019} }","apa":"Kummita, S., & Piskachev, G. (2019). Integration of the Static Analysis Results Interchange Format in CogniCrypt.","ama":"Kummita S, Piskachev G. Integration of the Static Analysis Results Interchange Format in CogniCrypt.; 2019.","chicago":"Kummita, Sriteja, and Goran Piskachev. Integration of the Static Analysis Results Interchange Format in CogniCrypt, 2019.","ieee":"S. Kummita and G. Piskachev, Integration of the Static Analysis Results Interchange Format in CogniCrypt. 2019.","short":"S. Kummita, G. Piskachev, Integration of the Static Analysis Results Interchange Format in CogniCrypt, 2019."},"language":[{"iso":"eng"}],"main_file_link":[{"url":"https://arxiv.org/abs/1907.02558"}],"_id":"23389","date_updated":"2022-01-06T06:55:52Z","status":"public","date_created":"2021-08-12T14:04:46Z","author":[{"full_name":"Kummita, Sriteja","first_name":"Sriteja","id":"72582","last_name":"Kummita"},{"last_name":"Piskachev","id":"41936","first_name":"Goran","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838"}],"keyword":["Static Analysis","Static Analysis Results Interchange Format","SARIF","Static Analysis Server Protocol","SASP"],"title":"Integration of the Static Analysis Results Interchange Format in CogniCrypt","user_id":"72582","extern":"1","abstract":[{"lang":"eng","text":"Background - Software companies increasingly rely on static analysis tools to detect potential bugs and security vulnerabilities in their software products. In the past decade, more and more commercial and open-source static analysis tools have been developed and are maintained. 
Each tool comes with its own reporting format, preventing an easy integration of multiple analysis tools in a single interface, such as the Static Analysis Server Protocol (SASP). In 2017, a collaborative effort in industry, including Microsoft and GrammaTech, has proposed the Static Analysis Results Interchange Format (SARIF) to address this issue. SARIF is a standardized format in which static analysis warnings can be encoded, to allow the import and export of analysis reports between different tools.\r\nPurpose - This paper explains the SARIF format through examples and presents a proof of concept of the connector that allows the static analysis tool CogniCrypt to generate and export its results in SARIF format.\r\nDesign/Approach - We conduct a cross-sectional study between the SARIF format and CogniCrypt's output format before detailing the implementation of the connector. The study aims to find the components of interest in CogniCrypt that the SARIF export module can complete.\r\nOriginality/Value - The integration of SARIF into CogniCrypt described in this paper can be reused to integrate SARIF into other static analysis tools.\r\nConclusion - After detailing the SARIF format, we present an initial implementation to integrate SARIF into CogniCrypt. After taking advantage of all the features provided by SARIF, CogniCrypt will be able to support SASP."}]},{"date_updated":"2022-01-06T06:54:29Z","_id":"20543","doi":"10.1109/TSE.2018.2868349","main_file_link":[{"url":"http://www.bodden.de/pubs/tse18debugging.pdf"}],"citation":{"short":"L. Nguyen Quang Do, S. Krüger, P. Hill, K. Ali, E. Bodden, IEEE Transactions on Software Engineering (2018) 1–1.","ieee":"L. Nguyen Quang Do, S. Krüger, P. Hill, K. Ali, and E. Bodden, “Debugging Static Analysis,” IEEE Transactions on Software Engineering, pp. 1–1, 2018, doi: 10.1109/TSE.2018.2868349.","chicago":"Nguyen Quang Do, Lisa, Stefan Krüger, Patrick Hill, Karim Ali, and Eric Bodden. 
“Debugging Static Analysis.” IEEE Transactions on Software Engineering, 2018, 1–1. https://doi.org/10.1109/TSE.2018.2868349.","apa":"Nguyen Quang Do, L., Krüger, S., Hill, P., Ali, K., & Bodden, E. (2018). Debugging Static Analysis. IEEE Transactions on Software Engineering, 1–1. https://doi.org/10.1109/TSE.2018.2868349","ama":"Nguyen Quang Do L, Krüger S, Hill P, Ali K, Bodden E. Debugging Static Analysis. IEEE Transactions on Software Engineering. Published online 2018:1-1. doi:10.1109/TSE.2018.2868349","mla":"Nguyen Quang Do, Lisa, et al. “Debugging Static Analysis.” IEEE Transactions on Software Engineering, 2018, pp. 1–1, doi:10.1109/TSE.2018.2868349.","bibtex":"@article{Nguyen Quang Do_Krüger_Hill_Ali_Bodden_2018, title={Debugging Static Analysis}, DOI={10.1109/TSE.2018.2868349}, journal={IEEE Transactions on Software Engineering}, author={Nguyen Quang Do, Lisa and Krüger, Stefan and Hill, Patrick and Ali, Karim and Bodden, Eric}, year={2018}, pages={1–1} }"},"year":"2018","type":"journal_article","page":"1-1","language":[{"iso":"eng"}],"title":"Debugging Static Analysis","user_id":"5786","author":[{"full_name":"Nguyen Quang Do, Lisa","first_name":"Lisa","last_name":"Nguyen Quang Do"},{"full_name":"Krüger, Stefan","first_name":"Stefan","last_name":"Krüger"},{"last_name":"Hill","first_name":"Patrick","full_name":"Hill, Patrick"},{"last_name":"Ali","full_name":"Ali, Karim","first_name":"Karim"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"department":[{"_id":"76"}],"keyword":["Debugging","Static analysis","Tools","Computer bugs","Standards","Writing","Encoding","Testing and Debugging","Program analysis","Development tools","Integrated environments","Graphical environments","Usability testing"],"publication":"IEEE Transactions on Software Engineering","publication_identifier":{"issn":["2326-3881"]},"status":"public","date_created":"2020-11-30T09:32:12Z"},{"title":"Tracking Load-time 
Configuration Options","user_id":"5786","keyword":["Androids","Bluetooth","Humanoid robots","Java","Software","Tools","Configuration options","Static analysis","Variability mining"],"department":[{"_id":"76"}],"publication":"IEEE Transactions on Software Engineering","author":[{"last_name":"Lillack","first_name":"Max","full_name":"Lillack, Max"},{"full_name":"Kästner, Christian","first_name":"Christian","last_name":"Kästner"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"volume":"PP","publication_identifier":{"issn":["0098-5589"]},"date_created":"2020-11-30T11:06:43Z","status":"public","_id":"20557","date_updated":"2022-01-06T06:54:30Z","doi":"10.1109/TSE.2017.2756048","issue":"99","main_file_link":[{"url":"http://bodden.de/pubs/lkb17lotrack.pdf"}],"page":"1-1","type":"journal_article","citation":{"ieee":"M. Lillack, C. Kästner, and E. Bodden, “Tracking Load-time Configuration Options,” IEEE Transactions on Software Engineering, vol. PP, no. 99, pp. 1–1, 2017, doi: 10.1109/TSE.2017.2756048.","short":"M. Lillack, C. Kästner, E. Bodden, IEEE Transactions on Software Engineering PP (2017) 1–1.","bibtex":"@article{Lillack_Kästner_Bodden_2017, title={Tracking Load-time Configuration Options}, volume={PP}, DOI={10.1109/TSE.2017.2756048}, number={99}, journal={IEEE Transactions on Software Engineering}, author={Lillack, Max and Kästner, Christian and Bodden, Eric}, year={2017}, pages={1–1} }","mla":"Lillack, Max, et al. “Tracking Load-Time Configuration Options.” IEEE Transactions on Software Engineering, vol. PP, no. 99, 2017, pp. 1–1, doi:10.1109/TSE.2017.2756048.","ama":"Lillack M, Kästner C, Bodden E. Tracking Load-time Configuration Options. IEEE Transactions on Software Engineering. 2017;PP(99):1-1. doi:10.1109/TSE.2017.2756048","apa":"Lillack, M., Kästner, C., & Bodden, E. (2017). Tracking Load-time Configuration Options. IEEE Transactions on Software Engineering, PP(99), 1–1. 
https://doi.org/10.1109/TSE.2017.2756048","chicago":"Lillack, Max, Christian Kästner, and Eric Bodden. “Tracking Load-Time Configuration Options.” IEEE Transactions on Software Engineering PP, no. 99 (2017): 1–1. https://doi.org/10.1109/TSE.2017.2756048."},"year":"2017","language":[{"iso":"eng"}]},{"series_title":"ISSTA 2017","language":[{"iso":"eng"}],"date_updated":"2022-01-06T06:54:30Z","doi":"10.1145/3092703.3092705","department":[{"_id":"76"}],"publication_identifier":{"isbn":["978-1-4503-5076-1"]},"place":"New York, NY, USA","title":"Just-in-time Static Analysis","main_file_link":[{"url":"http://bodden.de/pubs/nal+17jit.pdf"}],"type":"conference","year":"2017","citation":{"bibtex":"@inproceedings{Do_Ali_Livshits_Bodden_Smith_Murphy-Hill_2017, place={New York, NY, USA}, series={ISSTA 2017}, title={Just-in-time Static Analysis}, DOI={10.1145/3092703.3092705}, booktitle={Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis}, publisher={ACM}, author={Do, Lisa Nguyen Quang and Ali, Karim and Livshits, Benjamin and Bodden, Eric and Smith, Justin and Murphy-Hill, Emerson}, year={2017}, pages={307–317}, collection={ISSTA 2017} }","mla":"Do, Lisa Nguyen Quang, et al. “Just-in-Time Static Analysis.” Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2017, pp. 307–17, doi:10.1145/3092703.3092705.","chicago":"Do, Lisa Nguyen Quang, Karim Ali, Benjamin Livshits, Eric Bodden, Justin Smith, and Emerson Murphy-Hill. “Just-in-Time Static Analysis.” In Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis, 307–17. ISSTA 2017. New York, NY, USA: ACM, 2017. https://doi.org/10.1145/3092703.3092705.","apa":"Do, L. N. Q., Ali, K., Livshits, B., Bodden, E., Smith, J., & Murphy-Hill, E. (2017). Just-in-time Static Analysis. Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis, 307–317. 
https://doi.org/10.1145/3092703.3092705","ama":"Do LNQ, Ali K, Livshits B, Bodden E, Smith J, Murphy-Hill E. Just-in-time Static Analysis. In: Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis. ISSTA 2017. ACM; 2017:307-317. doi:10.1145/3092703.3092705","ieee":"L. N. Q. Do, K. Ali, B. Livshits, E. Bodden, J. Smith, and E. Murphy-Hill, “Just-in-time Static Analysis,” in Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis, 2017, pp. 307–317, doi: 10.1145/3092703.3092705.","short":"L.N.Q. Do, K. Ali, B. Livshits, E. Bodden, J. Smith, E. Murphy-Hill, in: Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, New York, NY, USA, 2017, pp. 307–317."},"page":"307-317","_id":"20559","author":[{"last_name":"Do","full_name":"Do, Lisa Nguyen Quang","first_name":"Lisa Nguyen Quang"},{"last_name":"Ali","first_name":"Karim","full_name":"Ali, Karim"},{"full_name":"Livshits, Benjamin","first_name":"Benjamin","last_name":"Livshits"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"},{"last_name":"Smith","full_name":"Smith, Justin","first_name":"Justin"},{"full_name":"Murphy-Hill, Emerson","first_name":"Emerson","last_name":"Murphy-Hill"}],"publisher":"ACM","keyword":["Just-in-Time","Layered analysis","Static analysis"],"publication":"Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis","status":"public","date_created":"2020-11-30T11:10:01Z","user_id":"5786"}]