---
_id: '64823'
abstract:
- lang: eng
  text: "Current legal frameworks enforce that Android developers accurately report
    the data their apps collect. However, large codebases can make this reporting
    challenging. This paper employs an empirical approach to understand developers'
    experience with Google Play Store's Data Safety Section (DSS) form.\r\n\r\nWe
    first survey 41 Android developers to understand how they categorize privacy-related
    data into DSS categories and how confident they feel when completing the DSS form.
    To gain a broader and more detailed view of the challenges developers encounter
    during the process, we complement the survey with an analysis of 172 online developer
    discussions, capturing the perspectives of 642 additional developers. Together,
    these two data sources represent insights from 683 developers.\r\n\r\nOur findings
    reveal that developers often manually classify the privacy-related data their
    apps collect into the data categories defined by Google (or, in some cases, omit
    classification entirely) and rely heavily on existing online resources when completing
    the form. Moreover, developers are generally confident in recognizing the data
    their apps collect, yet they lack confidence in translating this knowledge into
    DSS-compliant disclosures. Key challenges include issues in identifying privacy-relevant
    data to complete the form, limited understanding of the form, and concerns about
    app rejection due to discrepancies with Google's privacy requirements.\r\nThese
    results underscore the need for clearer guidance and more accessible tooling to
    support developers in meeting privacy-aware reporting obligations. "
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Mohamed Aboubakr Mohamed
  full_name: Soliman, Mohamed Aboubakr Mohamed
  id: '102489'
  last_name: Soliman
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Khedkar M, Schlichtig M, Soliman MAM, Bodden E. Challenges in Android Data
    Disclosure: An Empirical Study. In: <i>Proceedings of the IEEE/ACM 13th International
    Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association
    for Computing Machinery, New York, NY, USA, 65–68.</i> ; 2026.'
  apa: 'Khedkar, M., Schlichtig, M., Soliman, M. A. M., &#38; Bodden, E. (2026). Challenges
    in Android Data Disclosure: An Empirical Study. <i>Proceedings of the IEEE/ACM
    13th International Conference on Mobile Software Engineering and Systems (MOBILESoft
    ’26). Association for Computing Machinery, New York, NY, USA, 65–68.</i> 13th
    International Conference on Mobile Software Engineering and Systems 2024, Rio
    de Janeiro, Brazil.'
  bibtex: '@inproceedings{Khedkar_Schlichtig_Soliman_Bodden_2026, title={Challenges
    in Android Data Disclosure: An Empirical Study.}, booktitle={Proceedings of the
    IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems
    (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.},
    author={Khedkar, Mugdha and Schlichtig, Michael and Soliman, Mohamed Aboubakr
    Mohamed and Bodden, Eric}, year={2026} }'
  chicago: 'Khedkar, Mugdha, Michael Schlichtig, Mohamed Aboubakr Mohamed Soliman,
    and Eric Bodden. “Challenges in Android Data Disclosure: An Empirical Study.”
    In <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software
    Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery,
    New York, NY, USA, 65–68.</i>, 2026.'
  ieee: 'M. Khedkar, M. Schlichtig, M. A. M. Soliman, and E. Bodden, “Challenges in
    Android Data Disclosure: An Empirical Study.,” presented at the 13th International
    Conference on Mobile Software Engineering and Systems 2024, Rio de Janeiro, Brazil,
    2026.'
  mla: 'Khedkar, Mugdha, et al. “Challenges in Android Data Disclosure: An Empirical
    Study.” <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile
    Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery,
    New York, NY, USA, 65–68.</i>, 2026.'
  short: 'M. Khedkar, M. Schlichtig, M.A.M. Soliman, E. Bodden, in: Proceedings of
    the IEEE/ACM 13th International Conference on Mobile Software Engineering and
    Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA,
    65–68., 2026.'
conference:
  end_date: 2026-04-18
  location: Rio de Janeiro, Brazil
  name: 13th International Conference on Mobile Software Engineering and Systems 2024
  start_date: 2026-04-12
date_created: 2026-03-04T08:10:43Z
date_updated: 2026-03-13T12:10:10Z
department:
- _id: '76'
external_id:
  arxiv:
  - '2601.20459'
keyword:
- static analysis
- data collection
- data protection
- privacy-aware reporting
language:
- iso: eng
publication: Proceedings of the IEEE/ACM 13th International Conference on Mobile Software
  Engineering and Systems (MOBILESoft '26). Association for Computing Machinery, New
  York, NY, USA, 65–68.
status: public
title: 'Challenges in Android Data Disclosure: An Empirical Study.'
type: conference
user_id: '88024'
year: '2026'
...
---
_id: '52663'
abstract:
- lang: eng
  text: "Context\r\nStatic analyses are well-established to aid in understanding bugs
    or vulnerabilities during the development process or in large-scale studies. A
    low false-positive rate is essential for the adoption in practice and for precise
    results of empirical studies. Unfortunately, static analyses tend to report where
    a vulnerability manifests rather than the fix location. This can cause presumed
    false positives or imprecise results.\r\nMethod\r\nTo address this problem, we
    designed an adaptation of an existing static analysis algorithm that can distinguish
    between a manifestation and fix location, and reports error chains. An error chain
    represents at least two interconnected errors that occur successively, thus building
    the connection between the fix and manifestation location. We used our tool CogniCryptSUBS
    for a case study on 471 GitHub repositories, a performance benchmark to compare
    different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe
    found that 50 % of the projects with a report had at least one error chain. Our
    runtime benchmark demonstrated that our improvement caused only a minimal runtime
    overhead of less than 4 %. The results of our expert interview indicate that with
    our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur
    results indicate that error chains occur frequently in real-world projects, and
    ignoring them can lead to imprecise evaluation results. The runtime benchmark
    indicates that our tool is a feasible and efficient solution for detecting error
    chains in real-world projects. Further, our results gave a hint that the usability
    of static analyses may benefit from supporting error chains."
author:
- first_name: Anna-Katharina
  full_name: Wickert, Anna-Katharina
  last_name: Wickert
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Marvin
  full_name: Vogel, Marvin
  last_name: Vogel
- first_name: Lukas
  full_name: Winter, Lukas
  last_name: Winter
- first_name: Mira
  full_name: Mezini, Mira
  last_name: Mezini
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. <i>Supporting
    Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability</i>.;
    2024.
  apa: Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., &#38; Bodden,
    E. (2024). <i>Supporting Error Chains in Static Analysis for Precise Evaluation
    Results and Enhanced Usability</i>.
  bibtex: '@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting
    Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability},
    author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and
    Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }'
  chicago: Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter,
    Mira Mezini, and Eric Bodden. <i>Supporting Error Chains in Static Analysis for
    Precise Evaluation Results and Enhanced Usability</i>, 2024.
  ieee: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden,
    <i>Supporting Error Chains in Static Analysis for Precise Evaluation Results and
    Enhanced Usability</i>. 2024.
  mla: Wickert, Anna-Katharina, et al. <i>Supporting Error Chains in Static Analysis
    for Precise Evaluation Results and Enhanced Usability</i>. 2024.
  short: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden,
    Supporting Error Chains in Static Analysis for Precise Evaluation Results and
    Enhanced Usability, 2024.
date_created: 2024-03-20T09:28:36Z
date_updated: 2024-03-20T09:32:29Z
department:
- _id: '76'
keyword:
- Static analysis
- error chains
- false positive reduction
- empirical studies
language:
- iso: eng
main_file_link:
- url: https://arxiv.org/abs/2403.07808
status: public
title: Supporting Error Chains in Static Analysis for Precise Evaluation Results and
  Enhanced Usability
type: misc
user_id: '32312'
year: '2024'
...
---
_id: '52662'
abstract:
- lang: eng
  text: Static analysis tools support developers in detecting potential coding issues,
    such as bugs or vulnerabilities. Research emphasizes technical challenges of such
    tools but also mentions severe usability shortcomings. These shortcomings hinder
    the adoption of static analysis tools, and user dissatisfaction may even lead
    to tool abandonment. To comprehensively assess the state of the art, we present
    the first systematic usability evaluation of a wide range of static analysis tools.
    We derived a set of 36 relevant criteria from the literature and used them to
    evaluate a total of 46 static analysis tools complying with our inclusion and
    exclusion criteria - a representative set of mainly non-proprietary tools. The
    evaluation against the usability criteria in a multiple-raters approach shows
    that two thirds of the considered tools offer poor warning messages, while about
    three-quarters provide hardly any fix support. Furthermore, the integration of
    user knowledge is strongly neglected, which could be used for instance, to improve
    handling of false positives. Finally, issues regarding workflow integration and
    specialized user interfaces are revealed. These findings should prove useful in
    guiding and focusing further research and development in user experience for static
    code analyses.
author:
- first_name: Marcus
  full_name: Nachtigall, Marcus
  id: '41213'
  last_name: Nachtigall
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Nachtigall M, Schlichtig M, Bodden E. Evaluation of Usability Criteria Addressed
    by Static Analysis Tools on a Large Scale. In: <i>Software Engineering 2023</i>.
    Gesellschaft für Informatik e.V.; 2023:95–96.'
  apa: Nachtigall, M., Schlichtig, M., &#38; Bodden, E. (2023). Evaluation of Usability
    Criteria Addressed by Static Analysis Tools on a Large Scale. In <i>Software Engineering
    2023</i> (pp. 95–96). Gesellschaft für Informatik e.V.
  bibtex: '@inbook{Nachtigall_Schlichtig_Bodden_2023, place={Bonn}, title={Evaluation
    of Usability Criteria Addressed by Static Analysis Tools on a Large Scale}, booktitle={Software
    Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Nachtigall,
    Marcus and Schlichtig, Michael and Bodden, Eric}, year={2023}, pages={95–96} }'
  chicago: 'Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “Evaluation of
    Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” In <i>Software
    Engineering 2023</i>, 95–96. Bonn: Gesellschaft für Informatik e.V., 2023.'
  ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “Evaluation of Usability Criteria
    Addressed by Static Analysis Tools on a Large Scale,” in <i>Software Engineering
    2023</i>, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 95–96.'
  mla: Nachtigall, Marcus, et al. “Evaluation of Usability Criteria Addressed by Static
    Analysis Tools on a Large Scale.” <i>Software Engineering 2023</i>, Gesellschaft
    für Informatik e.V., 2023, pp. 95–96.
  short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Software Engineering 2023,
    Gesellschaft für Informatik e.V., Bonn, 2023, pp. 95–96.'
date_created: 2024-03-20T09:26:29Z
date_updated: 2024-03-20T09:27:41Z
department:
- _id: '76'
keyword:
- Automated static analysis
- Software usability
language:
- iso: eng
main_file_link:
- url: https://dl.gi.de/items/5afe477f-2f6a-4b3d-b391-f024baf0b7a5
page: 95–96
place: Bonn
publication: Software Engineering 2023
publication_identifier:
  isbn:
  - 978-3-88579-726-5
publisher: Gesellschaft für Informatik e.V.
status: public
title: Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large
  Scale
type: book_chapter
user_id: '32312'
year: '2023'
...
---
_id: '52660'
abstract:
- lang: eng
  text: Application Programming Interfaces (APIs) are the primary mechanism developers
    use to obtain access to third-party algorithms and services. Unfortunately, APIs
    can be misused, which can have catastrophic consequences, especially if the APIs
    provide security-critical functionalities like cryptography. Understanding what
    API misuses are, and how they are caused, is important to prevent them, e.g., with
    API misuse detectors. However, definitions for API misuses and related terms in
    literature vary. This paper presents a systematic literature review to clarify
    these terms and introduces FUM, a novel Framework for API Usage constraint and
    Misuse classification. The literature review revealed that API misuses are violations
    of API usage constraints. To address this, we provide unified definitions and
    use them to derive FUM. To assess the extent to which FUM aids in determining
    and guiding the improvement of an API misuses detector’s capabilities, we performed
    a case study on the state-of-the-art misuse detection tool CogniCrypt. The study
    showed that FUM can be used to properly assess CogniCrypt’s capabilities, identify
    weaknesses and assist in deriving mitigations and improvements.
author:
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Steffen
  full_name: Sassalla, Steffen
  last_name: Sassalla
- first_name: Krishna
  full_name: Narasimhan, Krishna
  last_name: Narasimhan
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. Introducing FUM: A Framework
    for API Usage Constraint and Misuse Classification. In: <i>Software Engineering
    2023</i>. Gesellschaft für Informatik e.V.; 2023:105–106.'
  apa: 'Schlichtig, M., Sassalla, S., Narasimhan, K., &#38; Bodden, E. (2023). Introducing
    FUM: A Framework for API Usage Constraint and Misuse Classification. In <i>Software
    Engineering 2023</i> (pp. 105–106). Gesellschaft für Informatik e.V.'
  bibtex: '@inbook{Schlichtig_Sassalla_Narasimhan_Bodden_2023, place={Bonn}, title={Introducing
    FUM: A Framework for API Usage Constraint and Misuse Classification}, booktitle={Software
    Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Schlichtig,
    Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2023},
    pages={105–106} }'
  chicago: 'Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden.
    “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.”
    In <i>Software Engineering 2023</i>, 105–106. Bonn: Gesellschaft für Informatik
    e.V., 2023.'
  ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “Introducing FUM:
    A Framework for API Usage Constraint and Misuse Classification,” in <i>Software
    Engineering 2023</i>, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 105–106.'
  mla: 'Schlichtig, Michael, et al. “Introducing FUM: A Framework for API Usage Constraint
    and Misuse Classification.” <i>Software Engineering 2023</i>, Gesellschaft für
    Informatik e.V., 2023, pp. 105–106.'
  short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: Software Engineering
    2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 105–106.'
date_created: 2024-03-20T09:22:27Z
date_updated: 2024-03-20T09:25:46Z
department:
- _id: '76'
keyword:
- API misuses
- API usage constraints
- classification framework
- API misuse detection
- static analysis
language:
- iso: eng
main_file_link:
- url: https://dl.gi.de/items/c4825557-cf3d-4038-933a-d8f95fd324a2
page: 105–106
place: Bonn
publication: Software Engineering 2023
publication_identifier:
  isbn:
  - 978-3-88579-726-5
publisher: Gesellschaft für Informatik e.V.
status: public
title: 'Introducing FUM: A Framework for API Usage Constraint and Misuse Classification'
type: book_chapter
user_id: '32312'
year: '2023'
...
---
_id: '44146'
abstract:
- lang: eng
  text: "Many Android applications collect data from users. When they do, they must\r\nprotect
    this collected data according to the current legal frameworks. Such\r\ndata protection
    has become even more important since the European Union rolled\r\nout the General
    Data Protection Regulation (GDPR). App developers have limited\r\ntool support
    to reason about data protection throughout their app development\r\nprocess. Although
    many Android applications state a privacy policy, privacy\r\npolicy compliance
    checks are currently manual, expensive, and prone to error.\r\nOne of the major
    challenges in privacy audits is the significant gap between\r\nlegal privacy statements
    (in English text) and technical measures that Android\r\napps use to protect their
    user's privacy. In this thesis, we will explore to\r\nwhat extent we can use static
    analysis to answer important questions regarding\r\ndata protection. Our main
    goal is to design a tool based approach that aids app\r\ndevelopers and auditors
    in ensuring data protection in Android applications,\r\nbased on automated static
    program analysis."
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
citation:
  ama: 'Khedkar M. Static Analysis for Android GDPR Compliance Assurance. In: <i>2023
    IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings
    (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>. doi:<a href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">10.1109/ICSE-Companion58688.2023.00054</a>'
  apa: 'Khedkar, M. (n.d.). Static Analysis for Android GDPR Compliance Assurance.
    <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion
    Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>. <a
    href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">https://doi.org/10.1109/ICSE-Companion58688.2023.00054</a>'
  bibtex: '@inproceedings{Khedkar, title={Static Analysis for Android GDPR Compliance
    Assurance}, DOI={<a href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">10.1109/ICSE-Companion58688.2023.00054</a>},
    booktitle={2023 IEEE/ACM 45th International Conference on Software Engineering:
    Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, pp. 197-199},
    author={Khedkar, Mugdha} }'
  chicago: 'Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.”
    In <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion
    Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>, n.d.
    <a href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">https://doi.org/10.1109/ICSE-Companion58688.2023.00054</a>.'
  ieee: 'M. Khedkar, “Static Analysis for Android GDPR Compliance Assurance,” doi:
    <a href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">10.1109/ICSE-Companion58688.2023.00054</a>.'
  mla: 'Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.”
    <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion
    Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>, doi:<a
    href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">10.1109/ICSE-Companion58688.2023.00054</a>.'
  short: 'M. Khedkar, in: 2023 IEEE/ACM 45th International Conference on Software
    Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023,
    Pp. 197-199, n.d.'
date_created: 2023-04-24T12:14:17Z
date_updated: 2024-09-16T08:46:25Z
ddc:
- '004'
department:
- _id: '76'
doi: 10.1109/ICSE-Companion58688.2023.00054
external_id:
  arxiv:
  - '2303.09606'
file:
- access_level: closed
  content_type: application/pdf
  creator: khedkarm
  date_created: 2023-04-24T12:15:27Z
  date_updated: 2023-04-24T12:15:27Z
  file_id: '44147'
  file_name: 2023047614.pdf
  file_size: 85313
  relation: main_file
  success: 1
file_date_updated: 2023-04-24T12:15:27Z
has_accepted_license: '1'
keyword:
- static analysis
- data protection and privacy
- GDPR compliance
language:
- iso: eng
license: https://creativecommons.org/licenses/by/4.0/
publication: '2023 IEEE/ACM 45th International Conference on Software Engineering:
  Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, pp. 197-199'
publication_status: accepted
status: public
title: Static Analysis for Android GDPR Compliance Assurance
type: conference
user_id: '88024'
year: '2023'
...
---
_id: '36522'
abstract:
- lang: eng
  text: "Jupyter notebooks enable developers to interleave code snippets with rich-text
    and in-line visualizations. Data scientists use Jupyter notebook as the de-facto
    standard for creating and sharing machine-learning based solutions, primarily
    written in Python. Recent studies have demonstrated, however, that a large portion
    of Jupyter notebooks available on public platforms are undocumented and lack
    a narrative structure. This reduces the readability of these notebooks. To address
    this shortcoming, this paper presents HeaderGen, a novel tool-based approach that
    automatically annotates code cells with categorical markdown headers based on
    a taxonomy of machine-learning operations, and classifies and displays function
    calls according to this taxonomy. For this functionality to be realized, HeaderGen
    enhances an existing call graph analysis in PyCG. To improve precision, HeaderGen
    extends PyCG's analysis with support for handling external library code and flow-sensitivity.
    The former is realized by facilitating the resolution of function return-types.
    Furthermore, HeaderGen uses type information to perform pattern matching on code
    syntax to annotate code cells.\r\nThe evaluation on 15 real-world Jupyter notebooks
    from Kaggle shows that HeaderGen's underlying call graph analysis yields high
    accuracy (96.4% precision and 95.9% recall). This is because HeaderGen can resolve
    return-types of external libraries where existing type inference tools such as
    pytype (by Google), pyright (by Microsoft), and Jedi fall short. The header generation
    has a precision of 82.2% and a recall rate of 96.8% with regard to headers created
    manually by experts. In a user study, HeaderGen helps participants finish comprehension
    and navigation tasks faster. All participants clearly perceive HeaderGen as useful
    to their task."
author:
- first_name: Ashwin Prasad
  full_name: Shivarpatna Venkatesh, Ashwin Prasad
  id: '66637'
  last_name: Shivarpatna Venkatesh
- first_name: Jiawei
  full_name: Wang, Jiawei
  last_name: Wang
- first_name: Li
  full_name: Li, Li
  last_name: Li
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension
    and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE SANER 2023
    (International Conference on Software Analysis, Evolution and Reengineering);
    2023. doi:<a href="https://doi.org/10.48550/ARXIV.2301.04419">10.48550/ARXIV.2301.04419</a>'
  apa: Shivarpatna Venkatesh, A. P., Wang, J., Li, L., &#38; Bodden, E. (2023). <i>Enhancing
    Comprehension and Navigation in Jupyter Notebooks with Static Analysis</i>. IEEE
    SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering).
    <a href="https://doi.org/10.48550/ARXIV.2301.04419">https://doi.org/10.48550/ARXIV.2301.04419</a>
  bibtex: '@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing
    Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, DOI={<a
    href="https://doi.org/10.48550/ARXIV.2301.04419">10.48550/ARXIV.2301.04419</a>},
    publisher={IEEE SANER 2023 (International Conference on Software Analysis, Evolution
    and Reengineering)}, author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei
    and Li, Li and Bodden, Eric}, year={2023} }'
  chicago: Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden.
    “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.”
    IEEE SANER 2023 (International Conference on Software Analysis, Evolution and
    Reengineering), 2023. <a href="https://doi.org/10.48550/ARXIV.2301.04419">https://doi.org/10.48550/ARXIV.2301.04419</a>.
  ieee: 'A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension
    and Navigation in Jupyter Notebooks with Static Analysis,” presented at the IEEE
    SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering),
    2023, doi: <a href="https://doi.org/10.48550/ARXIV.2301.04419">10.48550/ARXIV.2301.04419</a>.'
  mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. <i>Enhancing Comprehension and
    Navigation in Jupyter Notebooks with Static Analysis</i>. IEEE SANER 2023 (International
    Conference on Software Analysis, Evolution and Reengineering), 2023, doi:<a href="https://doi.org/10.48550/ARXIV.2301.04419">10.48550/ARXIV.2301.04419</a>.
  short: 'A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE SANER 2023
    (International Conference on Software Analysis, Evolution and Reengineering),
    2023.'
conference:
  name: IEEE SANER 2023 (International Conference on Software Analysis, Evolution
    and Reengineering)
date_created: 2023-01-13T08:03:26Z
date_updated: 2025-04-07T10:18:03Z
ddc:
- '000'
doi: 10.48550/ARXIV.2301.04419
file:
- access_level: open_access
  content_type: application/pdf
  creator: ashwin
  date_created: 2023-01-26T10:48:40Z
  date_updated: 2023-01-26T10:48:40Z
  file_id: '40304'
  file_name: 2301.04419.pdf
  file_size: 1862440
  relation: main_file
file_date_updated: 2023-01-26T10:48:40Z
has_accepted_license: '1'
keyword:
- static analysis
- python
- code comprehension
- annotation
- literate programming
- jupyter notebook
language:
- iso: eng
oa: '1'
publisher: IEEE SANER 2023 (International Conference on Software Analysis, Evolution
  and Reengineering)
status: public
title: Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '32409'
abstract:
- lang: eng
  text: 'Context: Cryptographic APIs are often misused in real-world applications.
    Therefore, many cryptographic API misuse detection tools have been introduced.
    However, there exists no established reference benchmark for a fair and comprehensive
    comparison and evaluation of these tools. While there are benchmarks, they often
    only address a subset of the domain or were only used to evaluate a subset of
    existing misuse detection tools. Objective: To fairly compare cryptographic API
    misuse detection tools and to drive future development in this domain, we will
    devise such a benchmark. Openness and transparency in the generation process are
    key factors to fairly generate and establish the needed benchmark. Method: We
    propose an approach where we derive the benchmark generation methodology from
    the literature which consists of general best practices in benchmarking and domain-specific
    benchmark generation. A part of this methodology is transparency and openness
    of the generation process, which is achieved by pre-registering this work. Based
    on our methodology we design CamBench, a fair "Cryptographic API Misuse Detection
    Tool Benchmark Suite". We will implement the first version of CamBench limiting
    the domain to Java, the JCA, and static analyses. Finally, we will use CamBench
    to compare current misuse detection tools and compare CamBench to related benchmarks
    of its domain.'
author:
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Anna-Katharina
  full_name: Wickert, Anna-Katharina
  last_name: Wickert
- first_name: Stefan
  full_name: Krüger, Stefan
  last_name: Krüger
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Mira
  full_name: Mezini, Mira
  last_name: Mezini
citation:
  ama: Schlichtig M, Wickert A-K, Krüger S, Bodden E, Mezini M. <i>CamBench -- Cryptographic
    API Misuse Detection Tool Benchmark Suite</i>.; 2022. doi:<a href="https://doi.org/10.48550/ARXIV.2204.06447">10.48550/ARXIV.2204.06447</a>
  apa: Schlichtig, M., Wickert, A.-K., Krüger, S., Bodden, E., &#38; Mezini, M. (2022).
    <i>CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite</i>. <a
    href="https://doi.org/10.48550/ARXIV.2204.06447">https://doi.org/10.48550/ARXIV.2204.06447</a>
  bibtex: '@book{Schlichtig_Wickert_Krüger_Bodden_Mezini_2022, title={CamBench --
    Cryptographic API Misuse Detection Tool Benchmark Suite}, DOI={<a href="https://doi.org/10.48550/ARXIV.2204.06447">10.48550/ARXIV.2204.06447</a>},
    author={Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and
    Bodden, Eric and Mezini, Mira}, year={2022} }'
  chicago: Schlichtig, Michael, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden,
    and Mira Mezini. <i>CamBench -- Cryptographic API Misuse Detection Tool Benchmark
    Suite</i>, 2022. <a href="https://doi.org/10.48550/ARXIV.2204.06447">https://doi.org/10.48550/ARXIV.2204.06447</a>.
  ieee: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, and M. Mezini, <i>CamBench
    -- Cryptographic API Misuse Detection Tool Benchmark Suite</i>. 2022.
  mla: Schlichtig, Michael, et al. <i>CamBench -- Cryptographic API Misuse Detection
    Tool Benchmark Suite</i>. 2022, doi:<a href="https://doi.org/10.48550/ARXIV.2204.06447">10.48550/ARXIV.2204.06447</a>.
  short: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, M. Mezini, CamBench --
    Cryptographic API Misuse Detection Tool Benchmark Suite, 2022.
date_created: 2022-07-25T07:56:59Z
date_updated: 2022-07-25T10:23:44Z
department:
- _id: '76'
doi: 10.48550/ARXIV.2204.06447
keyword:
- cryptography
- benchmark
- API misuse
- static analysis
language:
- iso: eng
related_material:
  link:
  - relation: confirmation
    url: https://arxiv.org/abs/2204.06447
status: public
title: CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite
type: misc
user_id: '32312'
year: '2022'
...
---
_id: '32410'
abstract:
- lang: eng
  text: "Static analysis tools support developers in detecting potential coding issues,
    such as bugs or vulnerabilities. Research on static analysis emphasizes its technical
    challenges but also mentions severe usability shortcomings. These shortcomings
    hinder the adoption of static analysis tools, and in some cases, user dissatisfaction
    even leads to tool abandonment.\r\nTo comprehensively assess the current state
    of the art, this paper presents the first systematic usability evaluation in a
    wide range of static analysis tools. We derived a set of 36 relevant criteria
    from the scientific literature and gathered a collection of 46 static analysis
    tools complying with our inclusion and exclusion criteria - a representative set
    of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill
    the aforementioned criteria.\r\nThe evaluation shows that more than half of the
    considered tools offer poor warning messages, while about three-quarters of the
    tools provide hardly any fix support. Furthermore, the integration of user knowledge
    is strongly neglected, which could be used for improved handling of false positives
    and tuning the results for the corresponding developer. Finally, issues regarding
    workflow integration and specialized user interfaces are proved further.\r\nThese
    findings should prove useful in guiding and focusing further research and development
    in the area of user experience for static code analyses."
author:
- first_name: Marcus
  full_name: Nachtigall, Marcus
  id: '41213'
  last_name: Nachtigall
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Nachtigall M, Schlichtig M, Bodden E. A Large-Scale Study of Usability Criteria
    Addressed by Static Analysis Tools. In: <i>Proceedings of the 31st ACM SIGSOFT
    International Symposium on Software Testing and Analysis</i>. ACM; 2022:532-543.
    doi:<a href="https://doi.org/10.1145/3533767">10.1145/3533767</a>'
  apa: Nachtigall, M., Schlichtig, M., &#38; Bodden, E. (2022). A Large-Scale Study
    of Usability Criteria Addressed by Static Analysis Tools. <i>Proceedings of the
    31st ACM SIGSOFT International Symposium on Software Testing and Analysis</i>,
    532–543. <a href="https://doi.org/10.1145/3533767">https://doi.org/10.1145/3533767</a>
  bibtex: '@inproceedings{Nachtigall_Schlichtig_Bodden_2022, title={A Large-Scale
    Study of Usability Criteria Addressed by Static Analysis Tools}, DOI={<a href="https://doi.org/10.1145/3533767">10.1145/3533767</a>},
    booktitle={Proceedings of the 31st ACM SIGSOFT International Symposium on Software
    Testing and Analysis}, publisher={ACM}, author={Nachtigall, Marcus and Schlichtig,
    Michael and Bodden, Eric}, year={2022}, pages={532–543} }'
  chicago: Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “A Large-Scale
    Study of Usability Criteria Addressed by Static Analysis Tools.” In <i>Proceedings
    of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis</i>,
    532–43. ACM, 2022. <a href="https://doi.org/10.1145/3533767">https://doi.org/10.1145/3533767</a>.
  ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “A Large-Scale Study of Usability
    Criteria Addressed by Static Analysis Tools,” in <i>Proceedings of the 31st ACM
    SIGSOFT International Symposium on Software Testing and Analysis</i>, 2022, pp.
    532–543, doi: <a href="https://doi.org/10.1145/3533767">10.1145/3533767</a>.'
  mla: Nachtigall, Marcus, et al. “A Large-Scale Study of Usability Criteria Addressed
    by Static Analysis Tools.” <i>Proceedings of the 31st ACM SIGSOFT International
    Symposium on Software Testing and Analysis</i>, ACM, 2022, pp. 532–43, doi:<a
    href="https://doi.org/10.1145/3533767">10.1145/3533767</a>.
  short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Proceedings of the 31st ACM
    SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp.
    532–543.'
date_created: 2022-07-25T08:02:36Z
date_updated: 2022-07-26T11:42:23Z
department:
- _id: '76'
doi: 10.1145/3533767
keyword:
- Automated static analysis
- Software usability
language:
- iso: eng
page: 532 - 543
publication: Proceedings of the 31st ACM SIGSOFT International Symposium on Software
  Testing and Analysis
publication_identifier:
  isbn:
  - '9781450393799'
publication_status: published
publisher: ACM
quality_controlled: '1'
related_material:
  link:
  - relation: confirmation
    url: https://dl.acm.org/doi/10.1145/3533767.3534374
status: public
title: A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools
type: conference
user_id: '32312'
year: '2022'
...
---
_id: '31133'
abstract:
- lang: eng
  text: Application Programming Interfaces (APIs) are the primary mechanism that developers
    use to obtain access to third-party algorithms and services. Unfortunately, APIs
    can be misused, which can have catastrophic consequences, especially if the APIs
    provide security-critical functionalities like cryptography. Understanding what
    API misuses are, and for what reasons they are caused, is important to prevent
    them, e.g., with API misuse detectors. However, definitions and nominations for
    API misuses and related terms in literature vary and are diverse. This paper addresses
    the problem of scattered knowledge and definitions of API misuses by presenting
    a systematic literature review on the subject and introducing FUM, a novel Framework
    for API Usage constraint and Misuse classification. The literature review revealed
    that API misuses are violations of API usage constraints. To capture this, we
    provide unified definitions and use them to derive FUM. To assess the extent to
    which FUM aids in determining and guiding the improvement of an API misuse detector's
    capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse
    detector for cryptographic APIs. The study showed that FUM can be used to properly
    assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations
    and improvements. More generally, FUM also appears to aid the development
    and improvement of misuse detection tools.
author:
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Steffen
  full_name: Sassalla, Steffen
  last_name: Sassalla
- first_name: Krishna
  full_name: Narasimhan, Krishna
  last_name: Narasimhan
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. FUM - A Framework for API
    Usage constraint and Misuse Classification. In: <i>2022 IEEE International Conference
    on Software Analysis, Evolution and Reengineering (SANER)</i>. ; 2022:673-684.
    doi:<a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>'
  apa: Schlichtig, M., Sassalla, S., Narasimhan, K., &#38; Bodden, E. (2022). FUM
    - A Framework for API Usage constraint and Misuse Classification. <i>2022 IEEE
    International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>,
    673–684. <a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>
  bibtex: '@inproceedings{Schlichtig_Sassalla_Narasimhan_Bodden_2022, title={FUM -
    A Framework for API Usage constraint and Misuse Classification}, DOI={<a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>},
    booktitle={2022 IEEE International Conference on Software Analysis, Evolution
    and Reengineering (SANER)}, author={Schlichtig, Michael and Sassalla, Steffen
    and Narasimhan, Krishna and Bodden, Eric}, year={2022}, pages={673–684} }'
  chicago: Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden.
    “FUM - A Framework for API Usage Constraint and Misuse Classification.” In <i>2022
    IEEE International Conference on Software Analysis, Evolution and Reengineering
    (SANER)</i>, 673–84, 2022. <a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>.
  ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “FUM - A Framework
    for API Usage constraint and Misuse Classification,” in <i>2022 IEEE International
    Conference on Software Analysis, Evolution and Reengineering (SANER)</i>, 2022,
    pp. 673–684, doi: <a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>.'
  mla: Schlichtig, Michael, et al. “FUM - A Framework for API Usage Constraint and
    Misuse Classification.” <i>2022 IEEE International Conference on Software Analysis,
    Evolution and Reengineering (SANER)</i>, 2022, pp. 673–84, doi:<a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>.
  short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: 2022 IEEE International
    Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp.
    673–684.'
date_created: 2022-05-09T13:04:10Z
date_updated: 2022-07-26T11:42:30Z
department:
- _id: '76'
doi: https://doi.org/10.1109/SANER53432.2022.00085
keyword:
- API misuses
- API usage constraints
- classification framework
- API misuse detection
- static analysis
language:
- iso: eng
page: 673 - 684
publication: 2022 IEEE International Conference on Software Analysis, Evolution and
  Reengineering (SANER)
quality_controlled: '1'
related_material:
  link:
  - relation: confirmation
    url: https://ieeexplore.ieee.org/document/9825763
status: public
title: FUM - A Framework for API Usage constraint and Misuse Classification
type: conference
user_id: '32312'
year: '2022'
...
---
_id: '30511'
abstract:
- lang: eng
  text: Many critical codebases are written
    in C, and most of them use preprocessor directives to encode variability, effectively
    encoding software product lines. These preprocessor directives, however, challenge
    any static code analysis. SPLlift, a previously presented approach for analyzing
    software product lines, is limited to Java programs that use a rather simple feature
    encoding and to analysis problems with a finite and ideally small domain. Other
    approaches that allow the analysis of real-world C software product lines use
    special-purpose analyses, preventing the reuse of existing analysis infrastructures
    and ignoring the progress made by the static analysis community. This work presents
    VarAlyzer, a novel static analysis approach for software product
    lines. VarAlyzer first transforms preprocessor constructs to
    plain C while preserving their variability and semantics. It then solves any given
    distributive analysis problem on transformed product lines in a variability-aware
    manner. VarAlyzer’s analysis results are annotated with feature
    constraints that encode in which configurations each result holds. Our experiments
    with 95 compilation units of OpenSSL show that applying VarAlyzer
    enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow
    analyses on entire product lines for the first time, outperforming the product-based
    approach for highly-configurable systems.
alternative_title:
- Revoking the preprocessor’s special role
article_number: '35'
article_type: original
author:
- first_name: Philipp
  full_name: Schubert, Philipp
  id: '60543'
  last_name: Schubert
  orcid: 0000-0002-8674-1859
- first_name: Paul
  full_name: Gazzillo, Paul
  last_name: Gazzillo
- first_name: Zach
  full_name: Patterson, Zach
  last_name: Patterson
- first_name: Julian
  full_name: Braha, Julian
  last_name: Braha
- first_name: Fabian Benedikt
  full_name: Schiebel, Fabian Benedikt
  id: '55745'
  last_name: Schiebel
  orcid: 0009-0008-6867-9802
- first_name: Ben
  full_name: Hermann, Ben
  id: '66173'
  last_name: Hermann
  orcid: 0000-0001-9848-2017
- first_name: Shiyi
  full_name: Wei, Shiyi
  last_name: Wei
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Schubert P, Gazzillo P, Patterson Z, et al. Static data-flow analysis for software
    product lines in C. <i>Automated Software Engineering</i>. 2022;29(1). doi:<a
    href="https://doi.org/10.1007/s10515-022-00333-1">10.1007/s10515-022-00333-1</a>
  apa: Schubert, P., Gazzillo, P., Patterson, Z., Braha, J., Schiebel, F. B., Hermann,
    B., Wei, S., &#38; Bodden, E. (2022). Static data-flow analysis for software product
    lines in C. <i>Automated Software Engineering</i>, <i>29</i>(1), Article 35. <a
    href="https://doi.org/10.1007/s10515-022-00333-1">https://doi.org/10.1007/s10515-022-00333-1</a>
  bibtex: '@article{Schubert_Gazzillo_Patterson_Braha_Schiebel_Hermann_Wei_Bodden_2022,
    title={Static data-flow analysis for software product lines in C}, volume={29},
    DOI={<a href="https://doi.org/10.1007/s10515-022-00333-1">10.1007/s10515-022-00333-1</a>},
    number={135}, journal={Automated Software Engineering}, publisher={Springer Science
    and Business Media LLC}, author={Schubert, Philipp and Gazzillo, Paul and Patterson,
    Zach and Braha, Julian and Schiebel, Fabian Benedikt and Hermann, Ben and Wei,
    Shiyi and Bodden, Eric}, year={2022} }'
  chicago: Schubert, Philipp, Paul Gazzillo, Zach Patterson, Julian Braha, Fabian
    Benedikt Schiebel, Ben Hermann, Shiyi Wei, and Eric Bodden. “Static Data-Flow
    Analysis for Software Product Lines in C.” <i>Automated Software Engineering</i>
    29, no. 1 (2022). <a href="https://doi.org/10.1007/s10515-022-00333-1">https://doi.org/10.1007/s10515-022-00333-1</a>.
  ieee: 'P. Schubert <i>et al.</i>, “Static data-flow analysis for software product
    lines in C,” <i>Automated Software Engineering</i>, vol. 29, no. 1, Art. no. 35,
    2022, doi: <a href="https://doi.org/10.1007/s10515-022-00333-1">10.1007/s10515-022-00333-1</a>.'
  mla: Schubert, Philipp, et al. “Static Data-Flow Analysis for Software Product Lines
    in C.” <i>Automated Software Engineering</i>, vol. 29, no. 1, 35, Springer Science
    and Business Media LLC, 2022, doi:<a href="https://doi.org/10.1007/s10515-022-00333-1">10.1007/s10515-022-00333-1</a>.
  short: P. Schubert, P. Gazzillo, Z. Patterson, J. Braha, F.B. Schiebel, B. Hermann,
    S. Wei, E. Bodden, Automated Software Engineering 29 (2022).
date_created: 2022-03-25T07:41:26Z
date_updated: 2025-12-04T10:42:38Z
department:
- _id: '76'
doi: 10.1007/s10515-022-00333-1
intvolume: '        29'
issue: '1'
keyword:
- inter-procedural static analysis
- software product lines
- preprocessor
- LLVM
- C/C++
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://link.springer.com/article/10.1007/s10515-022-00333-1
oa: '1'
project:
- _id: '12'
  name: 'SFB 901 - B4: SFB 901 - Subproject B4'
- _id: '3'
  name: 'SFB 901 - B: SFB 901 - Project Area B'
- _id: '1'
  name: 'SFB 901: SFB 901'
publication: Automated Software Engineering
publication_identifier:
  issn:
  - 0928-8910
  - 1573-7535
publication_status: published
publisher: Springer Science and Business Media LLC
status: public
title: Static data-flow analysis for software product lines in C
type: journal_article
user_id: '15249'
volume: 29
year: '2022'
...
---
_id: '23388'
abstract:
- lang: eng
  text: As one of the most popular programming languages, PYTHON has become a relevant
    target language for static analysis tools. The primary data structure for performing
    an inter-procedural static analysis is call-graph (CG), which links call sites
    to potential call targets in a program. There exist multiple algorithms for constructing
    call-graphs, tailored to specific languages. However, comparatively few implementations
    target PYTHON. Moreover, there is still a lack of empirical evidence as to how these
    few algorithms perform in terms of precision and recall. This paper thus presents
    EVAL_CG, an extensible framework for comparative analysis of Python call-graphs.
    We conducted two experiments which run the CG algorithms on different Python programming
    constructs and real-world applications. In both experiments, we evaluate three
    CG generation frameworks, namely Code2flow, Pyan, and Wala. We record precision,
    recall, and running time, and identify sources of unsoundness of each framework.
    Our evaluation shows that none of the current CG construction frameworks produces
    a sound CG. Moreover, the static CGs contain many spurious edges. Code2flow is
    also comparatively slow. Hence, further research is needed to support CG generation
    for Python programs.
author:
- first_name: Sriteja
  full_name: Kummita, Sriteja
  id: '72582'
  last_name: Kummita
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Johannes
  full_name: Spaeth, Johannes
  last_name: Spaeth
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Kummita S, Piskachev G, Spaeth J, Bodden E. Qualitative and Quantitative Analysis
    of Callgraph Algorithms for PYTHON. In: <i>Proceedings of the 2021 International
    Conference on Code Quality (ICCQ)</i>. ; 2021. doi:<a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">10.1109/ICCQ51190.2021.9392986</a>'
  apa: Kummita, S., Piskachev, G., Spaeth, J., &#38; Bodden, E. (2021). Qualitative
    and Quantitative Analysis of Callgraph Algorithms for PYTHON. In <i>Proceedings
    of the 2021 International Conference on Code Quality (ICCQ)</i>. Virtual. <a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">https://doi.org/10.1109/ICCQ51190.2021.9392986</a>
  bibtex: '@inproceedings{Kummita_Piskachev_Spaeth_Bodden_2021, title={Qualitative
    and Quantitative Analysis of Callgraph Algorithms for PYTHON}, DOI={<a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">10.1109/ICCQ51190.2021.9392986</a>},
    booktitle={Proceedings of the 2021 International Conference on Code Quality (ICCQ)},
    author={Kummita, Sriteja and Piskachev, Goran and Spaeth, Johannes and Bodden,
    Eric}, year={2021} }'
  chicago: Kummita, Sriteja, Goran Piskachev, Johannes Spaeth, and Eric Bodden. “Qualitative
    and Quantitative Analysis of Callgraph Algorithms for PYTHON.” In <i>Proceedings
    of the 2021 International Conference on Code Quality (ICCQ)</i>, 2021. <a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">https://doi.org/10.1109/ICCQ51190.2021.9392986</a>.
  ieee: S. Kummita, G. Piskachev, J. Spaeth, and E. Bodden, “Qualitative and Quantitative
    Analysis of Callgraph Algorithms for PYTHON,” in <i>Proceedings of the 2021 International
    Conference on Code Quality (ICCQ)</i>, Virtual, 2021.
  mla: Kummita, Sriteja, et al. “Qualitative and Quantitative Analysis of Callgraph
    Algorithms for PYTHON.” <i>Proceedings of the 2021 International Conference on
    Code Quality (ICCQ)</i>, 2021, doi:<a href="https://doi.org/10.1109/ICCQ51190.2021.9392986">10.1109/ICCQ51190.2021.9392986</a>.
  short: 'S. Kummita, G. Piskachev, J. Spaeth, E. Bodden, in: Proceedings of the 2021
    International Conference on Code Quality (ICCQ), 2021.'
conference:
  location: Virtual
  name: International Conference on Code Quality (ICCQ)
  start_date: 2021-03-27
date_created: 2021-08-12T14:00:54Z
date_updated: 2022-01-06T06:55:52Z
doi: 10.1109/ICCQ51190.2021.9392986
keyword:
- Static Analysis
- Callgraph Analysis
- Python
- Qualitative Analysis
- Quantitative Analysis
- Empirical Evaluation
language:
- iso: eng
main_file_link:
- url: https://ieeexplore.ieee.org/document/9392986
publication: Proceedings of the 2021 International Conference on Code Quality (ICCQ)
publication_identifier:
  isbn:
  - 978-1-7281-8477-7
publication_status: published
status: public
title: Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON
type: conference
user_id: '72582'
year: '2021'
...
---
_id: '20533'
author:
- first_name: Stefan
  full_name: Krüger, Stefan
  last_name: Krüger
- first_name: Johannes
  full_name: Späth, Johannes
  last_name: Späth
- first_name: Karim
  full_name: Ali, Karim
  last_name: Ali
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Mira
  full_name: Mezini, Mira
  last_name: Mezini
citation:
  ama: 'Krüger S, Späth J, Ali K, Bodden E, Mezini M. CrySL: An Extensible Approach
    to Validating the Correct Usage of Cryptographic APIs. <i>IEEE Transactions on
    Software Engineering</i>. Published online 2019:1-1. doi:<a href="https://doi.org/10.1109/TSE.2019.2948910">10.1109/TSE.2019.2948910</a>'
  apa: 'Krüger, S., Späth, J., Ali, K., Bodden, E., &#38; Mezini, M. (2019). CrySL:
    An Extensible Approach to Validating the Correct Usage of Cryptographic APIs.
    <i>IEEE Transactions on Software Engineering</i>, 1–1. <a href="https://doi.org/10.1109/TSE.2019.2948910">https://doi.org/10.1109/TSE.2019.2948910</a>'
  bibtex: '@article{Krüger_Späth_Ali_Bodden_Mezini_2019, title={CrySL: An Extensible
    Approach to Validating the Correct Usage of Cryptographic APIs}, DOI={<a href="https://doi.org/10.1109/TSE.2019.2948910">10.1109/TSE.2019.2948910</a>},
    journal={IEEE Transactions on Software Engineering}, author={Krüger, Stefan and
    Späth, Johannes and Ali, Karim and Bodden, Eric and Mezini, Mira}, year={2019},
    pages={1–1} }'
  chicago: 'Krüger, Stefan, Johannes Späth, Karim Ali, Eric Bodden, and Mira Mezini.
    “CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic
    APIs.” <i>IEEE Transactions on Software Engineering</i>, 2019, 1–1. <a href="https://doi.org/10.1109/TSE.2019.2948910">https://doi.org/10.1109/TSE.2019.2948910</a>.'
  ieee: 'S. Krüger, J. Späth, K. Ali, E. Bodden, and M. Mezini, “CrySL: An Extensible
    Approach to Validating the Correct Usage of Cryptographic APIs,” <i>IEEE Transactions
    on Software Engineering</i>, pp. 1–1, 2019, doi: <a href="https://doi.org/10.1109/TSE.2019.2948910">10.1109/TSE.2019.2948910</a>.'
  mla: 'Krüger, Stefan, et al. “CrySL: An Extensible Approach to Validating the Correct
    Usage of Cryptographic APIs.” <i>IEEE Transactions on Software Engineering</i>,
    2019, pp. 1–1, doi:<a href="https://doi.org/10.1109/TSE.2019.2948910">10.1109/TSE.2019.2948910</a>.'
  short: S. Krüger, J. Späth, K. Ali, E. Bodden, M. Mezini, IEEE Transactions on Software
    Engineering (2019) 1–1.
date_created: 2020-11-27T10:48:38Z
date_updated: 2022-01-06T06:54:29Z
department:
- _id: '76'
doi: 10.1109/TSE.2019.2948910
keyword:
- Java
- Encryption
- Static analysis
- Tools
- Ciphers
- Semantics
- cryptography
- domain-specific language
- static analysis
language:
- iso: eng
main_file_link:
- url: http://www.bodden.de/pubs/tse19CrySL.pdf
page: 1-1
publication: IEEE Transactions on Software Engineering
publication_identifier:
  issn:
  - 2326-3881
status: public
title: 'CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic
  APIs'
type: journal_article
user_id: '5786'
year: '2019'
...
---
_id: '23389'
abstract:
- lang: eng
  text: "Background - Software companies increasingly rely on static analysis tools
    to detect potential bugs and security vulnerabilities in their software products.
    In the past decade, more and more commercial and open-source static analysis tools
    have been developed and are maintained. Each tool comes with its own reporting
    format, preventing an easy integration of multiple analysis tools in a single
    interface, such as the Static Analysis Server Protocol (SASP). In 2017, a collaborative
    effort in industry, including Microsoft and GrammaTech, proposed the Static
    Analysis Results Interchange Format (SARIF) to address this issue. SARIF is a
    standardized format in which static analysis warnings can be encoded, to allow
    the import and export of analysis reports between different tools.\r\nPurpose
    - This paper explains the SARIF format through examples and presents a proof of
    concept of the connector that allows the static analysis tool CogniCrypt to generate
    and export its results in SARIF format.\r\nDesign/Approach - We conduct a cross-sectional
    study between the SARIF format and CogniCrypt's output format before detailing
    the implementation of the connector. The study aims to find the components of
    interest in CogniCrypt that the SARIF export module can complete.\r\nOriginality/Value
    - The integration of SARIF into CogniCrypt described in this paper can be reused
    to integrate SARIF into other static analysis tools.\r\nConclusion - After detailing
    the SARIF format, we present an initial implementation to integrate SARIF into
    CogniCrypt. After taking advantage of all the features provided by SARIF, CogniCrypt
    will be able to support SASP."
author:
- first_name: Sriteja
  full_name: Kummita, Sriteja
  id: '72582'
  last_name: Kummita
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
citation:
  ama: Kummita S, Piskachev G. <i>Integration of the Static Analysis Results Interchange
    Format in CogniCrypt</i>.; 2019.
  apa: Kummita, S., &#38; Piskachev, G. (2019). <i>Integration of the Static Analysis
    Results Interchange Format in CogniCrypt</i>.
  bibtex: '@book{Kummita_Piskachev_2019, title={Integration of the Static Analysis
    Results Interchange Format in CogniCrypt}, author={Kummita, Sriteja and Piskachev,
    Goran}, year={2019} }'
  chicago: Kummita, Sriteja, and Goran Piskachev. <i>Integration of the Static Analysis
    Results Interchange Format in CogniCrypt</i>, 2019.
  ieee: S. Kummita and G. Piskachev, <i>Integration of the Static Analysis Results
    Interchange Format in CogniCrypt</i>. 2019.
  mla: Kummita, Sriteja, and Goran Piskachev. <i>Integration of the Static Analysis
    Results Interchange Format in CogniCrypt</i>. 2019.
  short: S. Kummita, G. Piskachev, Integration of the Static Analysis Results Interchange
    Format in CogniCrypt, 2019.
date_created: 2021-08-12T14:04:46Z
date_updated: 2022-01-06T06:55:52Z
extern: '1'
keyword:
- Static Analysis
- Static Analysis Results Interchange Format
- SARIF
- Static Analysis Server Protocol
- SASP
language:
- iso: eng
main_file_link:
- url: https://arxiv.org/abs/1907.02558
status: public
title: Integration of the Static Analysis Results Interchange Format in CogniCrypt
type: report
user_id: '72582'
year: '2019'
...
---
_id: '20543'
author:
- first_name: Lisa
  full_name: Nguyen Quang Do, Lisa
  last_name: Nguyen Quang Do
- first_name: Stefan
  full_name: Krüger, Stefan
  last_name: Krüger
- first_name: Patrick
  full_name: Hill, Patrick
  last_name: Hill
- first_name: Karim
  full_name: Ali, Karim
  last_name: Ali
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Nguyen Quang Do L, Krüger S, Hill P, Ali K, Bodden E. Debugging Static Analysis.
    <i>IEEE Transactions on Software Engineering</i>. Published online 2018:1-1. doi:<a
    href="https://doi.org/10.1109/TSE.2018.2868349">10.1109/TSE.2018.2868349</a>
  apa: Nguyen Quang Do, L., Krüger, S., Hill, P., Ali, K., &#38; Bodden, E. (2018).
    Debugging Static Analysis. <i>IEEE Transactions on Software Engineering</i>, 1–1.
    <a href="https://doi.org/10.1109/TSE.2018.2868349">https://doi.org/10.1109/TSE.2018.2868349</a>
  bibtex: '@article{Nguyen Quang Do_Krüger_Hill_Ali_Bodden_2018, title={Debugging
    Static Analysis}, DOI={<a href="https://doi.org/10.1109/TSE.2018.2868349">10.1109/TSE.2018.2868349</a>},
    journal={IEEE Transactions on Software Engineering}, author={Nguyen Quang Do,
    Lisa and Krüger, Stefan and Hill, Patrick and Ali, Karim and Bodden, Eric}, year={2018},
    pages={1–1} }'
  chicago: Nguyen Quang Do, Lisa, Stefan Krüger, Patrick Hill, Karim Ali, and Eric
    Bodden. “Debugging Static Analysis.” <i>IEEE Transactions on Software Engineering</i>,
    2018, 1–1. <a href="https://doi.org/10.1109/TSE.2018.2868349">https://doi.org/10.1109/TSE.2018.2868349</a>.
  ieee: 'L. Nguyen Quang Do, S. Krüger, P. Hill, K. Ali, and E. Bodden, “Debugging
    Static Analysis,” <i>IEEE Transactions on Software Engineering</i>, pp. 1–1, 2018,
    doi: <a href="https://doi.org/10.1109/TSE.2018.2868349">10.1109/TSE.2018.2868349</a>.'
  mla: Nguyen Quang Do, Lisa, et al. “Debugging Static Analysis.” <i>IEEE Transactions
    on Software Engineering</i>, 2018, pp. 1–1, doi:<a href="https://doi.org/10.1109/TSE.2018.2868349">10.1109/TSE.2018.2868349</a>.
  short: L. Nguyen Quang Do, S. Krüger, P. Hill, K. Ali, E. Bodden, IEEE Transactions
    on Software Engineering (2018) 1–1.
date_created: 2020-11-30T09:32:12Z
date_updated: 2022-01-06T06:54:29Z
department:
- _id: '76'
doi: 10.1109/TSE.2018.2868349
keyword:
- Debugging
- Static analysis
- Tools
- Computer bugs
- Standards
- Writing
- Encoding
- Testing and Debugging
- Program analysis
- Development tools
- Integrated environments
- Graphical environments
- Usability testing
language:
- iso: eng
main_file_link:
- url: http://www.bodden.de/pubs/tse18debugging.pdf
page: 1-1
publication: IEEE Transactions on Software Engineering
publication_identifier:
  issn:
  - 2326-3881
status: public
title: Debugging Static Analysis
type: journal_article
user_id: '5786'
year: '2018'
...
---
_id: '20557'
author:
- first_name: Max
  full_name: Lillack, Max
  last_name: Lillack
- first_name: Christian
  full_name: Kästner, Christian
  last_name: Kästner
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Lillack M, Kästner C, Bodden E. Tracking Load-time Configuration Options. <i>IEEE
    Transactions on Software Engineering</i>. 2017;PP(99):1-1. doi:<a href="https://doi.org/10.1109/TSE.2017.2756048">10.1109/TSE.2017.2756048</a>
  apa: Lillack, M., Kästner, C., &#38; Bodden, E. (2017). Tracking Load-time Configuration
    Options. <i>IEEE Transactions on Software Engineering</i>, <i>PP</i>(99), 1–1.
    <a href="https://doi.org/10.1109/TSE.2017.2756048">https://doi.org/10.1109/TSE.2017.2756048</a>
  bibtex: '@article{Lillack_Kästner_Bodden_2017, title={Tracking Load-time Configuration
    Options}, volume={PP}, DOI={<a href="https://doi.org/10.1109/TSE.2017.2756048">10.1109/TSE.2017.2756048</a>},
    number={99}, journal={IEEE Transactions on Software Engineering}, author={Lillack,
    Max and Kästner, Christian and Bodden, Eric}, year={2017}, pages={1–1} }'
  chicago: 'Lillack, Max, Christian Kästner, and Eric Bodden. “Tracking Load-Time
    Configuration Options.” <i>IEEE Transactions on Software Engineering</i> PP, no.
    99 (2017): 1–1. <a href="https://doi.org/10.1109/TSE.2017.2756048">https://doi.org/10.1109/TSE.2017.2756048</a>.'
  ieee: 'M. Lillack, C. Kästner, and E. Bodden, “Tracking Load-time Configuration
    Options,” <i>IEEE Transactions on Software Engineering</i>, vol. PP, no. 99, pp.
    1–1, 2017, doi: <a href="https://doi.org/10.1109/TSE.2017.2756048">10.1109/TSE.2017.2756048</a>.'
  mla: Lillack, Max, et al. “Tracking Load-Time Configuration Options.” <i>IEEE Transactions
    on Software Engineering</i>, vol. PP, no. 99, 2017, pp. 1–1, doi:<a href="https://doi.org/10.1109/TSE.2017.2756048">10.1109/TSE.2017.2756048</a>.
  short: M. Lillack, C. Kästner, E. Bodden, IEEE Transactions on Software Engineering
    PP (2017) 1–1.
date_created: 2020-11-30T11:06:43Z
date_updated: 2022-01-06T06:54:30Z
department:
- _id: '76'
doi: 10.1109/TSE.2017.2756048
issue: '99'
keyword:
- Androids
- Bluetooth
- Humanoid robots
- Java
- Software
- Tools
- Configuration options
- Static analysis
- Variability mining
language:
- iso: eng
main_file_link:
- url: http://bodden.de/pubs/lkb17lotrack.pdf
page: 1-1
publication: IEEE Transactions on Software Engineering
publication_identifier:
  issn:
  - 0098-5589
status: public
title: Tracking Load-time Configuration Options
type: journal_article
user_id: '5786'
volume: PP
year: '2017'
...
---
_id: '20559'
author:
- first_name: Lisa Nguyen Quang
  full_name: Do, Lisa Nguyen Quang
  last_name: Do
- first_name: Karim
  full_name: Ali, Karim
  last_name: Ali
- first_name: Benjamin
  full_name: Livshits, Benjamin
  last_name: Livshits
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Justin
  full_name: Smith, Justin
  last_name: Smith
- first_name: Emerson
  full_name: Murphy-Hill, Emerson
  last_name: Murphy-Hill
citation:
  ama: 'Do LNQ, Ali K, Livshits B, Bodden E, Smith J, Murphy-Hill E. Just-in-time
    Static Analysis. In: <i>Proceedings of the 26th ACM SIGSOFT International Symposium
    on Software Testing and Analysis</i>. ISSTA 2017. ACM; 2017:307-317. doi:<a href="https://doi.org/10.1145/3092703.3092705">10.1145/3092703.3092705</a>'
  apa: Do, L. N. Q., Ali, K., Livshits, B., Bodden, E., Smith, J., &#38; Murphy-Hill,
    E. (2017). Just-in-time Static Analysis. <i>Proceedings of the 26th ACM SIGSOFT
    International Symposium on Software Testing and Analysis</i>, 307–317. <a href="https://doi.org/10.1145/3092703.3092705">https://doi.org/10.1145/3092703.3092705</a>
  bibtex: '@inproceedings{Do_Ali_Livshits_Bodden_Smith_Murphy-Hill_2017, place={New
    York, NY, USA}, series={ISSTA 2017}, title={Just-in-time Static Analysis}, DOI={<a
    href="https://doi.org/10.1145/3092703.3092705">10.1145/3092703.3092705</a>}, booktitle={Proceedings
    of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis},
    publisher={ACM}, author={Do, Lisa Nguyen Quang and Ali, Karim and Livshits, Benjamin
    and Bodden, Eric and Smith, Justin and Murphy-Hill, Emerson}, year={2017}, pages={307–317},
    collection={ISSTA 2017} }'
  chicago: 'Do, Lisa Nguyen Quang, Karim Ali, Benjamin Livshits, Eric Bodden, Justin
    Smith, and Emerson Murphy-Hill. “Just-in-Time Static Analysis.” In <i>Proceedings
    of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis</i>,
    307–17. ISSTA 2017. New York, NY, USA: ACM, 2017. <a href="https://doi.org/10.1145/3092703.3092705">https://doi.org/10.1145/3092703.3092705</a>.'
  ieee: 'L. N. Q. Do, K. Ali, B. Livshits, E. Bodden, J. Smith, and E. Murphy-Hill,
    “Just-in-time Static Analysis,” in <i>Proceedings of the 26th ACM SIGSOFT International
    Symposium on Software Testing and Analysis</i>, 2017, pp. 307–317, doi: <a href="https://doi.org/10.1145/3092703.3092705">10.1145/3092703.3092705</a>.'
  mla: Do, Lisa Nguyen Quang, et al. “Just-in-Time Static Analysis.” <i>Proceedings
    of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis</i>,
    ACM, 2017, pp. 307–17, doi:<a href="https://doi.org/10.1145/3092703.3092705">10.1145/3092703.3092705</a>.
  short: 'L.N.Q. Do, K. Ali, B. Livshits, E. Bodden, J. Smith, E. Murphy-Hill, in:
    Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing
    and Analysis, ACM, New York, NY, USA, 2017, pp. 307–317.'
date_created: 2020-11-30T11:10:01Z
date_updated: 2022-01-06T06:54:30Z
department:
- _id: '76'
doi: 10.1145/3092703.3092705
keyword:
- Just-in-Time
- Layered analysis
- Static analysis
language:
- iso: eng
main_file_link:
- url: http://bodden.de/pubs/nal+17jit.pdf
page: 307-317
place: New York, NY, USA
publication: Proceedings of the 26th ACM SIGSOFT International Symposium on Software
  Testing and Analysis
publication_identifier:
  isbn:
  - 978-1-4503-5076-1
publisher: ACM
series_title: ISSTA 2017
status: public
title: Just-in-time Static Analysis
type: conference
user_id: '5786'
year: '2017'
...
