Journal of Systems and Software, Journal Year: 2023, Volume and Issue: 206, P. 111851 - 111851
Published: Sept. 15, 2023
Language: English
ACM Transactions on Software Engineering and Methodology, Journal Year: 2025, Volume and Issue: unknown
Published: Jan. 16, 2025
DevOps has emerged as one of the most rapidly evolving software development paradigms. With growing concerns surrounding security in systems, the DevSecOps paradigm gained prominence, urging practitioners to incorporate security practices seamlessly into the DevOps workflow. However, integrating security into the workflow can impact agility and impede delivery speed. Recently, the advancement of artificial intelligence (AI) has revolutionized automation in various domains, including security. AI-driven approaches, particularly those leveraging machine learning or deep learning, hold promise for automating security workflows. They have the potential to reduce manual efforts and can be incorporated to support consistent delivery speed while aligning with the principles of the DevOps paradigm. This paper seeks to contribute to the critical intersection of AI and DevSecOps by presenting a comprehensive landscape of AI techniques applicable to DevSecOps and identifying avenues for enhancing the security, trust, and efficiency of DevSecOps processes. We analyzed 99 research papers spanning from 2017 to 2023. Specifically, we address two key research questions (RQs). In RQ1, we identified 12 security tasks associated with the DevSecOps process and reviewed the existing AI approaches, the problems they addressed, and the 65 benchmarks used to evaluate those approaches. Drawing insights from our findings, in RQ2, we discussed the state-of-the-art AI approaches, highlighted 15 challenges in current research, and proposed corresponding future opportunities.
Language: English
Citations: 2
Published: May 1, 2023
Infrastructure as Code (IaC) is the practice of developing and maintaining computing infrastructure through executable source code. Unfortunately, IaC has also brought about new cyber attack vectors. Prior work therefore proposed static analyses that detect security smells in IaC files. However, they have so far remained at a shallow level, disregarding the control and data flow of the scripts under analysis, and may lack awareness of specific syntactic constructs. These limitations inhibit the quality of their results. To address these limitations, in this paper we present GASEL, a novel security smell detector for the Ansible language. It uses graph queries on program dependence graphs to detect 7 security smells. Our evaluation on an oracle of 243 real-world scripts and a comparison against two state-of-the-art detectors shows that awareness of syntax and of control and data flow enables our approach to substantially improve both precision and recall. We further question whether the additional effort required to develop and run such an analysis is justified in practice. To this end, we investigate the prevalence of indirection across more than 15 000 scripts. We find that over 55% contain data-flow indirection, and 32% require whole-project analysis to detect. These findings motivate the need for deeper analysis tools for security vulnerabilities in IaC.
Language: English
Citations: 13
IEEE Transactions on Software Engineering, Journal Year: 2024, Volume and Issue: 50(6), P. 1585 - 1599
Published: May 1, 2024
Infrastructure as Code (IaC) enables efficient deployment and operation, which are crucial to releasing software quickly. As IaC setups can be complex, developers implement IaC programs in general-purpose programming languages like TypeScript and Python, using PL-IaC solutions such as Pulumi and AWS CDK. The reliability of such programs is even more relevant than that of traditional programs because a bug impacts the whole system. Yet, though testing is a standard development practice, it is rarely used for IaC programs. For instance, in August 2022, less than 1% of public PL-IaC programs on GitHub implemented tests. Available IaC program testing techniques severely limit velocity or require much effort.
To solve these issues, we propose Automated Configuration Testing (ACT), a methodology to test many configurations quickly with low effort. ACT automatically mocks all resource definitions and uses generator and oracle plugins for test generation and validation. We present ProTI, a tool with a type-based generator and oracle, and support for application-specific specifications. Our evaluation on 6 081 programs from artificial benchmarks shows that ProTI can be directly applied to existing programs, finds bugs where current techniques are infeasible, and enables reusing generators and oracles thanks to its pluggable architecture.
Language: English
Citations: 3
Published: Oct. 26, 2023
Background. Infrastructure-as-Code (IaC) is an emerging practice to manage cloud infrastructure resources for software systems. Modern development has evolved to embrace IaC as a best practice for consistently provisioning and managing infrastructure using various tools such as Terraform and Ansible. However, recent studies highlighted that developers still encounter challenges with IaC tools. Aims. We aim in this paper to understand the different challenges and analyze the trend of seeking assistance on Q&A platforms in the context of IaC. To this end, we conduct a large-scale empirical study investigating developers' discussions on Stack Overflow. Method. We first collect IaC-relevant tags on Stack Overflow, constituting a dataset that comprises 52,692 questions and 64,078 answers. Then, we group the questions into specific topics using the Latent Dirichlet Allocation (LDA) method, which we optimize using a Genetic Algorithm (GA) for parameter fine-tuning. Finally, to gain better insights, we identified topics based on the criteria of popularity and difficulty. Results. Our findings reveal an average yearly increase of 150% in terms of IaC-related questions and 135% in users between 2011 and 2022. Furthermore, we observe that the questions revolve around seven main topics, including server configuration, policy and networking, deployment pipelines, variable management, templating, and file management. Notably, we found that configuration management topics are the most popular, i.e., the most discussed among developers, while deployment pipelines and templating are the most difficult. Conclusions. Our results shed light on the challenges developers often encounter, as raised on Q&A platforms. These have important implications for practitioners supporting IaC in real-world settings and for the research community, which needs to further investigate these aspects.
Language: English
Citations: 6
Published: March 1, 2023
Documenting software architecture is important for a system's success. Software architecture documentation (SAD) makes information about the system available and eases comprehensibility. There are different forms of SADs, like natural language texts and formal models, with different benefits and purposes. However, there can be inconsistencies between the SADs of the same system. Inconsistent SADs then cause flaws in development and maintenance. To tackle this, we present an approach for inconsistency detection between SAD texts and models. We make use of traceability link recovery (TLR) and extend an existing approach. We utilize the results from TLR to detect unmentioned model elements (i.e., model elements without documentation) and missing model elements (i.e., described but not modeled elements). In our evaluation, we measure how the adaptations on TLR affected its performance. Moreover, we evaluate the inconsistency detection. We benchmark on multiple open source projects and compare to baseline approaches. For TLR, we achieve excellent F
Language: English
Citations: 3
Springer eBooks, Journal Year: 2023, Volume and Issue: unknown, P. 215 - 245
Published: Jan. 1, 2023
Language: English
Citations: 2
Empirical Software Engineering, Journal Year: 2023, Volume and Issue: 29(1)
Published: Dec. 29, 2023
Language: English
Citations: 2
Lecture notes in computer science, Journal Year: 2023, Volume and Issue: unknown, P. 261 - 275
Published: Jan. 1, 2023
Language: English
Citations: 1
Communications in computer and information science, Journal Year: 2024, Volume and Issue: unknown, P. 83 - 103
Published: Oct. 18, 2024
Language: English
Citations: 0