Journal of Systems and Software, Journal year: 2023, Issue 206, pp. 111851 - 111851
Published: Sep. 15, 2023
Language: English
ACM Transactions on Software Engineering and Methodology, Journal year: 2025, Issue unknown
Published: Jan. 16, 2025
DevOps has emerged as one of the most rapidly evolving software development paradigms. With growing concerns surrounding security in systems, the DevSecOps paradigm gained prominence, urging practitioners to incorporate security practices seamlessly into the DevOps workflow. However, integrating security into the workflow can impact agility and impede delivery speed. Recently, advancements in artificial intelligence (AI) have revolutionized automation in various domains, including security. AI-driven approaches, particularly those leveraging machine learning or deep learning, hold promise for automating security workflows. They have the potential to reduce manual efforts and can be incorporated to support consistent delivery speed while aligning with the principles of the DevSecOps paradigm. This paper seeks to contribute to the critical intersection of AI and DevSecOps by presenting a comprehensive landscape of AI techniques applicable to DevSecOps, identifying avenues for enhancing the security, trust, and efficiency of DevSecOps processes. We analyzed 99 research papers spanning from 2017 to 2023. Specifically, we address two key research questions (RQs). In RQ1, we identified 12 security tasks associated with the DevSecOps process and reviewed the existing approaches, the problems they addressed, and the 65 benchmarks used to evaluate those approaches. Drawing insights from our findings, in RQ2, we discussed the state-of-the-art, highlighted 15 challenges in current research, and proposed corresponding future opportunities.
Language: English
Cited: 2
Published: May 1, 2023
Infrastructure as Code (IaC) is the practice of developing and maintaining computing infrastructure through executable source code. Unfortunately, IaC has also brought about new cyber attack vectors. Prior work therefore proposed static analyses that detect security smells in IaC files. However, they have so far remained at a shallow level, disregarding control and data flow in the scripts under analysis, and may lack awareness of specific syntactic constructs. These limitations inhibit the quality of their results. To address these limitations, in this paper, we present GASEL, a novel security smell detector for the Ansible language. It uses graph queries on program dependence graphs to detect 7 security smells. Our evaluation on an oracle of 243 real-world scripts and a comparison against two state-of-the-art detectors shows that awareness of syntax and flow enables our approach to substantially improve both precision and recall. We further question whether the additional effort required to develop and run such analyses is justified in practice. To this end, we investigate the prevalence of indirection across more than 15 000 scripts. We find that over 55% contain data-flow indirection, and 32% require whole-project analysis to detect. These findings motivate the need for deeper tools for detecting vulnerabilities in IaC.
Language: English
Cited: 13
IEEE Transactions on Software Engineering, Journal year: 2024, Issue 50(6), pp. 1585 - 1599
Published: May 1, 2024
Infrastructure as Code (IaC) enables efficient deployment and operation, which are crucial to releasing software quickly. As setups can be complex, developers implement IaC programs in general-purpose programming languages like TypeScript and Python, using PL-IaC solutions such as Pulumi and AWS CDK. The reliability of such programs is even more relevant than for traditional programs because a bug impacts the whole system. Yet, though testing is standard development practice, it is rarely used for IaC programs. For instance, in August 2022, less than 1% of public PL-IaC programs on GitHub implemented tests. Available program testing techniques severely limit velocity or require much effort.
To solve these issues, we propose Automated Configuration Testing (ACT), a methodology to test many configurations quickly with low effort. ACT automatically mocks all resource definitions and uses generator and oracle plugins for generation and validation. We implement ProTI, a tool with a type-based oracle, supporting application specifications. Our evaluation on 6 081 programs from artificial benchmarks shows that ProTI can be directly applied to existing programs, finds bugs where current techniques are infeasible, and enables reusing generators and oracles thanks to its pluggable architecture.
Language: English
Cited: 3
Published: Oct. 26, 2023
Background. Infrastructure-as-Code (IaC) is an emerging practice to manage cloud infrastructure resources for software systems. Modern development has evolved to embrace IaC as a best practice for consistently provisioning and managing infrastructure using various tools such as Terraform and Ansible. However, recent studies highlighted that developers still encounter challenges with IaC tools. Aims. We aim in this paper to understand the different challenges and analyze the trend of seeking assistance on Q&A platforms in the context of IaC. To this end, we conduct a large-scale empirical study investigating developers' discussions on Stack Overflow. Method. We first collect IaC-relevant tags on Stack Overflow, constituting a dataset that comprises 52,692 questions and 64,078 answers. Then, we group the questions into specific topics using the Latent Dirichlet Allocation (LDA) method, which we optimize with a Genetic Algorithm (GA) for the parameters' fine-tuning. Finally, to gain better insights, we identified topics based on the criteria of popularity and difficulty. Results. Our findings reveal an average yearly increase of 150% in terms of IaC-related questions and of 135% in users between 2011 and 2022. Furthermore, we observe that the questions revolve around seven main topics: server configuration, policy, networking, deployment pipelines, variable management, templating, and file management. Notably, we found that the configuration and management topics are the most popular, i.e., the most discussed among developers, while pipelines and templating are the most difficult. Conclusions. Our results shed light on the challenges often encountered by developers on Q&A platforms. These have important implications for practitioners, to support real-world settings, and for the research community, on the needs to further investigate these aspects.
Language: English
Cited: 6
Published: Mar. 1, 2023
Documenting software architecture is important for a system's success. Software architecture documentation (SAD) makes information about the system available and eases comprehensibility. There are different forms of SADs, like natural language texts and formal models, with different benefits and purposes. However, there can be inconsistencies between them for the same system. Inconsistent documentation can then cause flaws in development and maintenance. To tackle this, we present an approach for inconsistency detection between SAD and models. We make use of traceability link recovery (TLR) and extend an existing approach. We utilize the results from TLR to detect unmentioned elements (i.e., model elements without documentation) and missing elements (i.e., described but not modeled elements). In our evaluation, we measure how the adaptations on TLR affected its performance. Moreover, we evaluate the inconsistency detection. We benchmark on multiple open source projects and compare against baseline approaches. For TLR, we achieve excellent F
Language: English
Cited: 3
Springer eBooks, Journal year: 2023, Issue unknown, pp. 215 - 245
Published: Jan. 1, 2023
Language: English
Cited: 2
Empirical Software Engineering, Journal year: 2023, Issue 29(1)
Published: Dec. 29, 2023
Language: English
Cited: 2
Lecture notes in computer science, Journal year: 2023, Issue unknown, pp. 261 - 275
Published: Jan. 1, 2023
Language: English
Cited: 1
Communications in computer and information science, Journal year: 2024, Issue unknown, pp. 83 - 103
Published: Oct. 18, 2024
Language: English
Cited: 0
Journal of Systems and Software, Journal year: 2023, Issue 206, pp. 111851 - 111851
Published: Sep. 15, 2023
Language: English
Cited: 0