Security-related issues have become more significant due to the proliferation of IT. Collating security-related information in a database improves security. For example, Common Vulnerabilities and Exposures (CVE) is a security knowledge repository containing descriptions of vulnerabilities about software or source code. Although the descriptions include various entities, there is not a uniform entity structure, making security analysis difficult using individual entities. Developing a consistent entity structure will enhance the security field. Herein we propose a method to automatically label select entities from CVE descriptions by applying the Named Entity Recognition (NER) technique. We manually labeled 3287 CVE descriptions and conducted experiments using a machine learning model called BERT to compare the proposed method to labeling with regular expressions. Machine learning using the proposed method significantly improves the labeling accuracy. It has an f1 score of about 0.93, precision of about 0.91, and recall of about 0.95, demonstrating that our method has potential to automatically label select entities from CVE descriptions.

Deterioration of software quality developed by multiple organizations has become a serious problem. To predict software degradation after an organizational change, this paper investigates the influence of quality deterioration on software metrics by analyzing three software projects. To detect factors indicating a low evolvability, we focus on the relationships between the change in software metric values and refactoring tendencies. Refactoring after an organization change impacts the quality.

Permission warnings and privacy policy enforcement are widely used to inform mobile app users of privacy threats. These mechanisms disclose information about use of privacy-sensitive resources such as user location or contact list. However, it has been reported that very few users pay attention to these mechanisms during installation. Instead, a user may focus on a more user-friendly source of information: text description, which is written by a developer who has an incentive to attract user attention. When a user searches for an app in a marketplace, his/her query keywords are generally searched on text descriptions of mobile apps. Then, users review the search results, often by reading the text descriptions; i.e., text descriptions are associated with user expectation. Given these observations, this paper aims to address the following research question: What are the primary reasons that text descriptions of mobile apps fail to refer to the use of privacy-sensitive resources? To answer the research question, we performed empirical large-scale study using a huge volume of apps with our ACODE (Analyzing COde and DEscription) framework, which combines static code analysis and text analysis. We developed light-weight techniques so that we can handle hundred of thousands of distinct text descriptions. We note that our text analysis technique does not require manually labeled descriptions; hence, it enables us to conduct a large-scale measurement study without requiring expensive labeling tasks. Our analysis of 210,000 apps, including free and paid, and multilingual text descriptions collected from official and third-party Android marketplaces revealed four primary factors that are associated with the inconsistencies between text descriptions and the use of privacy-sensitive resources: (1) existence of app building services/frameworks that tend to add API permissions/code unnecessarily, (2) existence of prolific developers who publish many applications that unnecessarily install permissions and code, (3) existence of secondary functions that tend to be unmentioned, and (4) existence of third-party libraries that access to the privacy-sensitive resources. We believe that these findings will be useful for improving users' awareness of privacy on mobile software distribution platforms.

To achieve overall business goals, GQM+Strategies is one approach that aligns business goals at each level of an organization to strategies and assesses the achievement of goals. Strategies are based on rationales (contexts and assumptions). Because extracting all rationales is an important process in the GQM+Strategies approach, we propose the Context-Assumption-Matrix (CAM), which refines the GQM+Strategies model by extracting rationales based on analyzing the relationships between stakeholders, and the process of using GQM+Strategies with CAM effectively. To demonstrate the effectiveness of the CAM and the defined process, we conducted three experiments involving students majoring in information sciences at two different Japanese universities. Moreover, we applied the GQM+Strategies approach with CAM to the Recruit Sumai Company in Japan. The results reveal that compared to GQM+Strategies alone, GQM+Strategies with CAM can extract rationales of the same quality more efficiently and exhaustively.

Object caching is a common feature in the scalable distributed object systems. Fine-grained replication optimizes the performance and resource utilization in object caching by enabling a remote object-oriented application to be partially and incrementally on-demand replicated in units of cluster. Despite these benefits, the lack of common and simple implementation framework makes the fine-grained replication scheme not extensively used. This paper proposes the novel frameworks for dynamic, transparent, partial and automatically incremental replication of distributed Java objects based on three techniques that are lazy-object creation, proxy and hook. One framework enables the fine-grained replication of server-side stateful in-memory application, and the other framework enables the fine-grained replication of server-side stateless in-memory application, client-side program, or standalone application. The experimental evaluation demonstrates that the efficiency in terms of response time of both frameworks are relatively practical to the extent of a local method invocation.

Traceability links between software artifacts can assist in several software development tasks. There are some automatic traceability recovery methods that help with managing the massive number of software artifacts and their relationships, but they do not work well for software artifacts whose descriptions are different in terms of language or abstraction level. To overcome these weakness, we propose the Connecting Links Method (CLM), which recovers transitive traceability links between two artifacts by intermediating a third artifact. In order to apply CLM for general use without limitation in terms of software artifact type, we have designed a standardized method to calculate the relation score of transitive traceability links using the scores of direct traceability links between three artifacts. Furthermore, we propose an improvement of CLM by considering software version. We evaluated CLM by applying it to three software products and found that it is more effective for software artifacts whose language type or vocabulary are different compared to previous methods using textual similarity.

In the age of pervasive computing, ubiquitous collaboration has become an every-day life paradigm. Without an ideal computing infrastructure, issues with ubiquitous collaboration, such as network unreliability, platform heterogeneity, and client's resource constraints, are inevitable. The traditional replication scheme copes with network unreliability by replicating all the objects of a shared application together at once. This is, however, suitable for neither cooperative applications nor mobile computing devices. These problems can be naturally addressed by using a fine-grained replication scheme that enables a portion of the application objects to be replicated. This paper presents an object-oriented middleware that is capable of dynamically and transparently replicating remotely shared Java applications in a partially and on-demand incremental manner. It is also able to maintain various consistency semantics and enables the coexistence of fine-grained replications and conventional remote method invocations. Empirical results indicate several practical benefits of the middleware.

Resource limitations require that bugs be resolved efficiently. The bug modification process uses bug reports, which are generated from service user reports. Developers read these reports and fix bugs. Developers discuss bugs by posting comments directly in bug reports. Although several studies have investigated the initial report in bug reports, few have researched the comments. Our research focuses on bug reports. Currently, everyone is free to comment, but the bug fixing time may be affected by how to comment. Herein we investigate the topic of comments in bug reports. Mixed topics do not affect the bug fixing time. However, the bug fixing time tends to be shorter when the discussion length of the phenomenon is short.

Traceability links between requirements and source code are helpful in software reuse and maintenance tasks. However, manually recovering links in a large group of products requires significant costs and some links may be overlooked. Here, we propose a semi-automatic method to recover traceability links between requirements and source code in the same series of large software products. In order to support differences in representation between requirements and source code, we recover links by using the configuration management log as an intermediary. We refine the links by classifying requirements and code elements in terms of whether they are common to multiple products or specific to one. As a result of applying our method to real products that have 60KLOC, we have recovered valid traceability links within a reasonable amount of time. Automatic parts have taken 13 minutes 36 seconds, and non-automatic parts have taken about 3 hours, with a recall of 76.2% and a precision of 94.1%. Moreover, we recovered some links that were unknown to engineers. By recovering traceability links, software reusability and maintainability will be improved.

A component connection enables a component to use the functionality of other components directly, without generating adapters or other mechanisms at run-time. In conventional component connection models, the connection between components, particularly third-party components, is very costly for code reuse because the component source code must be modified if the types of requester-side and provider-side are different. This paper proposes a new component model, built upon an existing component architecture, which abandons a component service type and connects components based on a method type collection of the provider and requester components. Our model enables flexible connections owing to relaxed component matching, in which the system that implements our model automatically converts values of parameters, return values, and exceptions between required methods and provided ones within a well-defined range. As a result of experimental evaluations, it is found that our model is superior to conventional models in terms of the component-use cost and the capability of changing connections.

Test coverage is an important indicator of whether software has been sufficiently tested. However, there are several problems with the existing measurement tools for test coverage, such as their cost of development and maintenance, inconsistency, and inflexibility in measurement. We propose a consistent and flexible measurement framework for test coverage that we call the Open Code Coverage Framework (OCCF). It supports multiple programming languages by extracting the commonalities from multiple programming languages using an abstract syntax tree to help in the development of the measurement tools for the test coverage of new programming languages. OCCF allows users to add programming language support independently of the test-coverage-criteria and also to add test-coverage-criteria support independently of programming languages in order to take consistent measurements in each programming language. Moreover, OCCF provides two methods for changin the measurement range and elements using XPath and adding user code in order to make more flexible measurements. We implemented a sample tool for C, Java, and Python using OCCF. OCCF can measure four test-coverage-criteria. We also confirmed that OCCF can support C#, Ruby, JavaScript, and Lua. Moreover, we reduced the lines of code (LOCs) required to implement measurement tools for test coverage by approximately 90% and the time to implement a new test-coverage-criterion by over 80% in an experiment that compared OCCF with the conventional non-framework-based tools.