Generic Model-Based Approaches for Software Reverse Engineering and Comprehension


DOCTORAL THESIS OF THE UNIVERSITE DE NANTES
COMUE UNIVERSITE BRETAGNE LOIRE
Doctoral School No. 601: Mathématiques et Sciences et Technologies de l'Information et de la Communication
Specialty: Computer Science

By Hugo BRUNELIERE

Generic Model-based Approaches for Software Reverse Engineering and Comprehension

Thesis presented and defended in Nantes on Thursday, 20 December 2018
Research unit: IMT Atlantique Bretagne-Pays de la Loire, Ecole Mines-Télécom; Laboratoire des Sciences du Numérique de Nantes – LS2N (CNRS, UMR 6004)

Reviewers before the defense:
Richard Paige, Professor – University of York, York (United Kingdom)
Benoit Baudry, Professor – KTH Royal Institute of Technology, Stockholm (Sweden)

Jury composition:
President: Jordi Cabot, Professor – ICREA & Open University of Catalonia, Barcelona (Spain)
Examiners: Richard Paige, Professor – University of York, York (United Kingdom)
Benoit Baudry, Professor – KTH Royal Institute of Technology, Stockholm (Sweden)
Corinne Miral, Associate Professor (HDR) – Université de Nantes, Nantes (France)
Referent: Gerson Sunye, Associate Professor (HDR) – Université de Nantes, Nantes (France)

Note: The scientific work presented in this thesis manuscript was carried out under the supervision of Professor Jordi Cabot, who is also a member of the jury.

Acknowledgement

Foremost, I would like to express my sincere gratitude to Dr. Gerson Sunye and Prof. Jordi Cabot for their precious advice and feedback when writing down this Ph.D. thesis manuscript that summarizes a significant part of my professional life. This has been quite a constructive experience for me. I also would like to thank Prof. Jordi Cabot for mentoring me during his years in Nantes, and I hope we can continue having more good collaborations in the future.

Besides them, I would like to thank Prof. Richard Paige and Prof. Benoit Baudry for reviewing the present manuscript and providing their insightful comments on this work. In addition, I would like to thank Dr. Corinne Miral for also taking part in my thesis committee.

I thank all the so-called AtlanMod & Friends (and now NaoMod folks) for the stimulating, international and fun working environment in which I have had the chance to evolve for more than 12 years. Notably, I would like to give extra thanks to the project engineers that did a great job on the implementation of MoDisco & EMF Views: people from Mia-Software (Frédéric Madiot, Grégoire Dupé, Fabien Giquel and others), Guillaume Doux, Juan David Villa Calle, Jokin García Pérez and Florent Marchand de Kerchove.

More generally, I thank everyone I had the chance to meet, discuss and work with all along these years in the context of various projects or conferences/events, here in Nantes or elsewhere in Europe and the rest of the world. It has been a long enriching journey!

Last but not least, I would like to give very special thanks to Prof. Jean Bézivin for convincing me to work in a research environment in the first place. I am grateful for this great opportunity he offered me back then.

To my wife and little boy
To my parents and younger sister
To my entire family, and to the new Brazilian one
To my other family: friends from my hometown, from here and elsewhere

French Summary

Introduction

With the advent of information technologies in our society, organizations are undertaking more and more software migration and/or modernization projects. Many companies, regardless of their size and sector of activity, now face the well-known problem of having to manage, maintain, evolve or replace their existing software systems [135]. Such a situation is mainly due to the frequent and rapid changes in the technological landscape. However, the reasons are generally multiple: new user needs, evolving business strategies, shifting organizational aspects, changing legislation, etc. In all cases, the main motivation behind migration/modernization projects is usually economic [130].

Because of this, companies are regularly pushed to evolve (at least in part) their already existing software systems before these become truly obsolete or start to malfunction. These legacy systems are often large applications playing a critical role within the company's information system [15]. Moreover, they usually have a non-negligible impact on its day-to-day operation.

The associated migration/modernization projects therefore cannot be taken lightly, since they never come without significant associated challenges [122]. In the ideal case, they should not start because of passing fads but rather because they are strongly motivated by real technological limitations or in anticipation of problems to come. However, in practice, decision makers and engineers only have a limited and partial view of the complexity and potential consequences of their software projects [80]. Thus, improving the overall understanding of the software systems concerned (e.g. in terms of architecture, provided functionalities, imposed business rules or manipulated data) is a crucial point [208].

Model Driven Engineering (MDE) [182], often more generally called Modeling, is a Software Engineering paradigm relying on the creation, manipulation and intensive use of models of diverse and varied natures. It relies largely on the basic assumption that everything is a model [19]. These models can describe different (and possibly all) complementary aspects of both the modeled systems and the associated engineering activities. Consequently, in model-based approaches, models are considered first-class entities within the design, development, deployment, maintenance and evolution processes. The MDE scientific community is supported by a solid ecosystem rich in practices, tools and use cases coming from both the academic and industrial worlds [24]. Relatively recent studies on the concrete application of MDE in industry [110, 210] have shown that MDE has already generated interesting benefits in the context of different types of software-intensive projects or activities.

Problem Description

A migration and/or modernization project usually consists of three distinct consecutive phases:

1. The complex process of obtaining useful, higher-level representations of a given (legacy) system is called reverse engineering [43]. Its ultimate objective is to provide a better understanding of the purpose and current state of the system concerned.
2. Forward engineering then analyzes these models and transforms them (when necessary) into specifications of the new version of the system [14].
3. Developers or automatic code generation techniques (or a combination of both) finally use these models to produce the code corresponding to the targeted platform [107].

Assemblies of different solutions and technologies can help carry out some of the necessary tasks. For example, this is the case of tools that automatically produce different types of models from already existing software source code. It is also the case of code generators targeting various programming languages and technical platforms. However, to our knowledge, there is currently no global methodology that guides decision makers, software architects and engineers throughout a migration/modernization process.

This is particularly true in the context of the reverse engineering phase, which is the focus of the work presented in this thesis. The important associated challenges [38] notably include:

- Generic support for heterogeneous software technologies (e.g. different programming languages).
- The ability to extract useful data from the system (e.g. going further than the abstract syntax tree).
- Coverage of both the static and dynamic dimensions of the system (e.g. including execution data).
- The ability to obtain relevant views of the system and to manage traceability links between them. This last point is even considered a fundamental activity and objective of software reverse engineering and comprehension.

Quite recently (compared to the history of reverse engineering), Model Driven Reverse Engineering (MDRE) [181] was proposed in order to improve more traditional reverse engineering processes. MDRE can be defined as the application of MDE principles and techniques in the context of reverse engineering activities. MDRE approaches notably depend on existing model-based techniques to obtain models representing the studied systems according to different aspects and at different abstraction levels. UML (Unified Modeling Language) class diagrams [167], state machines or workflows are well-known examples of such models (to name only a few).

By relying on these different obtained models, it is then possible to analyze in more depth and understand the system undergoing a reverse engineering process. To this end, the results

Recommended publications
  • Java Programming Standards & Reference Guide
    Java Programming Standards & Reference Guide Version 3.2 Office of Information & Technology Department of Veterans Affairs Java Programming Standards & Reference Guide, Version 3.2 REVISION HISTORY DATE VER. DESCRIPTION AUTHOR CONTRIBUTORS 10-26-15 3.2 Added Logging Sid Everhart JSC Standards , updated Vic Pezzolla checkstyle installation instructions and package name rules. 11-14-14 3.1 Added ground rules for Vic Pezzolla JSC enforcement 9-26-14 3.0 Document is continually Raymond JSC and several being edited for Steele OI&T noteworthy technical accuracy and / PD Subject Matter compliance to JSC Experts (SMEs) standards. 12-1-09 2.0 Document Updated Michael Huneycutt Sr 4-7-05 1.2 Document Updated Sachin Mai L Vo Sharma Lyn D Teague Rajesh Somannair Katherine Stark Niharika Goyal Ron Ruzbacki 3-4-05 1.0 Document Created Sachin Sharma i Java Programming Standards & Reference Guide, Version 3.2 ABSTRACT The VA Java Development Community has been establishing standards, capturing industry best practices, and applying the insight of experienced (and seasoned) VA developers to develop this “Java Programming Standards & Reference Guide”. The Java Standards Committee (JSC) team is encouraging the use of CheckStyle (in the Eclipse IDE environment) to quickly scan Java code, to locate Java programming standard errors, find inconsistencies, and generally help build program conformance. The benefits of writing quality Java code infused with consistent coding and documentation standards is critical to the efforts of the Department of Veterans Affairs (VA). This document stands for the quality, readability, consistency and maintainability of code development and it applies to all VA Java programmers (including contractors).
  • Command Line Interface
    Command Line Interface
    Squore 21.0.2, last updated 2021-08-19
    Table of Contents
    Preface: Foreword; Licence; Warranty; Responsibilities; Contacting Vector Informatik GmbH Product Support; Getting the Latest Version of this Manual
    1. Introduction
    2. Installing Squore Agent: Prerequisites; Download; Upgrade; Uninstall
    3. Using Squore Agent: Command Line Structure; Command Line Reference; Squore Agent Options; Project Build Parameters; Exit Codes
    4. Managing Credentials: Saving Credentials; Encrypting Credentials; Migrating Old Credentials Format
    5. Advanced Configuration: Defining Server Dependencies; Adding config.xml File; Using Java System Properties; Setting up HTTPS
    Appendix A: Repository Connectors: ClearCase; CVS; Folder Path; Folder (use GNATHub); Git; Perforce; PTC Integrity; SVN; Synergy; TFS; Zip Upload; Using Multiple Nodes
    Appendix B: Data Providers: AntiC; Automotive Coverage Import; Automotive Tag Import; Axivion; BullseyeCoverage Code Coverage Analyzer; CANoe; Cantata; CheckStyle; ..
  • Squore Acceptance Provides a Fast and High Return on Investment by Efficiently
    Acceptance SQUORE
    Squoring Technologies delivers an innovative decision-making dashboard dedicated to managing outsourced software development projects.
    Acceptance represents a key phase of every software development project, whatever the process: Acquisition or Third Party Application Maintenance. Beyond functional suitability, Acceptance must consider all software product dimensions, from quality characteristics such as Reliability, Maintainability and Performance, to work products like source code, requirements and test cases. As required by the CMMI®, Supplier Management implies an objective and impartial assessment of these components, based on quantified measurement criteria adapted to the context and objectives of each project.
    Squore Acceptance provides a fast and high return on investment by efficiently:
    • Contractualizing non-functional, technical requirements.
    • Increasing confidence between customer and supplier.
    • Securing deployment and operation.
    • Defining common and shared acceptance criteria.
    • Demonstrating compliance of deliverables with quality requirements.
    • Reducing acceptance costs and efforts.
    Visit www.squore-acceptance.com
    Innovative features dedicated to the management of outsourced software projects:
    • "Out-of-the-box" standardized control points, metrics and rules using best industry standards, and still customizable to fit in-house practices.
    • Predefined software product quality models based on international standards: ISO SQuaRE 25010, ISO/IEC 9126, ECSS Quality Handbook, SQUALE.
    • Standardized evaluation process in accordance with ISO/IEC 14598 and ISO/IEC 15939 standards.
    • Quantified acceptance criteria for every type of deliverable, from requirements to documentation, via source code and test cases.
    • Comprehensive overview of software product compliance through Key Performance Indicators and trend analysis.
    • Unrivaled in-depth analysis where at-risk components are immediately identified, down to the most elementary function or method.
    Figure caption: Squore covers all software product quality characteristics under a standard breakdown.
  • Write Your Own Rules and Enforce Them Continuously
    Ultimate Architecture Enforcement: Write Your Own Rules and Enforce Them Continuously
    SATURN May 2017, Paulo Merson, Brazilian Federal Court of Accounts
    Agenda: Architecture conformance; Custom checks lab; Sonarqube; Custom checks at TCU; Lessons learned
    Exercise 0 – setup: Open www.dontpad.com/saturn17; Follow the steps for “Exercise 0”
    Pre-requisites for all exercises:
    • JDK 1.7+
    • Java IDE of your choice
    • maven
    Consequences of lack of conformance:
    Lower maintainability, mainly because of undesired dependencies
    • Code becomes brittle, hard to understand and change
    Possible negative effect
    • on reliability, portability, performance, interoperability, security, and other qualities
    • caused by deviation from design decisions that addressed these quality requirements
    Factors that influence architecture conformance: How effective the architecture documentation is; Turnover among developers; Haste to fix bugs or implement features; Size of the system; Distributed teams (outsourcing, offshoring); Accountability for violating design constraints
    How to avoid code and architecture disparity?
    1) Communicate the architecture to developers (not the focus of this tutorial)
    • Create multiple views
    • Structural diagrams + behavior diagrams
    • Capture rationale
    2) Automate architecture conformance analysis
    • Often done with static analysis tools
    Built-in checks and custom checks: Static analysis tools come with many built-in checks
    • They are useful to spot bugs and improve your overall code quality
    • But they’re
  • Open Source Tools for Measuring the Internal Quality of Java Software Products
    Open source tools for measuring the Internal Quality of Java software products. A survey
    P. Tomas, M.J. Escalona, M. Mejias
    Department of Computer and Systems, ETS Ingenieria Informatica, University of Seville, Av. Reina Mercedes S/N, 41012 Seville, Spain
    Abstract: Collecting metrics and indicators to assess objectively the different products resulting during the lifecycle of a software project is a research area that encompasses many different aspects, apart from being highly demanded by companies and software development teams. Focusing on software products, one of the most used methods by development teams for measuring Internal Quality is the static analysis of the source code. This paper works in this line and presents a study of the state-of-the-art open source software tools that automate the collection of these metrics, particularly for developments in Java. These tools have been compared according to certain criteria defined in this study.
    Keywords: Software product; Tools; Open source; Metrics; Internal Quality; Automation; Static analysis; Source code; Java
    Contents
    1. Introduction
    2. Related work
    3. Planning and conducting the review
    3.1. A characterization schema
    3.1.1. Metrics implemented
    3.1.2. Functional features covered
  • Adhering to Coding Standards and Finding Bugs in Code Automatically
    Adhering to Coding Standards and Finding Bugs in Code Automatically
    Presenters: Muhammad Wasim Hammad Ali Butt, Al-khawarzimi Institute of Computer Science
    Agenda: Introduction; Software Quality Assurance; Code: The base for Quality; Code: Writing it; Code: Reviewing it; How Review tools help?; Selecting a Code Review Tools; How they compare to each other?; Conclusion
    Introduction: Software Quality
    Quality Attributes:
    • Maintainability
    • Flexibility
    • Testability
    • Portability
    • Reusability
    • Interoperability
    • Correctness
    • Reliability
    • Efficiency
    • Integrity
    • Usability
    Code: The Base for Quality. Software Quality comes with a lot of benefits
    SQA and Benefits:
    Development/Technical: Increase Readability; Easy to locate problem area; Performance Enhancements; Compliance between Specs & Code; Criteria for software acceptance
    Management: Better Progress visibility; Better decision criteria; Reduced Maintenance cost
    Code: The Base for Quality: Better Coding Styles (Structured to OOP); Commenting of Code; Coding Conventions; Design Patterns; Low Coupling; High Cohesiveness; Resource Management; Remove Repetition of Code
    Code: Writing it: Well Managed Code; Well Written Code; Standardized Code; Defensive Coding. An ideal programmer won’t leave any bugs for compiler or QA team.
    Code: Reviewing It: Review Meetings; Peer Review. Benefits: Code Optimization; Reduced Cost; Programmer Improvement. Static Code Analysis is used for Code Review.
    Code Review on a Typical Project: http://smartbear.com/docs/articles/before-code-review.jpg
    Code Review on a Typical Project: http://smartbear.com/docs/articles/after-code-review.jpg
    Code Review & Issues: Human is error prone.
  • Defining and Assessing Software Quality by Quality Models
    Defining and Assessing Software Quality by Quality Models
    Klaus Lochmann
    Institut für Informatik der Technischen Universität München
    Full reprint of the dissertation approved by the Fakultät für Informatik of the Technische Universität München for the award of the academic degree of Doktor der Naturwissenschaften (Dr. rer. nat.).
    Chair: Univ.-Prof. Bernd Brügge, Ph. D.
    Examiners of the dissertation: 1. Univ.-Prof. Dr. Dr. h.c. Manfred Broy 2. o. Univ.-Prof. Dr. Gustav Pomberger, Johannes Kepler Universität Linz / Austria
    The dissertation was submitted to the Technische Universität München on 31.07.2013 and accepted by the Fakultät für Informatik on 11.12.2013.
    Abstract: Software quality plays an important role for companies today, as it is in a direct relation to the costs arising in the lifecycle of software. However, the notion of quality is diverse. A software maintenance organization, for instance, defines high quality of software as enabling effective maintenance of it. For operators of computing centers, high quality means that the available computing and memory resources are efficiently used. An end user experiences software as high quality when it supports his tasks in an effective and efficient manner and thus reduces effort for him. In software engineering research, a lot of work has already been dedicated to the topic of software quality and quality assurance. However, we claim that there is no generally accepted definition of quality. The quality models providing taxonomical definitions face several problems, such as being ambiguous, overlapping, and incomplete. This prevents the quality models from supporting the definition of useful quality requirements.
  • Software Qualimetry at Schneider Electric: a Field Background Hervé Dondey, Christophe Peron
    Software Qualimetry at Schneider Electric: a field background
    Hervé Dondey, Christophe Peron
    To cite this version: Hervé Dondey, Christophe Peron. Software Qualimetry at Schneider Electric: a field background. Embedded Real Time Software and Systems (ERTS2012), Feb 2012, Toulouse, France. hal-02263431
    HAL Id: hal-02263431, https://hal.archives-ouvertes.fr/hal-02263431, submitted on 4 Aug 2019
    HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
    By Hervé Dondey - Strategy & Innovation - Software Efficiency Team – Schneider Electric and Christophe Peron – SQuORING Technologies
    Abstract: This paper presents the Source Code Quality Indicators (SCQI) project led by the Strategy & Innovation corporate team to deploy Software Qualimetry within a large-scale multi-national organization such as Schneider Electric (SE). The related method (SCQI) was designed from a list of relevant use cases and relies on the main concepts of the SQALE [1] evaluation method. To support this method, SE has selected the SQuORE [2] platform thanks to its capability to allow large-scale deployment together with high versatility and adaptability to local needs. Feedback and lessons learned from initial deployments are now used to speed up the qualimetry process institutionalization within the whole company.
  • Working Document 5.5.4, V6.0 -. | Davide Taibi
    QualiPSo: Quality Platform for Open Source Software, IST-FP6-IP-034763
    Working document 5.5.4, V6.0: User guides for the WP5.5 toolset
    Anja Hentschel (SIE), Klaus P. Berg (SIE), Vieri del Bianco (INS), Davide Taibi (INS), Davide Tosi (INS), Tomasz Krysztofiak (PNSC), Davide dalle Carbonare (ENG), Hongbo Xu (GMRC), Jonathan Pares (GMRC), Auri Vincenzi (USP), Paulo Meirelles (USP)
    Due date of deliverable: 31/10/2010. Actual submission date: 31/01/2011
    This work is licensed under the Creative Commons Attribution-Share Alike 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA
    Change History
    Version | Date | Status | Author (Partner) | Description
    0.1 | 16/08/07 | Draft | Anja Hentschel (SIE) | Document structure and initial content
    0.2 | 22/10/07 | Draft | Anja Hentschel (SIE) | Input from Max. Almost everything completely restructured.
    0.3 | 31/10/07 | Draft | Anja Hentschel (SIE) | Input from Marion and Abbas.
    0.4 | 13/06/08 | Draft | Anja Hentschel (SIE), Klaus Berg (SIE), Vieri del Bianco (INS) | New chapters: Testing (KB), User stories (VdB), Implementation concept (AH). Removed: description of evaluation methods
    1.0 | 30/07/08 | Release | Anja Hentschel (SIE) |
    1.1 | 03/11/08 | Draft | All | New chapters: Tool descriptions, Integration, Experiences and related appendices
    1.2 | 07/11/08 | Draft | Anja Hentschel (SIE) | Some remaining gaps filled
    1.3 | 28/11/08 | Draft | Anja Hentschel (SIE) | Input from reviews included;
  • Securing Devops — Detection of Vulnerabilities in CD Pipelines
    Institute of Software Technology, Reliable Software Systems, University of Stuttgart, Universitätsstraße 38, D–70569 Stuttgart
    Master's thesis
    Christina Paule
    Course of Study: Software Engineering
    Examiner: Dr.-Ing. André van Hoorn
    Supervisors: Thomas Düllmann, M.Sc., University of Stuttgart; Andreas Falk, Managing Consultant, NovaTec Consulting GmbH; Andreas Reinhardt, Senior Consultant, NovaTec Consulting GmbH
    Commenced: October 19, 2017. Completed: April 19, 2018
    Abstract: Nowadays more and more companies implement the DevOps approach. DevOps was developed to enable more efficient collaboration between development (dev) and operation (ops) teams. An important reason why companies use the DevOps approach is that they aspire to continuously deliver applications using agile methods. The continuous delivery (CD) process can be achieved with the aid of the DevOps approach, of which the CD pipeline is an elementary component. Because a new General Data Protection Regulation (GDPR) will enter into force in the European Union in May 2018, many companies are looking at how they can increase the security level of their applications. The regulation requires that companies which process personal data have to secure their applications. An attacker can gain access to personal data if there are vulnerabilities in applications. This problem can be applied to CD pipelines. If CD pipelines have vulnerabilities, then an exploitation of vulnerabilities can lead to damage to the CD pipeline and the delivery process. One example is that the network can be scanned by running injected malicious unit tests. This can have a negative effect on the image of the company which operates and uses CD pipelines.
  • How BMW Improved Software Quality and Agility of a Mission Critical Software System
    How BMW Improved Software Quality and Agility of a Mission Critical Software System
    About BMW: With the brands BMW, MINI and Rolls-Royce Motor Cars, the BMW Group has its sights set firmly on the premium sector of the international automobile market. To achieve its aims, the company deploys its strengths with an efficiency that is unmatched in the automotive industry. From research and development, to sales and marketing, BMW Group is committed to the very highest in quality for all its products and services. The company's success to date is proof that this strategy is the correct one.
    About hello2morrow: Hello2morrow is a leading provider of comprehensive static analysis tools for the validation and enforcement of rules related to architecture, structure and technical quality of software systems. Our products support Java, C#, C/C++ and other languages, and are used by more than 300 clients all over the world.
    The Challenges: In 2012 BMW decided to redevelop their “Integrated Aftersales Platform” (IAP). Integrating required new features and changes into the old version of the system was not considered to be feasible. IAP-1 already had a significant defect backlog and it was very difficult to change the system without introducing new defects. The system was suffering from severe structural erosion and high levels of technical debt. The new system has a staff of about 75 developers, 30 of them working with Java. A key goal for the new system was to avoid running into the same problems that crippled its predecessor. In particular, the following challenges had to be met:
    • New releases every 4 months
    • Strict rules for architecture and code quality standards that would be enforced in an automated fashion
    • Contracts with 3rd party development service providers now had to include architecture rules and quality standards.
  • Towards a Structured Specification of Coding Conventions
    Towards a Structured Specification of Coding Conventions
    Elder Rodrigues Jr. and Leonardo Montecchi
    Instituto de Computação, Universidade Estadual de Campinas, Campinas, SP, Brazil
    Abstract: Coding conventions are a means to improve the reliability of software systems. They can be established for many reasons, ranging from improving the readability of code to avoiding the introduction of security flaws. However, coding conventions often come in the form of textual documents in natural language, which makes them hard to manage and to enforce. Following model-driven engineering principles, in this paper we propose an approach and language for specifying coding conventions using structured models. We ran a feasibility study, in which we applied our language for specifying 215 coding rules from two popular rulesets. The obtained results are promising and suggest that the proposed approach is feasible. However, they also highlight that many challenges still need to be overcome. We conclude with an overview on the ongoing work for
    ... check similarity between rules, ii) identify conflicting rules, iii) understand if a tool is able to check a certain rule, iv) configure a tool to check a certain rule, etc.
    Following the principles behind Model-Driven Engineering (MDE) [20], all the artifacts in the software development process, thus including coding conventions, should be represented as structured models, to increase the degree of automation, improve integration, and reduce the possibility of human mistakes. However, to the best of our knowledge, there is little work on this topic in the literature.
    In this paper we investigate the possibility of specifying coding conventions through structured, machine-readable, models.