Code Review Research Articles

Theory and practice in secure software development lifecycle: A comprehensive survey

Software development security refers to the practice of integrating security measures and considerations throughout the software development lifecycle to ensure the confidentiality, integrity, and availability of software systems. It involves identifying, mitigating, and eliminating security vulnerabilities and threats that could be exploited by attackers. The goal of this paper is to survey the various concepts and methodologies directed towards software security, and the identification of any missing gaps. Based on the findings, it is noted that the development of secure software requires a proactive and comprehensive approach. It begins with establishing secure design principles and incorporating security requirements from the initial stages of development. Here, secure coding practices, such as input validation, output encoding, and secure authentication and authorization mechanisms, are employed to prevent common security vulnerabilities. In addition, regular security testing, including penetration testing and vulnerability scanning, helps identify and address potential weaknesses in the software. Normally, code reviews and security audits are conducted to ensure adherence to secure coding practices and identify any security flaws. It is important that security training and awareness programs be provided to developers and other stakeholders to foster a security-conscious culture. To minimize potential vulnerabilities, secure configuration management, which involves properly configuring servers, networks, and dependencies may be utilized. On the other hand, regular updates and patching are essential to address known security vulnerabilities in software components. To guide their software development security practices, organizations may follow established security standards and frameworks such as ISO 27001 or NIST Cybersecurity Framework. By prioritizing software development security, organizations can protect sensitive data, prevent unauthorized access, and mitigate the risk of security breaches and incidents. In the long run, this helps build trust with users and stakeholders, enhances the reputation of the software, and reduces the potential impact of security incidents on the organization.

Quality of chest compressions performed by anaesthetic trainees with and without audiovisual feedback

Introduction: The use of audiovisual feedback devices on chest compression (CC) metrics such as the rate and depth has been proven to improve resuscitation quality. This study compared the quality of CC performed by anaesthetic trainees on manikins with audiovisual feedback and subsequent skill retention without the feedback. Methods: CC metrics measured were the compression rate and depth recorded and reviewed by RescueNet® Code Review software, which recorded compressions in target. Fifty participants performed 2 minutes of CC without audiovisual feedback (CC1), followed by another 2 minutes of CC with audiovisual feedback (CC2), separated by 5 minutes of rest. Those who achieved at least 70% of compressions in target during CC2 performed another 2 minutes of CC without audiovisual feedback at 30 minutes (CC3) and 5–7 days (CC4) later. Results: The baseline compressions in target during CC1 was 14.43 ± 20.18%, improving significantly to 81.80 ± 7.61% (p < 0.001) with audiovisual feedback (CC2). Forty-five (90%) participants achieved compressions in target of at least 70% during CC2. However, without the feedback, compressions in target decreased significantly to 56.33 ± 27.02% (p < 0.001) and 49.32 ± 33.86% (p < 0.001) at 30 minutes (CC3) and 5–7 days (CC4) later, respectively. The overall effect size for the compressions in target was 0.625. Conclusion: Audiovisual feedback device usage significantly improves CC performance, but improved skills were not fully retained when CC was performed without the device afterwards. Therefore, real-time audiovisual feedback may ensure better CC, a component of cardiopulmonary resuscitation.

Healthcare utilisation in the United Arab Emirates for children with attention-deficit hyperactivity disorder and comorbidities.

The prevalence of attention-deficit hyperactivity disorder is consistent worldwide. Psychiatric comorbidities are common, although less is known about how those comorbidities affect utilisation of healthcare services. Access to paediatric mental healthcare is a challenge in many regions. However, access to care in the United Arab Emirates (UAE) is supported by a well-established healthcare infrastructure with widely available primary care physicians. A review of diagnosis codes suggests that a clear correlation exists between the number of comorbidities and increased utilisation of available mental health services. Infrastructure in the UAE may represent a successful model for paediatric mental healthcare.

Design code review on seismic demand and base detailing criteria: an application to wine tanks in Marlborough

Marlborough is the largest wine-growing region in New Zealand. The seismic events of Lake Grassmere 2013 and Kaikōura 2016 caused severe business disruption to the wineries due to the poor performance of wine storage tanks and connected non-structural components. The damage recorded raised two main discussions concerning the NZSEE 2009 guidelines for seismic design of liquid storage tanks. The first is related to the appropriateness of the determination of the importance level to adopt for the design of tanks. In fact, importance level 1 (IL1) (structures presenting a low degree of hazard to life and other property) was adopted for most wine tanks, and therefore, the horizontal forces designed were extremely low. Adopting importance level 2 (IL2) (normal structures) would have increased the overall seismic demand to design them for and therefore limited their structural damage but potentially increased the structural cost. The second concerns the design detailing of the critical connections. In fact, the current guidelines/standards lack provisions. The authors compare the NZSEE 2009 guideline with Eurocode 8 (EC8) and API 650 through the design of six tanks with typical dimensions used in the New Zealand wine industry. Results show that assigning importance level 1 results in seismic design demand similar to EC8 and API 650, thereby showing that other countries have a similar approach to New Zealand. A further comparative analysis also highlighted that connection detailing design including the hierarchy of strength is totally missing in all three standards/guidelines, which lacks information.

Code reviews in open source projects : how do gender biases affect participation and outcomes?

Code reviews in open source projects : how do gender biases affect participation and outcomes?

Modern Code Reviews—Survey of Literature and Practice

Background: Modern Code Review (MCR) is a lightweight alternative to traditional code inspections. While secondary studies on MCR exist, it is u a nknown whether the research community has targeted themes that practitioners consider important. Objectives: The objectives are to provide an overview of MCR research, analyze the practitioners’ opinions on the importance of MCR research, investigate the alignment between research and practice, and propose future MCR research avenues. Method: We conducted a systematic mapping study to survey state of the art until and including 2021, employed the Q-Methodology to analyze the practitioners’ perception of the relevance of MCR research, and analyzed the primary studies’ research impact. Results: We analyzed 244 primary studies, resulting in five themes. As a result of the 1,300 survey data points, we found that the respondents are positive about research investigating the impact of MCR on product quality and MCR process properties. In contrast, they are negative about human factor– and support systems–related research. Conclusion: These results indicate a misalignment between the state of the art and the themes deemed important by most survey respondents. Researchers should focus on solutions that can improve the state of MCR practice. We provide an MCR research agenda that can potentially increase the impact of MCR research.

Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study

Context: Kubernetes has emerged as the de-facto tool for automated container orchestration. Business and government organizations are increasingly adopting Kubernetes for automated software deployments. Kubernetes is being used to provision applications in a wide range of domains, such as time series forecasting, edge computing, and high-performance computing. Due to such a pervasive presence, Kubernetes-related security misconfigurations can cause large-scale security breaches. Thus, a systematic analysis of security misconfigurations in Kubernetes manifests, i.e., configuration files used for Kubernetes, can help practitioners secure their Kubernetes clusters. Objective: The goal of this paper is to help practitioners secure their Kubernetes clusters by identifying security misconfigurations that occur in Kubernetes manifests . Methodology: We conduct an empirical study with 2,039 Kubernetes manifests mined from 92 open-source software repositories to systematically characterize security misconfigurations in Kubernetes manifests. We also construct a static analysis tool called Security Linter for Kubernetes Manifests ( SLI-KUBE ) to quantify the frequency of the identified security misconfigurations. Results: In all, we identify 11 categories of security misconfigurations, such as absent resource limit, absent securityContext , and activation of hostIPC . Specifically, we identify 1,051 security misconfigurations in 2,039 manifests. We also observe the identified security misconfigurations affect entities that perform mesh-related load balancing, as well as provision pods and stateful applications. Furthermore, practitioners agreed to fix 60% of 10 misconfigurations reported by us. Conclusion: Our empirical study shows Kubernetes manifests to include security misconfigurations, which necessitates security-focused code reviews and application of static analysis when Kubernetes manifests are developed.

Learning to Predict Code Review Completion Time In Modern Code Review

Learning to Predict Code Review Completion Time In Modern Code Review

Empirical analysis of security-related code reviews in npm packages

Security issues are a major concern in software packages and their impact can be detrimental if exploited. Modern code review is a widely-used practice that project maintainers adopt to improve the quality of contributed code. Prior work has shown that code review has an important role in improving software quality, however, in-depth analyses on code review in relation to security issues are limited.Therefore, in this paper, we aim to explore the role of code review in finding and mitigating security issues. In particular, we investigate active and popular npm packages to understand what types of security issues are raised during code review, and what kind of mitigation strategies are employed by package maintainers to address them. With pull requests (PRs) being the medium of code review under study, we analyze 171 PRs with raised security issues. We find that such issues are discussed at length by package maintainers. Moreover, we find that code review is effective at identifying certain types of security concerns, e.g., Race Condition, Access Control, and ReDOS, as dealing with such issues requires in-depth knowledge of the project domain and implementation specifics. Interestingly, we also observe that some projects have automated tools integrated in the project development cycle, which enhances the identification of frequent cases of certain security issues. When analyzing how maintainers respond to the raised security issues, we find that most of the issues (55%) are frequently addressed and mitigated. In other cases, security concerns ended up not being fixed or are ignored by project maintainers. Leveraging our findings, we offer several implications for project maintainers to support the role of reviewing code in finding and fixing security concerns.

A Flexible Code Review Framework for Combining Defect Detection and Review Comments

Defects and errors in code are different in that they are not detected by editors or compilers but pose a potential risk to software operation. For safety-critical software such as airborne software, the code review process is necessary to ensure the proper operation of software applications and even an aircraft. The traditional manual review method can no longer meet the current needs with the dramatic increase in code sizes and variety. To this end, we propose Deep Reviewer, a general and flexible code review framework that automatically detects code defects and correlates the review comments of the defects. The framework first preprocesses the data using several methods, including the proposed D2U flow. Then, features are extracted and matched by the detector, which contains a pair of twin LSTM models, one for code defect type detection and the other for review comment retrieval. Finally, the review comment output function is implemented based on the masks generated by the code defect types. The method is validated using a large public dataset, SARD. For the binary-classification task, the test results of the proposed are 98.68% and 98.67% in terms of precision and F1 score, respectively. For the multi-classification task, the proposed framework shows a significant advantage over other methods.

How social interactions can affect Modern Code Review

IntroductionModern Code Review (MCR) is a multistage process where developers evaluate source code written by others to enhance the software quality. Despite the numerous studies conducted on the effects of MCR on software quality, the non-technical issues in the MCR process have not been extensively studied. This study aims to investigate the social problems in the MCR process and to find possible ways to prevent them and improve the overall quality of the MCR process.MethodologyTo achieve the research objectives, we applied the grounded theory research shaped by GQM approach to collect data on the attitudes of developers from different teams toward MCR. We conducted interviews with 25 software developers from 13 companies to obtain the information necessary to investigate how social interactions affect the code reviewing process.ResultsOur findings show that interpersonal relationships within the team can have significant consequences on the MCR process. We also received a list of possible strategies to overcome these problems.DiscussionOur study provides a new perspective on the non-technical issues in the MCR process, which has not been extensively studied before. The findings of this study can help software development teams to address the social problems in the MCR process and improve the overall quality of their software products.ConclusionThis study provides valuable insights into the non-technical issues in the MCR process and the possible ways to prevent them. The findings of this study can help software development teams to improve the MCR process and the quality of their software products. Future research could explore the effectiveness of the identified strategies in addressing the social problems in the MCR process.

A Code Reviewer Recommendation Approach Based on Attentive Neighbor Embedding Propagation

Code review as an effective software quality assurance practice has been widely applied in many open-source software communities. However, finding a suitable reviewer for certain codes can be very challenging in open-source communities due to the difficulty of learning the characteristics of reviewers and the code-reviewer interaction sparsity in open-source software communities. To tackle this problem, most previous approaches focus on learning developers’ capabilities and experiences and recommending suitable developers based on their historical interactions. However, such approaches usually suffer from data-sparsity and noise problems, which may reduce the recommendation accuracy. In this paper, we propose an attentive neighbor embedding propagation enhanced code reviewer recommendation framework (termed ANEP). In ANEP, we first construct the reviewer–code interaction graph and learn the semantic representations of the reviewer and code based on the transformer model. Then, we explicitly explore the attentive high-order embedding propagation of reviewers and code and refine the representations along their neighbors. Finally, to evaluate the effectiveness of ANEP, we conduct extensive experiments on four real-world datasets. The experimental results show that ANEP outperforms other state-of-the-art approaches significantly.

Reducing the Risk of Fire Outbreak in Compliance with Fire Safety Regulations in Ghana

Fire outbreak is a disturbing phenomenon that has over the years destroyed market centers. There is growing knowledge that the persistence of these fire disasters is as a result of people’s noncompliance with fire safety regulations. This study therefore contributes to the search for solutions by assessing stakeholders’ capacity to manage fires, While creating the individual trader’s awareness and knowledge on what they need to do against fire risk and disasters. The study is cross-sectional and involved 140 traders and three institutions: National Disaster Management Organization, Kumasi Metropolitan Assembly and Ghana National Fire Service. A systematic sampling technique was used in selecting 140 respondents from a total of 386 with the help of the Sloving technique. The study revealed that traders in the Kumasi Central Market were unaware of what they need to do in case of fire outbreak. It was also shown that, both traders and firefighting institutions do not comply with the safety measures to preventing fire outbreaks. Again it was revealed that haphazard development within the city center serves as a major hindrance for effective fire prevention and control. Based on findings, the study recommends intensive education of traders on how to prevent fire and how to use firefighting tools in case of fire disasters. The study further recommends the review and enforcement of fire prevention codes and regulations to ensure compliance by traders. Keywords: Fire, Safety, Safety measures Risk, Firefighting, Fire training DOI: 10.7176/JEP/14-13-07 Publication date: May 31 st 2023

A review of Python-based code for landslide modeling and inversion using Electrical Resistivity Tomography method

A review of Python-based code for landslide modeling and inversion using Electrical Resistivity Tomography method

Automated code compliance checking research based on BIM and knowledge graph

Automated code compliance checking plays an important role in moving the construction industry forward. While traditional drawing review relies on the identification of industry experts, the purpose of this study is to realize automatic code review by using BIM technology and knowledge graph technology. The method is based on knowledge graph to transform the specification provisions involved in the review of drawings into a computer-recognizable structured language using natural language processing technology to form a human–machine-readable knowledge graph pattern. For the review of BIM models, the BIM model information is exported and the global resource description framework of the building model is obtained in protégé, and the review report is finally obtained after mapping rules and review rules. Finally, the feasibility of the method is verified by an example. This study can effectively solve the problems of “manual dependency” and “inefficiency” in the process of review.

Review of The Narnia Code (film)

Review of The Narnia Code (film)

Review of The Narnia Code: C.S. Lewis and the Secret of the Seven Heavens

Sørina Higgins: Review of Michael Ward, The Narnia Code: C. S. Lewis and the Secret of the Seven Heavens (Carol Stream, Illinois, 2010). 193 pages, including “For Further Reading” and Discussion Guide. $13.99. ISBN 9781414339658.

Distal Radius Fracture Outcomes After Dorsal Spanning Plate Fixation.

Dorsal spanning plate fixation can be used to treat comminuted distal radius fractures not amenable to volar plating. However, there is a relative paucity of outcomes data; so, the aim of this retrospective study was to investigate outcomes and complications after dorsal spanning plate fixation for distal radius fractures. Distal radius fractures treated with dorsal spanning plate fixation at a level-1 trauma center were retrospectively identified via Current Procedural Terminology coding and chart review from 2014 to 2019. Patient demographics, fracture pattern characteristics, fixation techniques, and clinical outcomes were all obtained via chart review using the electronic medical record. In all, 43 dorsal plates were identified out of 369 operatively treated distal radius fractures (12%). Of these, 84% were AO type C, 28% were open fractures, and 86% resulted from falls. At the time of dorsal plating, 28% had an additional procedure. One patient had a major complication after surgery, requiring unplanned surgery for a radius nonunion. Average final follow-up occurred 9 weeks after dorsal plate removal, with mean range of motion at the wrist measuring: 36° flexion, 48° extension, 75° pronation, and 63° supination. Finger flexion was also measured, using either tip of finger to palm distance or total active motion, depending on the available data. These were measured at an average of 1.2 cm and 194°, respectively. Dorsal spanning plate fixation provides a safe and effective method for treating complex distal radius fractures. In our series, patients had good functional outcomes with few complications.

Studying the Impact of Risk Assessment Analytics on Risk Awareness and Code Review Performance

Studying the Impact of Risk Assessment Analytics on Risk Awareness and Code Review Performance

Competencies for Code Review

Peer code review is a widely practiced software engineering process in which software developers collaboratively evaluate and improve source code quality. Whether developers can perform good reviews depends on whether they have sufficient competence and experience. However, the knowledge of what competencies developers need to execute code review is currently limited, thus hindering, for example, the creation of effective support tools and training strategies. To address this gap, we firstly identified 27 competencies relevant to performing code review through expert validation. Later, we conducted an online survey with 105 reviewers to rank these competencies along four dimensions: frequency of usage, importance, proficiency, and desire of reviewers to improve in that competency. The survey shows that technical competencies are considered essential to performing reviews and that respondents feel generally confident in their technical proficiency. Moreover, reviewers feel less confident in how to communicate clearly and give constructive feedback - competencies they consider like-wise an essential part of reviewing. Therefore, research and education should focus in more detail on how to support and develop reviewers' potential to communicate effectively during reviews. In the paper, we also discuss further implications for training, code review performance assessment, and reviewers of different experience level. Data and materials: https://doi.org/10.5281/zenodo.7401313