Past research suggests that Computer Science (CS) undergraduate students are not equipped to manage quality characteristics such as security, reliability, and maintainability. Filling such a gap should allow CS undergraduates an easier integration into the labor market after graduation. To make students more ready for such a market, we introduced a training intervention in our Software Technologies for the Web (STW) course in the academic year (a.y.) 2022–23. Our intervention focused on security, i.e., students were trained on secure development and were asked to use SonarCloud. To assess this intervention, we compared the web apps developed in a.y. 2021–22 and a.y. 2022–23 and observed that security significantly improved in the a.y. 2022–23 web apps. To understand whether and to what extent our training intervention triggered autonomous motivation in the students (a.y. 2022–23) on reliability and maintainability, we also compared the web apps of a.y. 2021–22 and a.y. 2022–23 on these issues. Note that we did not ask students to deal with reliability and maintainability. This part of our research is presented in this paper for the first time and revealed that the web apps of a.y. 2022–23 are more reliable and maintainable than those of a.y. 2021–22.
@article{Nocera:Jss:2025,
  title     = {Software engineering education: Results from a training intervention based on SonarCloud when developing web apps},
  author    = {Sabato Nocera and Simone Romano and Rita Francese and Giuseppe Scanniello},
  journal   = {Journal of Systems and Software},
  volume    = {222},
  pages     = {112308},
  year      = {2025},
  doi       = {10.1016/j.jss.2024.112308},
  url       = {https://doi.org/10.1016/j.jss.2024.112308},
  publisher = {Elsevier}
}
A software supply chain consists of anything needed to develop and deliver a software project, including (third-party) components. Software Composition Analysis (SCA) allows for managing the security of software supply chains by identifying such components and their (security) vulnerabilities. The main goal of the empirical study presented in this paper is to investigate the effects of adopting and using over time an SCA tool like OWASP Dependency-Check (OWASP DC) on the security of the software supply chain. To this end, following a cohort design, we analyzed the vulnerabilities affecting the components of the open-source (OS) Java Maven projects owned by the Apache Software Foundation (ASF) and publicly hosted on GitHub. These projects could adopt (or not) OWASP DC. The results indicate that the adoption of OWASP DC appears to cause a significant reduction in the overall number/score of vulnerabilities, including those with a high Common Vulnerability Scoring System (CVSS) severity level. The use of OWASP DC also increased the number of vulnerabilities with a low severity level. Our results seem to encourage practitioners to adopt SCA to improve the security of their software supply chains.
@inproceedings{Nocera:Msr:2025,
  title     = {Software Composition Analysis and Supply Chain Security in Apache Projects: an Empirical Study},
  author    = {Sabato Nocera and Sira Vegas and Giuseppe Scanniello and Natalia Juristo},
  booktitle = {2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR)},
  pages     = {},
  year      = {2025},
  publisher = {IEEE}
}
[C10] Scanniello, G., Di Penta, M., Romano, S., Francese, R., Nocera, S., Cassieri, P., Bifolco, D., & Zampetti, F. (2024, October). MSR4SBOM: Mining software repositories for enhanced software bills of materials. In Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (pp. 589-593). ACM.
MSR4SBOM (Mining Software Repositories for enhanced Software Bills of Materials) is a project whose main goal is to deliver a framework that analyzes the content of software repositories and SBOMs to provide context-sensitive recommendations. The expected outputs are (i) a set of approaches and tools released as open-source projects, making them exploitable in industrial, academic, and open-source contexts; and (ii) replication packages of our empirical studies and repositories of datasets collected while developing, calibrating, and validating the MSR4SBOM approaches and tools.
@inproceedings{Scanniello:Esem:2024,
  author    = {Scanniello, Giuseppe and Di Penta, Massimiliano and Romano, Simone and Francese, Rita and Nocera, Sabato and Cassieri, Pietro and Bifolco, Daniele and Zampetti, Fiorella},
  title     = {MSR4SBOM: Mining Software Repositories for enhanced Software Bills of Materials},
  year      = {2024},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  url       = {https://doi.org/10.1145/3674805.3695390},
  doi       = {10.1145/3674805.3695390},
  booktitle = {Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement},
  pages     = {589--593},
  location  = {Barcelona, Spain},
  series    = {ESEM '24}
}
A Software Bill of Materials (SBOM) describes, in a structured, machine-readable format, the open-source and proprietary components that constitute a software product, including their licenses, versions, vendors, vulnerabilities, and dependency relationships. SBOMs enable practitioners to gain visibility into the software supply chain and monitor any risks associated with software security, licensing, and more. In this industry paper, we present the findings of 10 semi-structured interviews with practitioners with different roles in six different software companies operating in Italy, some of which are very large multinationals. The gathered information indicates that the adoption of SBOMs is low, yet the attention of the software industry to software supply chain-related challenges is high. A possible reason behind this outcome is that the software industry has limited knowledge of SBOMs and software supply chain regulations. Although some participants showed a growing interest in SBOMs, the Italian software industry seems to respond less promptly to this technology. We plan to use these results and those from past research to design a survey with practitioners to have a complete picture of SBOM usage in the software industry.
@inproceedings{Nocera:Icsme:2024,
  author    = {Nocera, Sabato and Di Penta, Massimiliano and Francese, Rita and Romano, Simone and Scanniello, Giuseppe},
  booktitle = {2024 IEEE International Conference on Software Maintenance and Evolution (ICSME)},
  title     = {If it's not SBOM, then what? How Italian Practitioners Manage the Software Supply Chain},
  year      = {2024},
  pages     = {730--740},
  publisher = {IEEE},
  url       = {https://doi.org/10.1109/ICSME58944.2024.00077},
  doi       = {10.1109/ICSME58944.2024.00077}
}
We conducted a preliminary qualitative investigation into the Bachelor’s students’ perception of the usefulness of a Static Analysis Tool (i.e., SonarCloud) in assessing software security. The results revealed that the students considered SonarCloud user-friendly, simple to set up, and easy to learn. Additionally, the students recognized an improvement in their awareness and attitude toward secure software development, as well as with the use of a tool widely adopted in both open-source communities and the software industry. The results suggest that the use of SonarCloud improves students’ software security skills, which are demanded by the labor market.
@inproceedings{Nocera:Quatic:2024,
  author    = {Nocera, Sabato and Romano, Simone and Di Nucci, Dario and Francese, Rita and Palomba, Fabio and Scanniello, Giuseppe},
  title     = {Do Static Analysis Tools Improve Awareness and Attitude Toward Secure Software Development?},
  booktitle = {International Conference on the Quality of Information and Communications Technology},
  year      = {2024},
  publisher = {Springer Nature Switzerland},
  address   = {Cham},
  pages     = {399--407},
  url       = {https://doi.org/10.1007/978-3-031-70245-7_28},
  doi       = {10.1007/978-3-031-70245-7_28}
}
[C7] Bifolco, D., Nocera, S., Romano, S., Di Penta, M., Francese, R., & Scanniello, G. (2024, June). On the Accuracy of GitHub’s Dependency Graph. In Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering (EASE) (pp. 242-251). ACM.
GitHub’s dependency graph shows dependency relationships between repositories. This feature is leveraged by tools such as Dependabot, or GitHub’s feature to export SBOM (Software Bill of Materials) files. Also, it has been used in empirical studies. Inaccuracies in the dependency graph might negatively affect both the effectiveness of tools and the results of the conducted studies. In this paper, we present the results of a mining study to assess the accuracy of GitHub’s dependency graph in Java and Python open-source software projects. In particular, on April 16th, 2023, we randomly sampled 297 software projects developed in Java and 338 developed in Python (all hosted on GitHub), each using GitHub’s dependency graph. Then, we performed three analyses to assess how accurate GitHub’s dependency graph is: (i) backward analysis, focusing on the accuracy of the dependencies of a given repository, as reported in GitHub’s dependency graph; (ii) forward analysis, focusing on the accuracy of the dependents of a given repository, as reported in GitHub’s dependency graph; and (iii) manifest/lock file analysis, focusing on the correspondence between the dependencies reported in the dependency graph of a given repository and what was reported in the corresponding manifest/lock files. The obtained results highlight several inaccuracies in GitHub’s dependency graph, which might affect the output of tools based on GitHub’s dependency graph (e.g., Dependabot and SBOM generators) as well as the outcomes of past empirical studies. We also provide qualitative insights into these inaccuracies and implications for practitioners and researchers.
@inproceedings{Bifolco:Ease:2024,
  author    = {Bifolco, Daniele and Nocera, Sabato and Romano, Simone and Di Penta, Massimiliano and Francese, Rita and Scanniello, Giuseppe},
  title     = {On the Accuracy of GitHub's Dependency Graph},
  year      = {2024},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  url       = {https://doi.org/10.1145/3661167.3661175},
  doi       = {10.1145/3661167.3661175},
  pages     = {242--251},
  location  = {Salerno, Italy},
  series    = {EASE '24}
}
In a previous publication, we presented the results of an assessment aimed at understanding whether bachelor students in Computer Science (CS) enrolled in a Software Technologies for the Web (STW) course were equipped to manage security concerns in the development of (e-commerce) web apps. The gathered evidence highlighted that students enrolled in this course in a.y. (academic year) 2021-22 were not equipped to develop secure web apps, although they regarded security as a relevant development aspect. We then delineated a training plan to fill this gap. In this paper, we present the results from the enactment of this plan and the gained experience. In particular, our training plan involved (CS) bachelor students enrolled in the STW course in the a.y. 2022-23, and one of the implemented actions consisted of asking these students (who were different from those enrolled in the a.y. 2021-22) to use in their development pipeline a Static Analysis Tool (SAT), namely SonarCloud, to detect security concerns. The students were asked to use SonarCloud, but not forced to remove detected security concerns. One of the most important results, deriving from the enactment of our intervention, was that the number of security concerns in the web apps developed in a.y. 2022-23 was significantly lower than in those developed in a.y. 2021-22. Since software security is nowadays of primary relevance, we must train the next generation of developers to develop secure web apps and let them experience, in university courses, the use of tools to support the development of secure software.
@inproceedings{Nocera:IcseSet:2024,
  author    = {Nocera, Sabato and Romano, Simone and Francese, Rita and Scanniello, Giuseppe},
  title     = {Training for Security: Results from Using a Static Analysis Tool in the Development Pipeline of Web Apps},
  year      = {2024},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  url       = {https://doi.org/10.1145/3639474.3640073},
  doi       = {10.1145/3639474.3640073},
  booktitle = {Proceedings of the 46th International Conference on Software Engineering: Software Engineering Education and Training},
  pages     = {253--263},
  location  = {Lisbon, Portugal},
  series    = {ICSE-SEET '24}
}
[C5] Nocera, S., Romano, S., Di Penta, M., Francese, R., & Scanniello, G. (2023, October). Software bill of materials adoption: a mining study from GitHub. In 2023 IEEE International Conference on Software Maintenance and Evolution (ICSME) (pp. 39-49). IEEE.
A Software Bill of Materials (SBOM) is a complete, formally structured list of all the open-source and proprietary software components present in a software product, including their licenses, versions, and vendors. SBOMs enable software creators and consumers to gain visibility into the software supply chain and monitor any risks associated with security or licensing. Thereby, the United States Government and the European Union have brought SBOMs to the forefront of digital policy. In this paper, we present the results of an exploratory mining study that aims to investigate the adoption of SBOMs by open-source software projects. To that end, we mined GitHub to identify repositories that use SBOM generation tools developed by SPDX and CycloneDX, identifying a total of 186 public repositories adopting SBOMs. We found that the adoption of SBOMs is low, yet it has an increasing trend. Moreover, SBOM files are available in the repository or published release versions in 46% of the software projects analyzed. SBOMs are getting increasing attention from software creators and consumers. There is a pressing need for organizations to update their software to meet the new standards required for the software supply chain.
@inproceedings{Nocera:Icsme:2023,
  author    = {Nocera, Sabato and Romano, Simone and Di Penta, Massimiliano and Francese, Rita and Scanniello, Giuseppe},
  booktitle = {2023 IEEE International Conference on Software Maintenance and Evolution (ICSME)},
  title     = {Software Bill of Materials Adoption: A Mining Study from GitHub},
  year      = {2023},
  publisher = {IEEE},
  pages     = {39--49},
  url       = {https://doi.org/10.1109/ICSME58846.2023.00016},
  doi       = {10.1109/ICSME58846.2023.00016}
}
We conducted a large-scale fine-grained empirical study in which we quantitatively analyzed the commit histories of 200 Open-Source (OS) Python software systems, whose software repositories were publicly available on GitHub, for a total of 164,980 commits analyzed. We focused on commits—this is why our study is considered fine-grained—to investigate the spread and evolution of security concerns. To detect security concerns at a commit level, we used SonarQube, a popular Static Application Security Testing (SAST) tool. We found, among other things, that: security concerns are spread in OS Python software systems (on average, about 11 security concerns per commit) and tend to survive more than a couple of weeks and a dozen commits; and critical security concerns, despite their high severity level, are the most spread and tend to survive the most. Also, we found that 47 different kinds of security concerns were introduced into the source code of the studied software systems, and the top eight (per number of introductions) are severe and account for 87% of all introduced security concerns. Python developers should pay more attention to security concerns, especially those critical, and use secure coding practices, automated tools, or even DevSecOps to avoid the introduction of security concerns into their source code or fix them as soon as possible.
@inproceedings{Nocera:SeaaStream:2023,
  author    = {Nocera, Sabato and Romano, Simone and Francese, Rita and Scanniello, Giuseppe},
  booktitle = {2023 49th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)},
  title     = {A Large-scale Fine-grained Empirical Study on Security Concerns in Open-source Software},
  year      = {2023},
  pages     = {418--425},
  publisher = {IEEE},
  url       = {https://doi.org/10.1109/SEAA60479.2023.00069},
  doi       = {10.1109/SEAA60479.2023.00069}
}
[C3] Nocera, S., Romano, S., Francese, R., Burlon, R., & Scanniello, G. (2023, September). Managing Vulnerabilities in Software Projects: the Case of NTT Data. In 2023 49th Euromicro Conference on Software Engineering and Advanced Applications (SEAA) (pp. 247-253). IEEE.
Background: Software vulnerabilities are flaws in application source code that can be exploited to cause harm, hence companies must devise strategies to manage them. Aim: We want to understand how software vulnerabilities are managed in a big IT (Information Technology) service and consulting company like NTT Data. Method: We conducted a focus group involving six software professionals working at NTT Data and analyzed the gathered data through a thematic analysis approach. Results: We found that application security standards are defined based on the needs of the clients (i.e., companies that commissioned NTT Data the software to be developed) and the projects' nature (i.e., the development of greenfield projects vs. maintenance of existing ones). Also, to detect software vulnerabilities, SAST (Static Application Security Testing) tools are mainly used; among these, SonarLint and SonarQube appear to be the de-facto standards for NTT Data. Finally, not all software vulnerabilities are fixed; for example, the presence of some software vulnerabilities is tolerated by the clients, who take on the responsibility of not removing these vulnerabilities. Conclusions: It seems that developers and NTT Data clients are not averse to securing their code. NTT Data follows the application security standards established with their clients. To detect software vulnerabilities, SonarLint and SonarQube appear to be the de-facto standards, which explains to some extent the increasing attention paid to these tools by the software engineering research community.
@inproceedings{Nocera:SeaaSm:2023,
  author    = {Nocera, Sabato and Romano, Simone and Francese, Rita and Burlon, Riccardo and Scanniello, Giuseppe},
  booktitle = {2023 49th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)},
  title     = {Managing Vulnerabilities in Software Projects: the Case of NTT Data},
  year      = {2023},
  pages     = {247--253},
  publisher = {IEEE},
  url       = {https://doi.org/10.1109/SEAA60479.2023.00046},
  doi       = {10.1109/SEAA60479.2023.00046}
}
Background: There are a number of academic courses in the Bachelor Program in Computer Science (CS) on the design of Web apps. Often the internal and external quality of the developed Web apps is not adequately taken into account. Aim: We aimed to (i) estimate the quality of Web apps developed by bachelor CS students in a Software Technologies for the Web (STW) course (a.y. 2021-22), (ii) define a training plan (on the basis of the results of the first step) for the students enrolled in this course for the a.y. 2022-23 to let them design and implement better Web apps, and (iii) evaluate the training plan by comparing the quality of Web apps developed in a.y. 2021-22 and a.y. 2022-23. Method: We designed a prospective empirical investigation to study STW with respect to the training of bachelor students on the quality (internal and external) of the developed Web apps. Results: We observed that quality concerns are widespread in the code of the Web apps the STW students developed in the a.y. 2021-22. Therefore, we plan to ask the students of the a.y. 2022-23 to use in their development pipeline a Static Analysis Tool (SAT) to detect quality concerns in the developed Web apps and deal with them. This second step represents an ongoing stage of our research. Conclusions: Our preliminary outcomes suggest that students must be aware that quality is of primary relevance for the development of Web apps and be prepared to use a SAT in the development pipeline.
@inproceedings{Nocera:Ease:2023,
  author    = {Nocera, Sabato and Francese, Rita and Scanniello, Giuseppe},
  title     = {Training Bachelor Students to Design Better Quality Web Apps: Preliminary Results from a Prospective Empirical Investigation},
  year      = {2023},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  url       = {https://doi.org/10.1145/3593434.3593957},
  doi       = {10.1145/3593434.3593957},
  booktitle = {Proceedings of the 27th International Conference on Evaluation and Assessment in Software Engineering},
  pages     = {465--469},
  location  = {Oulu, Finland},
  series    = {EASE '23}
}
We designed a prospective empirical investigation to study our STW (Software Technologies for the Web) course with respect to the training of bachelor students in the context of software security when developing e-commerce Web apps. To that end, we devised the following steps: (i) studying the state of the students enrolled in the STW course in the a.y. (academic year) 2021-22; (ii) defining a training plan for the a.y. 2022-23; and (iii) enacting the plan and measuring the differences (if any) between the students of the a.y. 2021-22 and 2022-23. In this idea paper, we present the results of the first two steps, as well as the evaluation strategy of the proposed training plan. We observed that security concerns are widespread in the code of the Web apps the students of the STW course (a.y. 2021-22) developed. Therefore, we plan (second step) to ask the students of the STW course (a.y. 2022-23) to use in their development pipeline a Static Analysis Tool (SAT) to detect security concerns.
@inproceedings{Nocera:IcseSeet:2023,
  author    = {Nocera, Sabato and Romano, Simone and Francese, Rita and Scanniello, Giuseppe},
  booktitle = {2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET)},
  title     = {Training for Security: Planning the Use of a SAT in the Development Pipeline of Web Apps},
  year      = {2023},
  pages     = {40--45},
  publisher = {IEEE},
  url       = {https://doi.org/10.1109/ICSE-SEET58685.2023.00010},
  doi       = {10.1109/ICSE-SEET58685.2023.00010}
}