Publications

You can also find my articles on my Google Scholar or DBLP profiles.

MSR4SBOM: Mining Software Repositories for enhanced Software Bills of Materials

Published in Proceedings of the 18th International Symposium on Empirical Software Engineering and Measurement (ESEM), 2024

Abstract: MSR4SBOM (Mining Software Repositories for enhanced Software Bills of Materials) is a project whose main goal is to deliver a framework that analyzes the content of software repositories and SBOMs to provide context-sensitive recommendations. The expected outputs are (i) a set of approaches and tools released as open-source projects, making them exploitable in industrial, academic, and open-source contexts; and (ii) replication packages of our empirical studies and repositories of datasets collected while developing, calibrating, and validating the MSR4SBOM approaches and tools.

Recommended citation: Giuseppe Scanniello, Massimiliano Di Penta, Simone Romano, Rita Francese, Sabato Nocera, Pietro Cassieri, Daniele Bifolco, and Fiorella Zampetti. 2024. MSR4SBOM: Mining Software Repositories for enhanced Software Bills of Materials. In Proceedings of the 18th International Symposium on Empirical Software Engineering and Measurement (ESEM '24). Association for Computing Machinery, New York, NY, USA.

If it’s not SBOM, then what? How Italian Practitioners Manage the Software Supply Chain

Published in Proceedings of the 40th International Conference on Software Maintenance and Evolution (ICSME), 2024

Abstract: A Software Bill of Materials (SBOM) describes, in a structured, machine-readable format, the open-source and proprietary components that constitute a software product, including their licenses, versions, vendors, vulnerabilities, and dependency relationships. SBOMs enable practitioners to gain visibility into the software supply chain and monitor any risks associated with software security, licensing, and more. In this industry paper, we present the findings of 10 semi-structured interviews with practitioners with different roles in six different software companies operating in Italy, some of which are very large multinationals. The gathered information indicates that the adoption of SBOMs is low, yet the attention of the software industry to software supply chain-related challenges is high. A possible reason behind this outcome is that the software industry has limited knowledge of SBOMs and software supply chain regulations. Although some participants showed a growing interest in SBOMs, the Italian software industry seems to respond less promptly to this technology. We plan to use these results and those from past research to design a survey with practitioners to have a complete picture of SBOM usage in the software industry.

Recommended citation: S. Nocera, M. D. Penta, R. Francese, S. Romano and G. Scanniello, "If it’s not SBOM, then what? How Italian Practitioners Manage the Software Supply Chain," 2024 IEEE International Conference on Software Maintenance and Evolution (ICSME), Flagstaff, Arizona, 2024.

Do Static Analysis Tools Improve Awareness and Attitude Toward Secure Software Development?

Published in Proceedings of 17th International Conference on the Quality of Information and Communications Technology (QUATIC), 2024

Abstract: We conducted a preliminary qualitative investigation into the Bachelor’s students’ perception of the usefulness of a Static Analysis Tool (i.e., SonarCloud) in assessing software security. The results revealed that the students considered SonarCloud user-friendly, simple to set up, and easy to learn. Additionally, the students recognized an improvement in their awareness and attitude toward secure software development, as well as with the use of a tool widely adopted in both open-source communities and the software industry. The results suggest that the use of SonarCloud improves students’ software security skills, which are demanded by the labor market.

Recommended citation: Nocera, S., Romano, S., Di Nucci, D., Francese, R., Palomba, F., Scanniello, G. (2024). Do Static Analysis Tools Improve Awareness and Attitude Toward Secure Software Development? In: Bertolino, A., Pascoal Faria, J., Lago, P., Semini, L. (eds) Quality of Information and Communications Technology. QUATIC 2024. Communications in Computer and Information Science, vol 2178. Springer, Cham. pp. 399–407. https://doi.org/10.1007/978-3-031-70245-7_28

On the Accuracy of GitHub’s Dependency Graph

Published in Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering (EASE), 2024

Abstract: GitHub’s dependency graph shows dependency relationships between repositories. This feature is leveraged by tools such as Dependabot, or GitHub’s feature to export SBOM (Software Bill of Materials) files. Also, it has been used in empirical studies. Inaccuracies in the dependency graph might negatively affect both the effectiveness of tools and the results of the conducted studies. In this paper, we present the results of a mining study to assess the accuracy of GitHub’s dependency graph in Java and Python open-source software projects. In particular, on April 16th, 2023, we randomly sampled 297 software projects developed in Java and 338 developed in Python (all hosted on GitHub), each using GitHub’s dependency graph. Then, we performed three analyses to assess how accurate GitHub’s dependency graph is: (i) backward analysis, focusing on the accuracy of the dependencies of a given repository, as reported in GitHub’s dependency graph; (ii) forward analysis, focusing on the accuracy of the dependents of a given repository, as reported in GitHub’s dependency graph; and (iii) manifest/lock file analysis, focusing on the correspondence between the dependencies reported in the dependency graph of a given repository and what was reported in the corresponding manifest/lock files. The obtained results highlight several inaccuracies in GitHub’s dependency graph, which might affect the output of tools based on GitHub’s dependency graph (e.g., Dependabot and SBOM generators) as well as the outcomes of past empirical studies. We also provide qualitative insights into these inaccuracies and implications for practitioners and researchers.

Recommended citation: Daniele Bifolco, Sabato Nocera, Simone Romano, Massimiliano Di Penta, Rita Francese, and Giuseppe Scanniello. 2024. On the Accuracy of GitHub's Dependency Graph. In Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering (EASE '24). Association for Computing Machinery, New York, NY, USA, 242–251. https://doi.org/10.1145/3661167.3661175

Training for Security: Results from Using a Static Analysis Tool in the Development Pipeline of Web Apps

Published in Proceedings of the 46th International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET), 2024

Abstract: In a previous publication, we presented the results of an assessment aimed at understanding whether bachelor students in Computer Science (CS) enrolled in a Software Technologies for the Web (STW) course were equipped to manage security concerns in the development of (e-commerce) web apps. The gathered evidence highlighted that students enrolled in this course in a.y. (academic year) 2021-22 were not equipped to develop secure web apps, although they regarded security as a relevant development aspect. We then delineated a training plan to fill this gap. In this paper, we present the results from the enactment of this plan and the gained experience. In particular, our training plan involved (CS) bachelor students enrolled in the STW course in the a.y. 2022-23, and one of the implemented actions consisted of asking these students (who were different from those enrolled in the a.y. 2021-22) to use in their development pipeline a Static Analysis Tool (SAT), namely SonarCloud, to detect security concerns. The students were asked to use SonarCloud, but not forced to remove detected security concerns. One of the most important results, deriving from the enactment of our intervention, was that the number of security concerns in the web apps developed in a.y. 2022-23 was significantly lower than in those developed in a.y. 2021-22. Since software security is nowadays of primary relevance, we must train the next generation of developers to develop secure web apps and let them experience, in university courses, the use of tools to support the development of secure software.

Recommended citation: Sabato Nocera, Simone Romano, Rita Francese, and Giuseppe Scanniello. 2024. Training for Security: Results from Using a Static Analysis Tool in the Development Pipeline of Web Apps. In Proceedings of the 46th International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET '24). Association for Computing Machinery, New York, NY, USA, 253–263. https://doi.org/10.1145/3639474.3640073

Software Bill of Materials Adoption: A Mining Study from GitHub

Published in Proceedings of the 39th International Conference on Software Maintenance and Evolution (ICSME), 2023

Abstract: A Software Bill of Materials (SBOM) is a complete, formally structured list of all the open-source and proprietary software components present in a software product, including their licenses, versions, and vendors. SBOMs enable software creators and consumers to gain visibility into the software supply chain and monitor any risks associated with security or licensing. Thereby, the United States Government and the European Union have brought SBOMs to the forefront of digital policy. In this paper, we present the results of an exploratory mining study that aims to investigate the adoption of SBOMs by open-source software projects. To that end, we mined GitHub to identify repositories that use SBOM generation tools developed by SPDX and CycloneDX, identifying a total of 186 public repositories adopting SBOMs. We found that the adoption of SBOMs is low, yet it has an increasing trend. Moreover, SBOM files are available in the repository or published release versions in 46% of the software projects analyzed. SBOMs are getting increasing attention from software creators and consumers. There is a pressing need for organizations to update their software to meet the new standards required for the software supply chain.

Recommended citation: S. Nocera, S. Romano, M. D. Penta, R. Francese and G. Scanniello, "Software Bill of Materials Adoption: A Mining Study from GitHub," 2023 IEEE International Conference on Software Maintenance and Evolution (ICSME), Bogotá, Colombia, 2023, pp. 39-49, doi: 10.1109/ICSME58846.2023.00016.

A Large-scale Fine-grained Empirical Study on Security Concerns in Open-source Software

Published in Proceedings of the 49th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), 2023

Abstract: We conducted a large-scale fine-grained empirical study in which we quantitatively analyzed the commit histories of 200 Open-Source (OS) Python software systems, whose software repositories were publicly available on GitHub, for a total of 164,980 commits analyzed. We focused on commits—this is why our study is considered fine-grained—to investigate the spread and evolution of security concerns. To detect security concerns at a commit level, we used SonarQube, a popular Static Application Security Testing (SAST) tool. We found, among other things, that: security concerns are spread in OS Python software systems (on average, about 11 security concerns per commit) and tend to survive more than a couple of weeks and a dozen commits; and critical security concerns, despite their high severity level, are the most spread and tend to survive the most. Also, we found that 47 different kinds of security concerns were introduced into the source code of the studied software systems, and the top eight (per number of introductions) are severe and account for 87% of all introduced security concerns. Python developers should pay more attention to security concerns, especially those critical, and use secure coding practices, automated tools, or even DevSecOps to avoid the introduction of security concerns into their source code or fix them as soon as possible.

Recommended citation: S. Nocera, S. Romano, R. Francese and G. Scanniello, "A Large-scale Fine-grained Empirical Study on Security Concerns in Open-source Software," 2023 49th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), Durres, Albania, 2023, pp. 418-425, doi: 10.1109/SEAA60479.2023.00069.

Managing Vulnerabilities in Software Projects: the Case of NTT Data

Published in Proceedings of the 49th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), 2023

Abstract: Background: Software vulnerabilities are flaws in application source code that can be exploited to cause harm, hence companies must devise strategies to manage them.
Aim: We want to understand how software vulnerabilities are managed in a big IT (Information Technology) service and consulting company like NTT Data.
Method: We conducted a focus group involving six software professionals working at NTT Data and analyzed the gathered data through a thematic analysis approach.
Results: We found that application security standards are defined based on the needs of the clients (i.e., companies that commissioned the software from NTT Data) and the projects’ nature (i.e., the development of greenfield projects vs. maintenance of existing ones). Also, to detect software vulnerabilities, SAST (Static Application Security Testing) tools are mainly used; among these, SonarLint and SonarQube appear to be the de-facto standards for NTT Data. Finally, not all software vulnerabilities are fixed; for example, the presence of some software vulnerabilities is tolerated by the clients, who take on the responsibility of not removing these vulnerabilities.
Conclusions: It seems that developers and NTT Data clients are not averse to securing their code. NTT Data follows the application security standards established with their clients. To detect software vulnerabilities, SonarLint and SonarQube appear to be the de-facto standards, which explains to some extent the increasing attention on these tools by the software engineering research community.

Recommended citation: S. Nocera, S. Romano, R. Francese, R. Burlon and G. Scanniello, "Managing Vulnerabilities in Software Projects: the Case of NTT Data," 2023 49th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), Durres, Albania, 2023, pp. 247-253, doi: 10.1109/SEAA60479.2023.00046.

Training Bachelor Students to Design Better Quality Web Apps: Preliminary Results from a Prospective Empirical Investigation

Published in Proceedings of the 27th International Conference on Evaluation and Assessment in Software Engineering (EASE), 2023

Abstract: Background: There are a number of academic courses in the Bachelor Program in Computer Science (CS) on the design of Web apps. Often the internal and external quality of the developed Web apps is not adequately taken into account.
Aim: We aimed to (i) estimate the quality of Web apps developed by bachelor CS students in a Software Technologies for the Web (STW) course (a.y. 2021-22), (ii) define a training plan (on the basis of the results of the first step) for the students enrolled in this course for the a.y. 2022-23 to let them design and implement better Web apps, and (iii) experiment with the training plan by comparing the quality of Web apps developed in a.y. 2021-22 and a.y. 2022-23.
Method: We designed a prospective empirical investigation to study STW with respect to the training of bachelor students with respect to the quality (internal and external) of the developed Web apps.
Results: We observed that quality concerns are widespread in the code of the Web apps the STW students developed in the a.y. 2021-22. Therefore, we plan to ask the students of the a.y. 2022-23 to use in their development pipeline a Static Analysis Tool (SAT) to detect quality concerns in the developed Web apps and deal with them. This second step represents an ongoing stage of our research.
Conclusions: Our preliminary outcomes suggest that students must be aware that quality is of primary relevance for the development of Web apps and prepared to use SAT in the development pipeline.

Recommended citation: Sabato Nocera, Rita Francese, and Giuseppe Scanniello. 2023. Training Bachelor Students to Design Better Quality Web Apps: Preliminary Results from a Prospective Empirical Investigation. In Proceedings of the 27th International Conference on Evaluation and Assessment in Software Engineering (EASE '23). Association for Computing Machinery, New York, NY, USA, 465–469. https://doi.org/10.1145/3593434.3593957

Training for Security: Planning the Use of a SAT in the Development Pipeline of Web Apps

Published in Proceedings of the 45th International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET), 2023

Abstract: We designed a prospective empirical investigation to study our STW (Software Technologies for the Web) course with respect to the training of bachelor students in the context of software security when developing e-commerce Web apps. To that end, we devised the following steps: (i) studying the state of the students enrolled in the STW course in the a.y. (academic year) 2021-22; (ii) defining a training plan for the a.y. 2022-23; and (iii) enacting the plan and measuring the differences (if any) between the students of the a.y. 2021-22 and 2022-23. In this idea paper, we present the results of the former two steps, as well as the evaluation strategy of the proposed training plan. We observed that security concerns are widespread in the code of the Web apps the students of the STW course (a.y. 2021-22) developed. Therefore, we plan (second step) to ask the students of the STW course (a.y. 2022-23) to use in their development pipeline a Static Analysis Tool (SAT) to detect security concerns.

Recommended citation: S. Nocera, S. Romano, R. Francese and G. Scanniello, "Training for Security: Planning the Use of a SAT in the Development Pipeline of Web Apps," 2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET), Melbourne, Australia, 2023, pp. 40-45, doi: 10.1109/ICSE-SEET58685.2023.00010.