A Systematic Literature Review on Action Alert Identification Strategies for the Analysis of Automated Static Code

1. Introduction

Static analysis refers to the process of evaluating a component or system based on its structure, form, documentation or content (Myers, 2009). Automated Static Analysis (ASA) can determine common coding problems early in the development process, using a tool which automates source code inspection. ASA then reports possible anomalies in the source code, often called alerts, which come in the form of buffer overflows, null pointer dereferences, as well as style inconsistencies. Developers then work towards inspecting every alert in order to identify whether or not the alert is indeed an indication of a viable anomaly which needs to be fixed (Stan & Fowler, 2011). If a developer determines that the alert is valid and fixable, it becomes an 'actionable alert'. When the alert does not prove to be an anomaly, or when the developer views it as unimportant (a source code anomaly which is inconsequential to the functionality of the program, as perceived by the developer), the alert is termed an 'unactionable alert' (Harris, 2012).

2. Overview of the Systematic Literature Review Method

We used the SLR guidelines described by Kichel (2008) in order to develop our protocol. This protocol is used in addressing the different research objectives proposed in the study. It describes the research question, the strategy for searching for relevant studies, the analysis of the selected studies, as well as data synthesis.

2.1 Research Questions

We have derived the questions used in the research directly from the list of SLR objectives. We want to answer the following:

• What are the different categories of artifacts that are used for AAIT input?
• What are the approaches used for the AAIT?
• What conclusions can we draw regarding the efficacy of AAITs from the results gathered in the chosen studies?
• What are the challenges encountered during research?

Since AAITs are applied after ASA, we are interested in first understanding the information sources used in generating the prioritization or classification of an alert. Afterwards, we want to determine the underlying algorithms involved in prioritizing or classifying alerts (Simmon, 2010).

2.2 Search Strategy

This section covers the process involved in generating the search strategy, the search terms, the searched databases, and the documentation used in the search.

2.3 Search Strategy and Terms

We have identified some key terms for the search from previous experience in the subject area. The main term used for the search is 'static analysis', focusing on solutions which determine actionable alerts when performing ASA (Roldenson & Waltz, 2003). The other search terms are classified into two groups: techniques for identification, and descriptive alert names generated by static analysis.

3. Overview of Studies

We have identified 23 studies in the literature which focus on prioritizing or classifying alerts that are generated by ASA. A quick look at the studies shows that all work performed on AAITs was done during or after the year 2003, except one, and most of it was published in 2007 to 2008 (Walter, 2010). On top of that, we have also considered the publication venues for the papers selected.

4. Software Characteristics

One common characteristic among AAITs is that they use additional information regarding software artifacts with the purpose of prioritizing or classifying alerts as either actionable or unactionable. This additional information is called the software artifact characteristics, and it serves as an independent variable when it comes to predicting the so-called actionable alerts (Mosley, Beuby, & Walter, 2008).

5. Classification AAITs

These classification AAITs divide the alerts into two batches: the alerts which are likely to be actionable, as well as the alerts which are most likely to be unactionable (Gosby, 2010). For every AAIT, we reported in the paper a description of the AAIT, the input in the form of the artifact characteristics used, the ASA used, the AAIT type, the programming language used, as well as the research methodology. If no name is used in the selected study, we make a name from the first letter of the last names of the first three authors, followed by the last two digits of the publication year (Moffat, 2010).

References

Gosby, H. A. (2010). Integrating dynamic and static analysis for the detection of vulnerabilities. In: The 30th Annual Global Computer Application Software, Chicago, Illinois, USA, August 16–20, 2010, pp. 34–56.
Harris, J. (2012). Applying static analysis in multi-threaded, large-scale Java programs. Business Insider, 32(2), 23–25.
Kichel, Y. U. (2008). Ranking software inspection output using static profiling. Computer Applications Analysis, 34(3), 34–45.
Moffat, P. W. (2010). Use of data flow analysis in static profiling. Software Business Publication, 34(2), 23–34.
Mosley, T., Beuby, W., & Walter, U. (2008). Correlation exploitation - Statistical Analysis. Analysis Symposium Workbook, 12(1), 234–245.
Myers, E. R. (2009). IEEE Standard for Software Analysis Reviews. Software Engineering Vocabulary, 23(1), 34–36.
Roldenson, P. O., & Waltz, E. (2003). Ranking software inspections and prioritizing analysis. Standard Software Conference, 23(4), 23–36.
Simmon, T. (2010). A meta-analysis for effectively prioritizing errors in programming. Computer Science Journal, 23(3), 45–67.
Stan, Y. J., & Fowler, T. (2011). Dynamically discovering program invariants in supporting program evaluation. The Business Journal, 34(2), 123–145.
Walter, Y. (2010). Writing dependable computer engineering research. Computer Engineering Journal, 34(4), 23–35.
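The alert triage described in Sections 1, 4 and 5 (an ASA tool emits alerts; software artifact characteristics serve as independent variables; a classification AAIT splits the alerts into a likely-actionable and a likely-unactionable batch, optionally ranking them first) can be made concrete with the following added Python example. It is not code from this review or from any of the cited studies. The "path:line: CHECKER: message" alert format, the characteristic names (churn_commits, in_test_code, previously_suppressed, reachable), the per-checker historical fix rates and the scoring weights are all constructed for illustration, and the technique is a simple weighted scoring rule rather than any particular AAIT from the literature.

```python
import re
from dataclasses import dataclass

# Constructed ASA output in a simple text form; no real tool's output is reproduced here.
SAMPLE_ASA_OUTPUT = """\
src/net/parse.c:42: BUFFER_OVERFLOW: write of 64 bytes into 32-byte buf
src/util/str.c:118: NULL_DEREF: pointer p may be NULL here
test/test_str.c:9: NULL_DEREF: pointer q may be NULL here
src/main.c:3: UNUSED_IMPORT: header time.h is never used
src/legacy/old.c:77: BUFFER_OVERFLOW: index i may exceed bounds
"""

# Constructed artifact characteristics per alert location (the independent
# variables of Section 4). A real AAIT would mine these from version-control
# history, earlier developer decisions and the ASA tool's own metadata.
CHARACTERISTICS = {
    "src/net/parse.c:42":  dict(churn_commits=7,  in_test_code=False, previously_suppressed=False, reachable=True),
    "src/util/str.c:118":  dict(churn_commits=1,  in_test_code=False, previously_suppressed=True,  reachable=True),
    "test/test_str.c:9":   dict(churn_commits=0,  in_test_code=True,  previously_suppressed=False, reachable=True),
    "src/main.c:3":        dict(churn_commits=12, in_test_code=False, previously_suppressed=False, reachable=True),
    "src/legacy/old.c:77": dict(churn_commits=2,  in_test_code=False, previously_suppressed=False, reachable=False),
}

# Constructed prior, in percent: how often alerts of each checker were fixed historically.
CHECKER_FIX_RATE = {
    "BUFFER_OVERFLOW": 80,
    "NULL_DEREF": 65,
    "UNUSED_IMPORT": 10,
    "STYLE_LINE_LENGTH": 5,
}
DEFAULT_FIX_RATE = 30  # used for checkers with no history

ALERT_RE = re.compile(r"^(?P<path>[^:]+):(?P<line>\d+): (?P<checker>[A-Z_]+): (?P<message>.*)$")


@dataclass(frozen=True)
class Alert:
    path: str
    line: int
    checker: str
    message: str
    churn_commits: int = 0
    in_test_code: bool = False
    previously_suppressed: bool = False
    reachable: bool = True

    @property
    def key(self) -> str:
        return f"{self.path}:{self.line}"


def parse_alerts(text: str, characteristics: dict) -> list:
    """Parse the constructed text format and join each alert with its characteristics."""
    alerts = []
    for raw in text.splitlines():
        m = ALERT_RE.match(raw)
        if not m:  # tolerate banners, blank lines and summary lines a tool may print
            continue
        chars = characteristics.get(f"{m['path']}:{m['line']}", {})
        alerts.append(Alert(m["path"], int(m["line"]), m["checker"], m["message"], **chars))
    return alerts


def score(alert: Alert) -> int:
    """Integer 0..100 estimate that the alert is actionable (constructed weights)."""
    s = CHECKER_FIX_RATE.get(alert.checker, DEFAULT_FIX_RATE)
    s += min(alert.churn_commits, 10) * 2      # frequently changed code gets attention sooner
    if alert.in_test_code:
        s -= 20                                 # test code anomalies are usually less consequential
    if alert.previously_suppressed:
        s -= 40                                 # the developer already judged this spot unactionable
    if not alert.reachable:
        s -= 30                                 # dead code cannot produce the reported failure
    return max(0, min(100, s))


def prioritize(alerts: list) -> list:
    """Prioritization view: highest score first, location as a stable tie-break."""
    return sorted(alerts, key=lambda a: (-score(a), a.key))


def classify(alerts: list, threshold: int = 50) -> tuple:
    """Classification view (Section 5): split the ranked list into two batches."""
    ranked = prioritize(alerts)
    actionable = [a for a in ranked if score(a) >= threshold]
    unactionable = [a for a in ranked if score(a) < threshold]
    return actionable, unactionable


if __name__ == "__main__":
    act, unact = classify(parse_alerts(SAMPLE_ASA_OUTPUT, CHARACTERISTICS))
    for label, batch in (("ACTIONABLE", act), ("UNACTIONABLE", unact)):
        for a in batch:
            print(f"{label:12} {score(a):3d} {a.key} {a.checker}: {a.message}")
```

With the constructed inputs the two BUFFER_OVERFLOW alerts land in the actionable batch (the reachable one ranked first) while the previously suppressed NULL_DEREF, the test-code NULL_DEREF and the UNUSED_IMPORT alert are classified unactionable; moving the threshold or the weights changes the split, which is exactly why the review treats the chosen artifact characteristics as the independent variables of each AAIT.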