{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2023,11,29]],"date-time":"2023-11-29T00:58:53Z","timestamp":1701219533300},"reference-count":36,"publisher":"MDPI AG","issue":"12","license":[{"start":{"date-parts":[[2023,11,28]],"date-time":"2023-11-28T00:00:00Z","timestamp":1701129600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Ministry of Innovation and Technology of Hungary from the National Research, Development, and Innovation Fund","award":["TKP2021-NVA-29"]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"Static analysis is a software testing technique that analyzes the code without executing it. It is widely used to detect vulnerabilities, errors, and other issues during software development. Many tools are available for static analysis of Java code, including SpotBugs. Methods that perform a security check must be declared private or final; otherwise, they can be compromised when a malicious subclass overrides the methods and omits the checks. In Java, security checks can be performed using the SecurityManager class. This paper addresses the aforementioned problem by building a new automated checker that raises an issue when this rule is violated. The checker is built under the SpotBugs static analysis tool. 
We evaluated our approach on both custom test cases and real-world software, and the results revealed that the checker successfully detected related bugs in both with optimal metrics values.<\/jats:p>","DOI":"10.3390\/computers12120247","type":"journal-article","created":{"date-parts":[[2023,11,28]],"date-time":"2023-11-28T12:40:01Z","timestamp":1701175201000},"page":"247","source":"Crossref","is-referenced-by-count":0,"title":["Design and Implement an Accurate Automated Static Analysis Checker to Detect Insecure Use of SecurityManager"],"prefix":"10.3390","volume":"12","author":[{"ORCID":"http:\/\/orcid.org\/0000-0001-9881-5854","authenticated-orcid":false,"given":"Midya","family":"Alqaradaghi","sequence":"first","affiliation":[{"name":"Department of Programming Languages and Compilers, ELTE E\u00f6tv\u00f6s Lor\u00e1nd University, P\u00e1zm\u00e1ny P\u00e9ter stny. 1\/C, H-1117 Budapest, Hungary"},{"name":"Technical Engineering College of Kirkuk, Northern Technical University, Kirkuk 36001, Iraq"}]},{"ORCID":"http:\/\/orcid.org\/0009-0005-7236-5759","authenticated-orcid":false,"given":"Muhammad Zafar Iqbal","family":"Nazir","sequence":"additional","affiliation":[{"name":"Department of Programming Languages and Compilers, ELTE E\u00f6tv\u00f6s Lor\u00e1nd University, P\u00e1zm\u00e1ny P\u00e9ter stny. 1\/C, H-1117 Budapest, Hungary"}]},{"ORCID":"http:\/\/orcid.org\/0000-0003-4484-9172","authenticated-orcid":false,"given":"Tam\u00e1s","family":"Kozsik","sequence":"additional","affiliation":[{"name":"Department of Programming Languages and Compilers, ELTE E\u00f6tv\u00f6s Lor\u00e1nd University, P\u00e1zm\u00e1ny P\u00e9ter stny. 1\/C, H-1117 Budapest, Hungary"}]}],"member":"1968","published-online":{"date-parts":[[2023,11,28]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Algarni, A.M. (2022). The Historical Relationship between the Software Vulnerability Life cycle and Vulnerability Markets: Security and Economic Risks. 
Computers, 11.","DOI":"10.3390\/computers11090137"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"1125","DOI":"10.1002\/spe.3181","article-title":"Bug detection in Java code: An extensive evaluation of static analysis tools using Juliet Test Suites","volume":"53","author":"Amankwah","year":"2023","journal-title":"Softw.-Pract. Exp."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Sun, P., Kim, D.K., Ming, H., and Lu, L. (2022). Measuring Impact of Dependency Injection on Software Maintainability. Computers, 11.","DOI":"10.3390\/computers11090141"},{"key":"ref_4","first-page":"1","article-title":"Inferring the Best Static Analysis Tool for Null Pointer Dereference in Java Source Code","volume":"3237","author":"Alqaradaghi","year":"2022","journal-title":"CEUR Workshop Proc."},{"key":"ref_5","unstructured":"Chess, B., and West, J. (2007). Secure Programming with Static Analysis, Addison-Wesley."},{"key":"ref_6","unstructured":"(2023, September 30). Java Documentation, Class SecurityManager. Available online: https:\/\/docs.oracle.com\/javase\/8\/docs\/api\/java\/lang\/SecurityManager.html."},{"key":"ref_7","unstructured":"(2023, September 30). SEI CERT Oracle Coding Standard for Java, MET03-J: Methods that Perform a Security Check Must Be Declared Private or Final. Available online: https:\/\/wiki.sei.cmu.edu\/confluence\/display\/java\/MET03-J.+Methods+that+perform+a+security+check+must+be+declared+private+or+final."},{"key":"ref_8","unstructured":"(2023, September 20). SpotBugs, Find Bugs in Java Programs. Available online: https:\/\/spotbugs.github.io\/."},{"key":"ref_9","unstructured":"(2023, November 02). TIOBE Index for October 2023. Available online: https:\/\/www.tiobe.com\/tiobe-index."},{"key":"ref_10","unstructured":"(2023, September 30). Java Documentation, JEP 411: Deprecate the Security Manager for Removal. Available online: https:\/\/openjdk.org\/jeps\/411."},{"key":"ref_11","unstructured":"(2023, November 02). 
Searching for SecurityManager in GitHub. Available online: https:\/\/github.com\/search?q=SecurityManager+language%3AJava&type=code."},{"key":"ref_12","unstructured":"(2023, November 01). SEI CERT Oracle Coding Standard for Java, MET04-J. Do Not Increase the Accessibility of Overridden or Hidden Methods. Available online: https:\/\/wiki.sei.cmu.edu\/confluence\/display\/java\/MET04-J.+Do+not+increase+the+accessibility+of+overridden+or+hidden+methods."},{"key":"ref_13","unstructured":"(2023, November 01). Parasoft Jtest, Automated Java Software Testing and Static Analysis. Available online: https:\/\/www.parasoft.com\/."},{"key":"ref_14","unstructured":"(2023, November 01). PVS-Studio, Static Analyzer on Guard of Code Quality, Security (SAST), and Code Safety. Available online: https:\/\/pvs-studio.com\/en\/."},{"key":"ref_15","unstructured":"(2023, November 01). SonarQube, A Self-Managed, Automatic Code Review Tool that Systematically Helps You Deliver Clean Code. Available online: https:\/\/docs.sonarsource.com\/sonarqube\/latest\/."},{"key":"ref_16","unstructured":"(2023, November 01). SEI CERT Oracle Coding Standard for Java, MET05-J. Ensure that Constructors Do Not Call Overridable Methods. Available online: https:\/\/wiki.sei.cmu.edu\/confluence\/display\/java\/MET05-J.+Ensure+that+constructors+do+not+call+overridable+methods."},{"key":"ref_17","unstructured":"(2023, November 01). SEI CERT Oracle Coding Standard for Java, MET05-J. Do Not Invoke Overridable Methods in Clone(). Available online: https:\/\/wiki.sei.cmu.edu\/confluence\/pages\/viewpage.action?pageId=88487921."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"192","DOI":"10.1016\/j.cose.2004.08.006","article-title":"Performance of the Java security manager","volume":"24","author":"Herzog","year":"2005","journal-title":"Comput. Secur."},{"key":"ref_19","unstructured":"Joseph, A.B. (2023, November 01). Java Security, Computer Based Learning Unit. 
University of Leeds, Leeds, UK, 8 December 1995. Available online: https:\/\/groups.csail.mit.edu\/mac\/users\/jbank\/javapaper\/javapaper.html."},{"key":"ref_20","unstructured":"Sterbenz, A. (1996, January 9\u201313). An evaluation of the java security model. Proceedings of the IEEE Proceedings 12th Annual Computer Security Applications Conference, San Diego, CA, USA."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"338","DOI":"10.1016\/j.cose.2006.02.003","article-title":"Comparing Java and .NET security: Lessons learned and missed","volume":"25","author":"Paul","year":"2006","journal-title":"Comput. Secur."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1016\/j.scico.2005.07.008","article-title":"Applying security policies through agent roles: A JAAS based approach","volume":"59","author":"Cabri","year":"2006","journal-title":"Sci. Comput. Program."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"1032","DOI":"10.1016\/j.jss.2011.01.053","article-title":"Managing crosscutting concerns in component based systems using a model driven development approach","volume":"84","author":"Clemente","year":"2011","journal-title":"J. Syst. Softw."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"45","DOI":"10.1016\/j.entcs.2006.10.015","article-title":"Impact of Evolution of Concerns in the Model-Driven Architecture Design Approach","volume":"163","author":"Tekinerdogan","year":"2007","journal-title":"Electron. Notes Theor. Comput. Sci."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"791","DOI":"10.1016\/j.future.2004.12.004","article-title":"JoiN: The implementation of a Java-based massively parallel grid","volume":"21","author":"Yero","year":"2005","journal-title":"Futur. Gener. Comput. Syst."},{"key":"ref_26","first-page":"1281","article-title":"Constructing reliable Web applications using atomic actions","volume":"29","author":"Little","year":"1997","journal-title":"Comput. 
Networks"},{"key":"ref_27","unstructured":"(2023, October 15). MET03-J Checker. Available online: https:\/\/github.com\/NazirMuhammadZafarIqbal\/spotbugs\/tree\/MET03."},{"key":"ref_28","unstructured":"(2023, September 25). Public Review of MET03-J Checker. Available online: https:\/\/github.com\/spotbugs\/spotbugs\/pull\/2447."},{"key":"ref_29","unstructured":"(2023, October 20). Elasticsearch: Free and Open, and Distributed, RESTful Search and Analytics Engine at the Heart of the Elastic Stack. Available online: https:\/\/github.com\/elastic\/elasticsearch."},{"key":"ref_30","unstructured":"(2023, October 20). Alphaloop Selective Security Manager: Demonstrates How to Create a Java SecurityManager that Can Be Enabled and Disabled Programmatically on Specific Threads. Available online: https:\/\/github.com\/alphaloop\/selective-security-manager."},{"key":"ref_31","unstructured":"(2023, October 20). Lottie Android, Render After Effects Animations Natively on Android and iOS, Web, and React Native. Available online: https:\/\/github.com\/airbnb\/lottie-android."},{"key":"ref_32","unstructured":"(2023, October 15). Mybatis\u20143, MyBatis SQL Mapper Framework for Java. Available online: https:\/\/github.com\/mybatis\/mybatis-3."},{"key":"ref_33","unstructured":"(2023, October 15). Tomcat, Apache Tomcat Fork that Allows Tomcat Web Applications to Be Written and Run as Jigsaw Modules. Available online: https:\/\/github.com\/pjBooms\/tomcat."},{"key":"ref_34","unstructured":"(2023, October 15). Intellij\u2014Community, IntelliJ IDEA Community Edition. Available online: https:\/\/github.com\/Randgalt\/intellij-community."},{"key":"ref_35","unstructured":"(2023, October 15). Tutorials, Just Announced\u2014\u201cLearn Spring Security Oauth\u201d. Available online: https:\/\/github.com\/virtuoushub\/tutorials."},{"key":"ref_36","unstructured":"(2023, October 10). Netty, Netty Project\u2014An Event-Driven Asynchronous Network Application Framework. 
Available online: https:\/\/github.com\/derklaro\/netty."}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/12\/12\/247\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,28]],"date-time":"2023-11-28T17:37:00Z","timestamp":1701193020000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/12\/12\/247"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,28]]},"references-count":36,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2023,12]]}},"alternative-id":["computers12120247"],"URL":"https:\/\/doi.org\/10.3390\/computers12120247","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11,28]]}}}