Volker Riediger

An Overview of the GXL Graph Exchange Language

GXL (Graph eXchange Language) is designed to be a standard exchange format for graph-based tools. GXL is defined as an XML sublanguage, which offers support for exchanging instance graphs together with their appropriate schema information in a uniform format. Formally, GXL is based on typed, attributed, ordered directed graphs, which are extended by concepts to support representing hypergraphs and hierarchical graphs. Using this general graph model, GXL offers a versatile support for exchanging nearly all kinds of graphs.This report intends to give a short overview on the main features of GXL.

GUPRO - Generic Understanding of Programs An Overview

Abstract GUPRO is an integrated workbench to support program understanding of heterogenous software systems on arbitrary levels of granularity. GUPRO can be adapted to specific needs by an appropriate conceptual model of the target software. GUPRO is based on graph-technology. It heavily relies on graph querying and graph algorithms. Source code is extracted into a graph repository which can be viewed by an integrated querying and browsing facility. For C-like languages GUPRO browsing includesa complete treatment of preprocessor facilities. This paper summarizes the work done on GUPRO during the last seven years.

Model-driven software migration into service-oriented architectures

This paper proposes model-driven techniques to extend IBM’s SOMA method towards migrating legacy systems into Service-Oriented Architectures (SOA). The proposal explores how graph-based querying and transformation techniques enable the integration of legacy assets into a new SOA and how these techniques can be integrated into the overall migration process. The presented approach is applied to the identification and migration of services in an open source Java software system.

The SOAMIG Process Model in Industrial Applications

The SOAMIG Project aims at a general migration process model with an emphasis on transformation-based conversion. The SOAMIG Process Model is divided into several phases and disciplines, which describe and organize general migration activities. The process is applied in two industrial software migration projects addressing architecture and code migration.

Model-Based Privacy Analysis in Industrial Ecosystems

Article 25 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing and the free movement of personal data, refers to data protection by design and by default. Privacy and data protection by design implies that IT systems need to be adapted or focused to technically support privacy and data protection. To this end, we need to verify whether security and privacy are supported by a system, or any change in the design of the system is required. In this paper, we provide a model-based privacy analysis approach to analyze IT systems that provide IT services to service customers. An IT service may rely on different enterprises to process the data that is provided by service customers. Therefore, our approach is modular in the sense that it analyzes the system design of each enterprise individually. The approach is based on the four privacy fundamental elements, namely purpose, visibility, granularity, and retention. We present an implementation of the approach based on the CARiSMA tool. To evaluate our approach, we apply it to an industrial case study.

Using Dynamic Analysis and Clustering for Implementing Services by Reusing Legacy Code

Migrating legacy systems towards Service-Oriented Architectures requires the identification of legacy code that is able to implement the new services. This paper proposes an approach combining dynamic analysis and data mining techniques to map legacy code to business processes and to identify code for service implementations based on this mapping. Validating the clustering solution in a first case study resulted in values of 70,6% in precision and 83,5% in recall.

Supporting privacy impact assessment by model-based privacy analysis

According to Article 35 of the General Data Protection Regulation (GDPR), data controllers are obligated to conduct a privacy impact assessment (PIA) to ensure the protection of sensitive data. Failure to properly protect sensitive data may affect data subjects negatively, and damage the reputation of data processors. Existing PIA approaches cannot be easily conducted, since they are mainly abstract or imprecise. Moreover, they lack a methodology to conduct the assessment concerning the design of IT systems. We propose a novel methodology to support PIA by performing model-based privacy and security analyses in the early phases of the system development. In our methodology, the design of a system is analyzed and, where necessary, appropriate security and privacy controls are suggested to improve the design. Hence, this methodology facilitates privacy by design as prescribed in Article 25 of the GDPR. We evaluated our methodology based on three industrial case studies and a quality-based comparison to the state of the art.

Analyzing XFIG with GUPRO

GUPRO (Generic Unit for Program Understanding, http://www.gupro.de) provides an adaptable and extensible workbench for program understanding and software reengineering. GUPRO is strongly based on graph technology, i.e. source code is parsed into graph structures which are accessible by graph algorithms and a general graph query language GReQL. In GUPRO, these base technologies are combined into reengineering tools like source code browsers, cross referencers or slicers. This paper describes the application of GUPRO on the XFIG Bake-Off, a reverse engineering problem for a tool demonstration at the Working Conference on Reverse Engineering WCRE 2000.

Detecting Conflicts Between Data-Minimization and Security Requirements in Business Process Models.

Detecting conflicts between security and data-minimization requirements is a challenging task. Since such conflicts arise in the specific context of how the technical and organizational components of the target system interact with each other, their detection requires a thorough understanding of the underlying business processes. For example, a process may require anonymous execution for a task that writes data to a secure data storage, where the identity of the writer is needed for the purpose of accountability. To address this challenge, we propose an extension of the BPMN 2.0 business process modeling language to enable: (i) the specification of process-oriented data-minimization and security requirements, (ii) the detection of conflicts between these requirements based on a catalog of domain-independent anti-patterns. The considered security requirements were reused from SecBPMN2, a security-oriented extension of BPMN 2.0, while the data-minimization part is new. SecBPMN2 also provides a graphical query language called SecBPMN2-Q, which we extended to formulate our anti-patterns. We report on feasibility and usability of our approach based on a case study featuring a healthcare management system, and an experimental user study.

Einführung von COBOL-Wartbarkeits-Metriken bei der Debeka

Software-Metriken spielen bei der Beurteilung und Kontrolle von Softwarequalitat eine grose Rolle. Ohne Maszahlen, mit der die Software beschrieben werden kann, bleiben Bewertungen der Systeme subjektiv und wenig aussagekraftig. Gleichwohl ist die Beschreibung von Softwarequalitat durch harte Zahlen nicht fur alle Systeme generisch anwendbar. Im Rahmen des COBUS-Projekts (COBOLBestandsanalyse und -Sanierung) wurden bei der Debeka firmenspezifische Metriken entwickelt, validiert und eingefuhrt. Die Debeka-Gruppe gehort mit ihrem vielfaltigen Versicherungsund Finanzdienstleistungsangebot zu den Top Ten der Versicherungsund Bausparbranche. Der Programmbestand des in COBOL geschriebenen Kernsystems umfasst ca. 15 Mio. Zeilen Code. Mit Hilfe der Maszahlen wurde das COBOL-Kernsystem hinsichtlich seiner Wartbarkeit und Zukunftsfahigkeit vermessen. Basierend darauf soll in Zukunft ein moglicher Sanierungsbedarf ermittelt und die Wirksamkeit von Sanierungsmasnahmen uberpruft werden.