The missing link – A semantic web based approach for integrating screencasts with security advisories

Information and Software Technology (2020)

Abstract
Context: Collaborative tools and repositories have been introduced to facilitate open source software development, allowing projects, developers, and users to share their knowledge and expertise through formal and informal channels such as repositories, Q&A websites, blogs and screencasts. While significant progress has been made in mining and cross-linking traditional software repositories, limited work exists in making multimedia content in the form of screencasts or audio recordings an integrated part of software engineering processes.

Objective: The objective of this research is to provide a standardized ontological representation that allows for a seamless knowledge integration of screencasts with other software artifacts across knowledge resource boundaries.

Method: In this paper, we propose a modeling approach that takes advantage of the Semantic Web and its inference services to capture and establish traceability links between knowledge extracted from different resources such as vulnerability information in NVD, project dependency information from Maven Central, and YouTube screencasts.

Results: We performed a case study on 48 videos that illustrate attacks on vulnerable systems and show that our approach can successfully link relevant vulnerabilities and screencasts with an average precision of 98% and an average recall of 54% when vulnerability identifiers (CVE ID) are explicitly mentioned in the metadata (title and description) of videos. When no CVE ID is present, our initial results show that for a reduced search space (for one vulnerability), using only the textual content of the image frames, our approach is still able to link video-vulnerability pairs and rank the correct result within the top two positions of the result set.

Conclusion: Our approach not only establishes bi-directional, direct, and indirect traceability links from screencasts to these other software artifacts; these links can also be used to guide practitioners in comprehending the potential security impact of vulnerable components in their projects.
Keywords
Crowd-based documentation, Mining video content, Software security vulnerabilities, Software dependencies, Software traceability, Semantic knowledge modeling, Semantic web