Detecting Metadata-Related Bugs in Enterprise Applications

TL;DR

This paper introduces RSL, a domain-specific language for specifying metadata correctness rules, and MeCheck, a tool that uses these rules to detect metadata-related bugs in Java enterprise applications, improving correctness and security.

Contribution

It presents RSL and MeCheck, enabling domain experts to specify and automatically check complex metadata rules, addressing limitations of existing tools.

Findings

MeCheck achieved 100% precision and 96% recall in bug detection.

It identified 156 bugs in open-source datasets, with many already fixed.

RSL allows precise, cross-file static analysis for metadata correctness.

Abstract

When building enterprise applications (EAs) on Java frameworks (e.g., Spring), developers often configure application components via metadata (i.e., Java annotations and XML files). It is challenging for developers to correctly use metadata, because the usage rules can be complex and existing tools provide limited assistance. When developers misuse metadata, EAs become misconfigured, which defects can trigger erroneous runtime behaviors or introduce security vulnerabilities. To help developers correctly use metadata, this paper presents (1) RSL -- a domain-specific language that domain experts can adopt to prescribe metadata checking rules, and (2) MeCheck -- a tool that takes in RSL rules and EAs to check for rule violations. With RSL, domain experts (e.g., developers of a Java framework) can specify metadata checking rules by defining content consistency among XML files, annotations, and Java code. Given such RSL rules and a program to scan, MeCheck interprets rules as cross-file static analyzers, which analyzers scan Java and/or XML files to gather information and look for consistency violations. For evaluation, we studied the Spring and JUnit documentation to manually define 15 rules, and created 2 datasets with 115 open-source EAs. The first dataset includes 45 EAs, and the ground truth of 45 manually injected bugs. The second dataset includes multiple versions of 70 EAs. We observed that MeCheck identified bugs in the first dataset with 100% precision, 96% recall, and 98% F-score. It reported 156 bugs in the second dataset, 53 of which bugs were already fixed by developers. Our evaluation shows that MeCheck helps ensure the correct usage of metadata.