Modeling Java Web Systems Architectures for Call Graph Construction

Master thesis


Web applications are the most vulnerable software to security threats. Static code analysis can be used for automatic detection of security vulnerabilities. To analyze these applications, we need complete call graphs (the precision is a plus). In the Java-based web frameworks (e.g. Spring) the use of dynamic constructs and reflection makes the construction of the call graphs incomplete. This missing information is relevant for the detection of security vulnerabilities. In practice, we append the missing information after the construction using a model of the framework. The goal of the thesis is to design a general model of Java web frameworks that can be used for the construction of call graphs. The approach should demonstrate the applicability on the Java Spring framework.



  • Model the lifecycle of the Spring framework [2]
  • Propose an approach for call graph construction
  • Define security test cases for evaluation
  • Apply the approach on an existing web applications
  • Optional: Generalize the approach for other frameworks


  • Programing experience (preferably in Java)
  • Prior knowledge in static analysis methods (e.g. data flow analysis)
  • Experience with Soot framework [1] (optional) 

Learning outcomes: 

  • Work on your own research project (design, management, analysis, implementation, documentation)
  • Learn research methods in static code analysis
  • Contribute to an open-source project
  • Learn how to apply your research results into industrial context 



Goran Piskachev (