CATMA: Conformance Analysis Tool For Microservice Applications

The microservice architecture allows developers to divide the core functionality of their software system into multiple smaller services. However, this architectural style also makes it harder for them to debug and assess whether the system’s deployment conforms to its implementation. We present CATMA, an automated tool that detects non-conformances between the system’s deployment and implementation. It automatically visualizes and generates potential interpretations for the detected discrepancies. Our evaluation of CATMA shows promising results in terms of performance and providing useful insights. CATMA is available at https://cyber-analytics.nl/catma.github.io/, and a demonstration video is available at https://youtu.be/WKP1hG-TDKc.


INTRODUCTION
Software systems following the microservice architectural paradigm have their core functionality split into multiple smaller components. These microservices (or simply services) of a microservice application (MSA) communicate via lightweight communication protocols such as REST APIs or message brokers. The services of an MSA can be developed, maintained, and deployed independently, paving the way for an increasing trend in the adoption of this architectural style. Despite these benefits, MSAs pose a challenge in gaining a comprehensive overview due to their inherently decoupled and distributed nature. Consequently, debugging faults is a time-consuming process because localizing the root cause is challenging. According to studies, developers usually take several days to debug and find the cause of a fault [9,20]. Many approaches for the automatic extraction of architectural representations of MSAs have been proposed [1,5,10,15], thus addressing the challenge of gaining an overview of an application's architecture. Some approaches combine static and dynamic analysis to build the architectural models. In addition, multiple fault localization techniques for MSAs have been proposed [7,21], which use dynamic analysis to identify faults and pinpoint the root cause in code. However, to the best of our knowledge, no work compares the results from static and dynamic analysis rather than merging them. Moreover, none of the existing fault localization approaches offer explainability in the form of possible interpretations for the faults.
In this paper, we present CATMA, a novel tool designed to analyze and compare statically and dynamically obtained architectural models. CATMA autonomously identifies potential non-conformances between these models, generating easily accessible visualizations for users and providing concise interpretations. These interpretations reduce the number of lines of source code that users need to scrutinize when investigating a non-conformance. We tested CATMA on four open-source MSAs and conducted a preliminary usability study with two participants. The results indicate that the tool effectively supports developers during the localization and debugging of non-conformances, demonstrating its usefulness and potential in the debugging landscape for microservices.

RUNNING EXAMPLE
The software engineering team of ZYX Inc. is working on their new web application for selling tech products. They embrace the microservice architectural style, as this allows them to split up into smaller groups and work independently on the core functionalities of their application. Each member follows the best practices of software engineering: using static analysis to detect faults and testing each functionality before its deployment. After finishing the development, they deploy the application to test it out. To their surprise, they notice that the monitoring service does not receive any metrics data. They are unsure of the cause of this discrepancy, since a static analysis tool correctly detects the line of code that implements the transmission of metrics data and does not raise any warnings. They spend several days analyzing different log files, but have no luck in finding the underlying cause. They scratch their heads and start wondering whether there is a tool that provides:
• the detection of discrepancies between the implementation and deployment of MSAs,
• a high-level overview of such discrepancies, and
• descriptions of the potential root causes.

CATMA
Workflow. Figure 1 depicts CATMA's workflow. First, the Model Processor (1) reads the input models (static and dynamic) to extract architectural components. The obtained data is passed on to the Non-conformance Detector (2), which checks whether there are any non-conformances (discrepancies) between the static and dynamic models. If a non-conformance is detected, it is forwarded to both the Interpretation Generator (3) and the Non-conformance Visualizer (4). The latter (4) collects all detected non-conformances and generates a visualization of the system's architecture that shows the non-conformances. The former (3) generates a set of possible interpretations for each detected non-conformance, which describe potential causes. These interpretations are forwarded to the Interpretation Visualizer (5), which generates HTML pages that visualize the interpretations. CATMA is designed to be modular: each component can be replaced or expanded to fit the user's needs. The tool is invoked via the command line (see Listing 1). Detecting Non-conformances. As static models, CATMA accepts dataflow diagrams (DFDs) like the ones introduced by Schneider and Scandariato [13]. These DFDs are automatically extracted from source code and configuration files by searching for relevant keywords and using them as evidence to build relationships between services. As dynamic models, state machines inferred from HTTP event logs are expected. They are created using a model-inference approach similar to the one presented by Cao et al.
[3]. The approach first extracts logs from a Kubernetes cluster using Packetbeat. It then utilizes Flexfringe [16] to generate behavioral traces and learns a state machine from these traces. The Model Processor extracts services and the connections between them from both input models. These represent the application's architecture and are used to detect non-conformances. In the DFD, nodes and edges depict the services and the information flows between them, respectively. We can, therefore, directly extract the nodes and edges. In a state machine, services and their corresponding relations are represented differently: each transition indicates which services in the system have communicated with each other. Thus, nodes and edges are extracted from the transitions of the state machines. The Model Processor creates a set of nodes and edges for both input models, where edges are represented as "service X → service Y" and denote the communication relationship between the two services.
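As a minimal illustration of this extraction step (the transition format below is a hypothetical simplification, not CATMA's actual data structures), nodes and edges could be derived from transition labels as follows:

```python
def edges_from_transitions(transitions):
    """Derive nodes and 'service X -> service Y' edges from state-machine
    transitions, where each transition is assumed to name the caller and
    callee of an observed HTTP event."""
    nodes, edges = set(), set()
    for caller, callee in transitions:
        nodes.update((caller, callee))
        edges.add(f"{caller} -> {callee}")
    return nodes, edges

# Transitions observed in a learned state machine (sample data).
observed = [("frontend", "catalog"), ("catalog", "database"),
            ("frontend", "catalog")]
nodes, edges = edges_from_transitions(observed)
```

Because nodes and edges are collected into sets, repeated communications collapse into a single edge, matching the set-based representation the Model Processor produces.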
Non-conformances are detected by identifying differences between the sets of nodes and edges. The Non-conformance Detector iterates through the sets and checks for each item whether it exists in both corresponding sets. We define static non-conformances as nodes or edges missing from the static model (compared to the dynamic model) and dynamic non-conformances as those missing from the dynamic model. Each item is tagged according to this comparison, i.e., indicating whether it is present in both models, only the static model, or only the dynamic model. The tagged sets of nodes and edges are passed to components (3) and (4).
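This set comparison can be sketched in a few lines (an illustration only; the names and tag strings are hypothetical, not CATMA's internal API):

```python
def tag_items(static_items, dynamic_items):
    """Tag each node/edge by the model(s) it appears in. An item missing
    from the static model is a static non-conformance; an item missing
    from the dynamic model is a dynamic non-conformance."""
    tagged = {}
    for item in static_items | dynamic_items:
        if item in static_items and item in dynamic_items:
            tagged[item] = "both"
        elif item in static_items:
            tagged[item] = "dynamic non-conformance"  # not observed at runtime
        else:
            tagged[item] = "static non-conformance"   # not found in code model
    return tagged

static_edges = {"frontend -> catalog", "frontend -> metrics"}
dynamic_edges = {"frontend -> catalog", "catalog -> cache"}
tags = tag_items(static_edges, dynamic_edges)
```

In this sample, the implemented but never observed edge to the metrics service is flagged as a dynamic non-conformance, mirroring the running example.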
The Non-conformance Visualizer is responsible for creating a graphical representation of any detected non-conformances. It generates a PlantUML file (see plantuml.com) which presents the nodes and edges as a graph, and in which a coloring scheme highlights any found non-conformances. Model items observed in both models are colored black, items only observed in the static model (dynamic non-conformances) are colored blue, and items only observed in the dynamic model (static non-conformances) are colored orange. In addition, dynamic and static non-conformances are visually distinguished by means of dotted and dashed lines, respectively.
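The coloring scheme can be sketched as follows (the PlantUML component-diagram arrow syntax shown is one plausible encoding, not necessarily the exact output CATMA emits):

```python
def edge_line(src, dst, tag):
    """Render one edge as a PlantUML component-diagram arrow, colored
    and styled according to its conformance tag."""
    color, style = {
        "both": ("black", None),        # present in both models
        "dynamic": ("blue", "dotted"),  # only in the static model
        "static": ("orange", "dashed"), # only in the dynamic model
    }[tag]
    arrow = f"-[#{color},{style}]->" if style else f"-[#{color}]->"
    return f"[{src}] {arrow} [{dst}]"

lines = ["@startuml",
         edge_line("frontend", "catalog", "both"),
         edge_line("frontend", "metrics", "dynamic"),
         edge_line("catalog", "cache", "static"),
         "@enduml"]
```

Keeping the color/style choices in one lookup table makes the scheme easy to adjust, which fits the modular design described above.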
Interpreting Non-conformances. CATMA generates a set of possible interpretations for each detected non-conformance. These interpretations are visualized in an HTML page by the Interpretation Visualizer. The HTML page helps users analyze the potential causes of non-conformances. CATMA presents a specific set of interpretations for each of the two types of non-conformance. The generated HTML pages contain (1) the type, definition, and involved services of the non-conformance, (2) the set of possible interpretations, and (3) additional details that support the understanding of the non-conformance. In the following, (2) and (3) are described further.
Providing Interpretations of Non-conformances. A set of high-level textual interpretations is provided, which describe possible underlying causes of the detected non-conformances. The interpretations are meant to serve as possible starting points to debug found non-conformances. Currently, the generation is based solely on the type of non-conformance, i.e., whether it is static or dynamic. We formulated a text describing possible interpretations for both types of non-conformances, and the corresponding one is presented to the user. As the basis for these interpretations, we collected known causes of non-conformances from the literature (e.g., [8,18]). These causes range from standard programming errors made in software development to common causes for issues encountered by developers of MSAs. As an example, misconfiguration of services is a common cause of dynamic non-conformances in MSAs. When services are not properly configured, they become undiscoverable by other services, leading to missing expected runtime behaviors. CATMA uses this information as a basis for the generation of one interpretation for a dynamic non-conformance. For the collection, we disregarded non-conformances rooted in hardware-related issues, e.g., due to non-deterministic behavior caused by multi-threading or similar effects. Figure 2 presents the set of textual interpretations that are provided for a static non-conformance.
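Since the interpretations currently depend only on the non-conformance type, the selection logic amounts to a simple lookup. The sketch below illustrates this; the interpretation texts are shortened, illustrative placeholders (only the misconfiguration cause is taken from the description above), not the texts CATMA actually presents:

```python
# Hypothetical, abbreviated interpretation catalog keyed by type.
INTERPRETATIONS = {
    "dynamic": [
        "A service may be misconfigured and thus undiscoverable by other "
        "services, so the implemented communication never occurs at runtime.",
        "The code path triggering the communication may not have been "
        "exercised during the observation period.",
    ],
    "static": [
        "The static analysis may have missed evidence of the communication "
        "in the source code or configuration files.",
        "The communication may be established dynamically, e.g., via values "
        "resolved only at runtime.",
    ],
}

def interpret(nonconformance_type):
    """Return the fixed set of interpretations for a non-conformance type."""
    return INTERPRETATIONS[nonconformance_type]
```

A tailored, per-instance selection (as planned in the future work below) would replace this fixed lookup with indicator-based filtering of the catalog.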
Our future work will predominantly focus on this part of the tool, specifically on implementing a more intelligent generation of applicable interpretations. In this regard, we will analyze indicators for each cause of non-conformances. These indicators will then be used to decide whether a cause is plausible for a given non-conformance. This will lead to the generation of a tailored set of possible interpretations for each found non-conformance. The already carried-out analysis of the related literature provides the basis for this future work.
Additional Details. The generated HTML page also presents additional details that could aid the user in understanding the detected non-conformance. In the case of static non-conformances, a state machine is visualized that depicts the unexpected sequential communication behavior detected between the involved services. The most frequently occurring calls between the involved services are presented in a human-readable format right after the state machine model. This insight can be used to understand why such calls were made between the involved services. Figures 3 and 4 show an example of a state machine and the most frequent calls, respectively. In the case of a dynamic non-conformance, we instead leverage the traceability information contained in the static model to point to the code that shows the expected behavior. Specifically, the page presents (1) the line of code responsible for triggering the missing runtime event (i.e., the line of code that should have been executed), (2) the sequence of events that should trigger the missing runtime event, and (3) human-readable call details extracted for the previous point. Figure 5 provides a snapshot of this set of details. Furthermore, the state machines learned for each involved service are presented on the HTML page.
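Extracting the most frequent calls between the involved services can be sketched as a frequency count over the HTTP event log (the event format is a hypothetical simplification of CATMA's input):

```python
from collections import Counter

def most_frequent_calls(events, involved, top=3):
    """Count observed calls whose caller and callee are both among the
    involved services, and return the `top` most frequent ones."""
    counts = Counter(
        (caller, callee, endpoint)
        for caller, callee, endpoint in events
        if caller in involved and callee in involved
    )
    return counts.most_common(top)

# Sample log entries: (caller, callee, endpoint).
events = [("frontend", "catalog", "GET /items"),
          ("frontend", "catalog", "GET /items"),
          ("frontend", "catalog", "POST /cart"),
          ("catalog", "database", "SELECT")]
top_calls = most_frequent_calls(events, {"frontend", "catalog"})
```

Restricting the count to the involved services keeps the human-readable summary focused on the non-conformance under investigation.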

TOOL EVALUATION
Performance Analysis. We evaluated CATMA's performance in terms of the time it takes to detect non-conformances in MSAs. For this, we selected four open-source MSAs [14], deployed them, and created state machine models for them. Then, we ran CATMA on the obtained models and measured the time of the analysis. Table 1 presents the time for analyzing the four selected MSAs (averaged over 10 executions per MSA). This evaluation allows us to quantify the benefits of utilizing CATMA compared to manual analysis. The data clearly demonstrates that CATMA substantially accelerates the analysis process. While developers often invest days in resolving issues (as reported in the study conducted by Zhou et al. [20]), our tool accomplishes the same task in a matter of minutes. Thus, CATMA can substantially reduce the time spent on debugging issues, offering a valuable resource for developers.
Pilot Study. We conducted a small-scale pilot study to investigate CATMA's usefulness. We report an initial assessment of this pilot study based on a think-aloud interview setup with two participants. The participants were recruited from the lab of one of the authors (both with a computer science background) and have no relation to the work done for CATMA. The participants got an introduction to MSAs and were allowed to interact with CATMA before the start of the interview. During the interview, we asked several questions to gain insights into which elements of the output generated by CATMA are the most useful. A complete transcript of the interview can be found on our Figshare page [4]. The following points summarize the most useful elements of CATMA's output: (1) the model-based visualization that shows where non-conformances are detected, (2) the set of possible interpretations providing the potential causes for the corresponding non-conformance, (3) the ability to jump from the dynamic model (state machine) back to the source code, and (4) the type of the non-conformance: static non-conformances, for example, provide insights on the security implications of the system.
Correctness of Dynamic Models. As the state machines approximate the provided log data, it is helpful to understand the trade-off between the correctness and the size of the model, as it could influence the detection of non-conformances: a small state machine generalizes too much and introduces inaccuracies, while a large state machine captures all possible behavior but might be hard to understand and process. To evaluate this aspect, we use a technique similar to the one proposed by Walkinshaw et al. [17]. Table 2 presents the average results computed from a 10-fold cross-validation experiment. As expected, smaller state machines introduce more inaccuracies, leading to lower balanced accuracy scores. This suggests that smaller state machines do lead to more inaccuracies in the detection of non-conformances. Furthermore, the accuracy scores appear to plateau as the state machine grows in size. This suggests that considerably larger state machines do not perform significantly better in the detection of non-conformances, and selecting the largest possible model for the detection is redundant. Learning a moderate-sized state machine from the input data should provide reliable performance for detecting non-conformances.
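Balanced accuracy, the score referenced above, is the mean of sensitivity and specificity and can be computed from a confusion matrix as follows (this is the standard definition, not CATMA-specific code):

```python
def balanced_accuracy(tp, fn, tn, fp):
    """Mean of sensitivity (true-positive rate) and specificity
    (true-negative rate); robust to class imbalance between the
    positive and negative trace samples."""
    sensitivity = tp / (tp + fn)
    specificity = tn / (tn + fp)
    return (sensitivity + specificity) / 2

# Example: a model that accepts 90 of 100 held-out valid traces
# and rejects 40 of 50 invalid ones.
score = balanced_accuracy(tp=90, fn=10, tn=40, fp=10)
```

Unlike plain accuracy, this score does not reward a model that trivially accepts (or rejects) everything when one class dominates the held-out traces.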

RELATED WORK
Several studies have demonstrated that architectural software representations can assist developers during manual system analysis activities [2,6,12]. To automate such processes, several approaches in the related literature combine static and dynamic analysis for architecture reconstruction of MSAs. MicroArt presented by Granchelli et al. [5], MiSAR presented by Alshuqayran et al. [1], and TOSCA presented by Soldani et al. [15] all extract the list of microservices statically by parsing deployment files. Connections between them are detected dynamically by leveraging service discovery services that exist in the analyzed applications or by injecting different monitoring tools. VMAWV presented by Ma et al. [10] instead queries existing service discovery services to retrieve the list of services and uses static analysis to detect connections. While these approaches combine static and dynamic analysis, none of them compare complete architectural models obtained via the two techniques. Since our approach performs this comparison to identify non-conformances, we believe it to be novel in this regard.
The approach DOMICO by Zhong et al. [19] also detects non-conformances between system representations of different stages in the development process; however, they compare the intended design (UML) against the actual implementation (static model). This approach is partly based on the approach introduced by Murphy et al. [11], which computes a reflexion model by finding differences between the architectural model extracted from the source code and the mental (architectural) model constructed by a system developer. Both approaches detect non-conformances between design and implementation, whereas CATMA detects non-conformances between the system's implementation and deployment.

CONCLUSION & FUTURE WORK
We present CATMA, a tool for automatically conducting conformance analysis of MSAs. It detects possible non-conformances by computing differences between a statically and a dynamically obtained architectural model of the MSA. Found non-conformances are visualized in an easily accessible way. Further, a set of possible interpretations is generated, showing the non-conformances' potential causes. In a preliminary evaluation, CATMA showed promising results in terms of performance as well as usability. In our evaluation, CATMA identified a non-conformance in an open-source MSA on GitHub. A misconfiguration in the Hystrix monitoring dashboard prevented stream data from being visualized as intended in the implementation. This is a good example of a non-conformance between the intended and observed behaviors of the MSA. We notified the developers, and our fix was accepted. Hence, CATMA has already shown its first, albeit small, impact on an MSA.
As future work, we will extend CATMA with a more intelligent technique for selecting suitable interpretations for found non-conformances. Further, the approach would benefit from additional validation activities concerning its usefulness and possible enhancements. We plan a user study with developers in which they identify non-conformances with the help of CATMA. Finally, we will investigate the feasibility of using other types of models as input, as well as the detection of other kinds of non-conformances.

Figure 2: Example set of textual interpretations.

Figure 3: Part of state machine showing unexpected behavior.

Figure 4: Most frequent calls for unexpected behavior.

Figure 5: Example details for dynamic non-conformance.

Table 1: CATMA's performance statistics on multiple MSAs.

Table 2: Trade-off between model size and correctness.