- The paper’s main contribution is a training-free fusion methodology that combines semantic similarity and structural propagation to achieve perfect recall in toy scenarios.
- The methodology builds a heterogeneous artifact graph to integrate diverse software artifacts and recover blind spots using a weighted fusion of semantic and structural cues.
- The approach ensures interpretability with deterministic impact paths, which is crucial for auditability, safety-critical applications, and regulatory compliance.
Semantically-Seeded, Graph-Propagated Impact Analysis Across Heterogeneous Software Artifacts
Impact analysis, the task of determining what software artifacts are affected when a single artifact changes, is fundamental to software evolution and maintenance. Historically, impact analysis approaches are divided into semantic (textual similarity) and structural (dependency edge traversal) categories. Semantic-based methods using IR or embeddings (e.g., CodeBERT, SBERT) capture cross-artifact relationships but miss cases with no lexical overlap. Structural dependency analysis (e.g., program slicing, call graphs) is precise where explicit links exist, yet fails to capture semantically related, but structurally disconnected, artifacts or non-code dependencies. Critically, these blind spots lead to real failures in production systems, where operational artifacts like container images, metrics, alerts, and shared data schemas are left unexamined by code-centric tools.
The paper advocates for an interpretable, training-free fusion of semantic and structural signals over heterogeneous artifact graphs, extending coverage to artifacts and edges invisible to prior approaches. The goal is to strike an optimal balance: maximal recall, explicit propagation traces, and applicability across requirements, configs, services, tests, and operational artifacts.
Approach: Artifact Graph Fusion
The methodology centers on constructing a typed heterogeneous artifact graph, with artifacts such as requirements, configurations, services/functions, tests, container images, metrics, dashboards/alerts, and data schemas as nodes. Edges are extracted via static analysis, container manifests, telemetry, and version histories, encompassing relationships such as R→C, C→S, S↔S, T→S, I→S, S→M, M→A, S→D, and D↔D.
Impact estimation proceeds in three stages:
- Semantic Prior: Artifacts and changes are embedded (TF-IDF or SBERT); similarity scores provide initial candidates.
- Structural Propagation: Typed edges are used to construct a row-normalized propagation matrix M, impact spreads multi-hop with geometric decay (γ), akin to Katz centrality and personalized PageRank computations.
- Fusion: The impact vector is obtained via a weighted sum λs+(1−λ)p, where λ tunes semantic vs structural influence. Each flagged artifact is accompanied by its scores and explicit propagation path.
Notably, the configuration recovers both types of blind spots: structural propagation traces semantic gaps, while the semantic prior reaches artifacts not structurally connected to the change. The architecture offers deterministic output and interpretability, crucial in safety-critical, audit, and traceability contexts.
Operational Scenarios and Extraction
The framework is evaluated in real-world inspired scenarios—including Kubernetes outages (base-image update), database engine migrations, metric renames breaking alerts, and legacy data coupling—all cases where purely structural, code-scoped CIA fails. Extraction is defined for operational edges: images to services, services to metrics, metrics to dashboards/alerts, and data shared among services. Where static parsing is infeasible (e.g., runtime metric names, absent foreign keys), semantic similarity and version-history coupling are used.
Incremental extraction (re-parsing only changed artifacts) and sparse graph representations make the method scalable to large systems. Approximate nearest-neighbor search (e.g., FAISS, pgvector) and efficient propagation algorithms (iterative sparse matrix–vector multiplication) further extend practical deployment.
Proof-of-Concept Evaluation and Findings
A small-scale prototype spanning requirements, configs, services, and tests validates the mechanism. Semantic-only baselines provide high recall but low precision; structural-only analysis yields high precision but capped recall. The fusion (λ=0.5) achieves perfect recall (1.000), recovering all impacted artifacts in every scenario, including those with zero lexical overlap or unreachable by structure alone. Importantly, the fusion is the only configuration achieving full blind spot coverage. Helper functions with no structural path but contextually related to the change are recovered via semantic similarity, confirming the necessity of the fused approach.
The numerical results are illustrative, not generalizable: they demonstrate coverage of mechanism-level blind spots, not predictive accuracy for large-scale systems, due to synthetic evaluation limits.
Positioning and Implications
Relative to contemporary fusion architectures, the proposed analyzer occupies the interpretable, training-free niche. Unlike GNNs or LLM-driven GRAFs, it ensures explicit impact paths, determinism, and zero dependence on training data. These properties are indispensable for real-world auditability, regulatory compliance, and safety analysis, and suggest the method's utility in heterogeneous infrastructure beyond source artifacts.
The explicit λ and τ parameters allow precise tuning of precision/recall; adaptive learning of these values per artifact/change type is a proposed extension.
Research Agenda and Future Directions
Future work prioritizes:
- Learned propagation via co-change histories or GNNs with interpretability constraints
- LLM-based verification seeded by explicit propagation traces
- Integration of dynamic runtime traces and historic signals
- Polyglot extraction across languages, manifests, message buses, and telemetry pipelines
- Adaptive fusion parameter selection
- Large-scale benchmarking with developer-validated labels, precision/recall curve reporting
The vision targets reconstructing artifact chains from documented failure incidents, testing whether the fusion methodology would retrospectively surface the missed impacts.
Threats to Validity
Current evaluation is limited by synthetic benchmarks, small artifact sets, and modelling choices (impact directionality). Ground truth is author-labeled, possibly embedding selection bias. Semantic prior backend selection may influence results. Generalization to real systems remains an explicit agenda point.
Conclusion
The proposed method fuses semantic similarity and typed dependency propagation over a heterogeneous artifact graph, yielding interpretable, training-free impact analysis applicable across operational and code artifacts. The mechanism achieves perfect recall in all toy scenarios and surfaces artifacts unreachable by semantic or structural signals alone. The distribution of the prototype and replication package enables further validation. The principal contribution is the identification and substantiation of an under-explored, practical, and rigorous design point for cross-artifact impact analysis, with an agenda for scalable, real-world deployment and extension (2606.18855).