Saturday, 26 December 2020

How can tools support practices of 'Modern Code Reviews'

This morning I read the work of Bacchelli and Bird from ICSE 2013 (file attached). Please see my main takeaways below in the context of our Johnny discussions.

Bacchelli, A., & Bird, C. (2013, May). Expectations, outcomes, and challenges of modern code review. In 2013 35th International Conference on Software Engineering (ICSE) (pp. 712-721). IEEE.

This study was conducted at Microsoft and explores tool-based code reviews in the context of development teams. While the context is 'development teams', it provides good insight into the outcomes of code review activities, the motivation behind them, and what is needed to improve them. My interest in this paper is particularly in understanding the role and capabilities of a modern security intervention tool. Such a tool should aim to take over 'some' of the responsibilities of a 'reviewer' for developers working outside formal review settings, by getting to know the developer and her code better through a series of interventions and by intervening in a more context-aware manner.

1. The work identifies three types of outcomes from code reviews: defect finding, code improvement and knowledge transfer. Examples of defect finding are comments about logical issues in code, security issues and wrong exception handling. 'Code improvement' includes comments about removing unnecessary code, better coding practices and improving code readability. An example of 'knowledge transfer' is directing authors to external resources for learning how to tackle an issue. In this context, the outcome of an intervention 'tool' should not only be fixing defects in code. Researchers should also aim to provide knowledge transfer by adding to the developer's knowledge base and pointing him to the right resource outside the IDE. In the security domain, code improvement is usually looked at from a usability perspective, but it is not only about usability-related issues: it also covers compliance with standards, removing unnecessary code etc., which are often addressed in the context of security too.

2. Their empirical investigation shows that while managers and developers primarily seek 'defect finding' from code reviews, actual code reviews predominantly provide 'code improvement' suggestions. The primary reason is that 'defect finding' requires a deeper understanding of the code and its context, hence most reviewers give feedback on code improvement without highlighting the 'very much present' "security and data model issues" in the code. The authors also highlight 'understanding' as an important determinant of the quality of code reviews, i.e. of whether the review yields feedback on defects. To improve understanding, reviewers often needed to interact with developers: either by engaging with them synchronously in the comments of the code review tool, or by meeting them in person to understand their code better and then give feedback on defects. With that in mind, tools need to ask the 'right' questions at the 'right' point in time to know the developer's context better. Program comprehension research is one area that can be looked at for how to improve this further.

Hint: That being said, one way forward is to look at 'diffs'. Version control systems provide diffs of two versions of a changed file (as many code review tools do). As researchers, we need to brainstorm which questions we want these 'diffs' to answer, so that we can leverage the information in them.
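To make the 'diff' idea concrete, here is an added example (my own illustration, not code from the paper or from any real review tool): a small Python script that parses a unified diff and turns what it sees into reviewer questions, tagged with the two review outcomes a tool can plausibly support from the diff alone, 'defect finding' (here: a specific exception class replaced by a catch-all, the paper's 'wrong exception handling') and 'code improvement' (here: an import added that nothing in the diff uses, the paper's 'unnecessary code'). The sample diff, the file name app/auth.py, the two heuristics and the question wording are all assumptions made for illustration.

```python
"""Turn a unified diff into review questions, grouped by the review outcomes
Bacchelli and Bird describe (defect finding, code improvement).

Added example: the heuristics and the question wording are assumptions for
illustration, not taken from the paper or from any real review tool.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample diff (not from a real project): the change swallows all
# exceptions and leaves behind an import that nothing in the diff uses.
SAMPLE_DIFF = """\
diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -1,6 +1,7 @@
 import hashlib
+import subprocess
 def verify(token, expected):
     try:
         return hashlib.sha256(token).hexdigest() == expected
-    except TypeError:
-        raise ValueError("token must be bytes")
+    except:
+        return False
"""


@dataclass
class Hunk:
    path: str
    header: str
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    context: list = field(default_factory=list)


@dataclass
class Question:
    path: str
    header: str
    outcome: str  # "defect finding" or "code improvement"
    text: str


def parse_unified_diff(text):
    """Split a unified diff into Hunk objects with the +/-/' ' prefixes stripped."""
    hunks, path, current = [], None, None
    for line in text.splitlines():
        if line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
            current = None
        elif line.startswith(("--- ", "+++ ", "\\")):
            continue  # file headers and "\ No newline at end of file"
        elif line.startswith("@@"):
            current = Hunk(path, line)
            hunks.append(current)
        elif current is not None:
            if line.startswith("+"):
                current.added.append(line[1:])
            elif line.startswith("-"):
                current.removed.append(line[1:])
            else:
                current.context.append(line[1:])
    return hunks


CATCH_ALL = re.compile(r"^\s*except\s*(Exception\s*)?(as\s+\w+\s*)?:")
SPECIFIC_EXCEPT = re.compile(r"^\s*except\s+([\w.]+)")
IMPORT = re.compile(r"^\s*import\s+(\w+)")


def review_questions(hunks):
    """Ask only the reviewer questions that the diff alone can justify."""
    questions = []
    by_path = defaultdict(list)
    for h in hunks:
        by_path[h.path].append(h)

    for h in hunks:
        # Defect finding: a specific exception class was replaced by a catch-all.
        removed_types = []
        for line in h.removed:
            m = SPECIFIC_EXCEPT.match(line)
            if m and not CATCH_ALL.match(line):
                removed_types.append(m.group(1))
        if removed_types and any(CATCH_ALL.match(l) for l in h.added):
            questions.append(Question(
                h.path, h.header, "defect finding",
                f"Exception handling widened from {', '.join(removed_types)} to a "
                "catch-all: which failures are expected here, and which should "
                "still propagate instead of being reported as a failed check?"))

        # Code improvement: an import was added but nothing in this diff uses it.
        # Diff-only view: a use elsewhere in the file is invisible here, so this
        # is a question for the developer, not a verdict.
        other_lines = [l for hh in by_path[h.path]
                       for l in hh.added + hh.context if not IMPORT.match(l)]
        for line in h.added:
            m = IMPORT.match(line)
            if m and not any(re.search(rf"\b{re.escape(m.group(1))}\b", o)
                             for o in other_lines):
                questions.append(Question(
                    h.path, h.header, "code improvement",
                    f"'import {m.group(1)}' was added but nothing in this diff "
                    "uses it: is it needed, or left over from debugging?"))
    return questions


if __name__ == "__main__":
    for q in review_questions(parse_unified_diff(SAMPLE_DIFF)):
        print(f"{q.path} {q.header} [{q.outcome}] {q.text}")
```

The point of the example is the shape of the output rather than the two heuristics: each question is phrased so the developer answers it in her own context, which is what the paper says reviewers have to obtain by talking to the author, and the second heuristic is explicitly a question because the diff cannot show uses of the import outside the changed hunks.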
