Published in: Empirical Software Engineering 4/2022

01.07.2022

Characterizing usages, updates and risks of third-party libraries in Java projects

Authors: Kaifeng Huang, Bihuan Chen, Congying Xu, Ying Wang, Bowen Shi, Xin Peng, Yijian Wu, Yang Liu


Abstract

Third-party libraries are a key building block in software development, as they allow developers to reuse common functionality instead of reinventing the wheel. However, third-party libraries and client projects are developed and continuously evolve asynchronously. As a result, outdated third-party libraries may be commonly used in client projects while developers are unaware of the potential risk (e.g., security bugs) in those usages. Outdated third-party libraries may be updated in client projects with delay, while developers are less aware of the potential risk (e.g., API incompatibilities) in those updates. Developers of third-party libraries may be unaware of how their libraries are used or updated in client projects. Therefore, a quantitative and holistic study on usages, updates and risks of third-party libraries in open-source projects can provide concrete evidence on these problems and practical insights to improve the ecosystem sustainably. In this paper, we make the first contribution towards such a study in the Java ecosystem. First, using 806 open-source projects and 13,565 third-party libraries, we conduct a library usage analysis (e.g., usage intensity and usage outdatedness), followed by a library update analysis (e.g., update intensity and update delay). The two analyses aim to quantify usage and update practices from the two holistic perspectives of open-source projects and third-party libraries. Then, we carry out a library risk analysis (e.g., usage risk and update risk) on 806 open-source projects and 544 security bugs. This analysis aims to quantify the potential risk of using and updating outdated third-party libraries with respect to security bugs. Our findings suggest practical implications for developers and researchers on problems and potential solutions in maintaining third-party libraries (e.g., smart alerting and automated updating of outdated third-party libraries). To demonstrate the usefulness of our findings, we propose a security bug-driven alerting system, named LibSecurify, that assists developers in making confident decisions by quantifying the risks and effort of updating outdated third-party libraries. Thirty-three open-source projects confirmed the presence of security bugs after receiving our alerts, and 24 of those 33 have updated their third-party libraries. We have released our dataset to foster valuable applications and improve the Java third-party library ecosystem.


Footnotes

6. a.k.a. changing versions: versions whose features are still under active development but which developers are allowed to integrate before a stable version is released.

7. The usage count can be obtained from the “Used by” field in the Maven Central repository.
Metadata

Title: Characterizing usages, updates and risks of third-party libraries in Java projects
Authors: Kaifeng Huang, Bihuan Chen, Congying Xu, Ying Wang, Bowen Shi, Xin Peng, Yijian Wu, Yang Liu
Publication date: 01.07.2022
Publisher: Springer US
Published in: Empirical Software Engineering / Issue 4/2022
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-022-10131-8
