Published in: Empirical Software Engineering 1/2018

11.05.2017

Do developers update their library dependencies?

An empirical study on the impact of security advisories on library migration

Authors: Raula Gaikovina Kula, Daniel M. German, Ali Ouni, Takashi Ishio, Katsuro Inoue


Abstract

Third-party library reuse has become common practice in contemporary software development, as it includes several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent to which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software projects and 2,700 library dependencies. Results show that although many of these systems rely heavily on dependencies, 81.5% of the studied systems still keep their outdated dependencies. In the case of updating a vulnerable dependency, the study reveals that affected developers are not likely to respond to a security advisory. Surveying these developers, we find that 69% of the interviewees claimed to be unaware of their vulnerable dependencies. Moreover, developers are not likely to prioritize a library update, as it is perceived to be extra workload and responsibility. This study concludes that even though third-party reuse is common practice, updating a dependency is not as common for many developers.


Footnotes
1
One of the largest library hosting repositories at http://search.maven.org/.

3
Statistics accessed Nov-26th-2016 at https://search.maven.org/#stats.

10
Report published January 02, 2015 at http://goo.gl/i8J1Zq.

17
It is officially known as the CVSS v2 base score. The calculation is shown at https://www.first.org/cvss/v2/guide.
 
Metadata
Title: Do developers update their library dependencies? An empirical study on the impact of security advisories on library migration
Authors: Raula Gaikovina Kula, Daniel M. German, Ali Ouni, Takashi Ishio, Katsuro Inoue
Publication date: 11.05.2017
Publisher: Springer US
Published in: Empirical Software Engineering / Issue 1/2018
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-017-9521-5
