Abstract
Modern software development is increasingly dependent on components, libraries, and frameworks coming from third-party vendors or open-source suppliers and made available through a number of platforms (or forges). This way of writing software puts an emphasis on reuse and on composition, commoditizing the services that modern applications require. On the other hand, bugs and vulnerabilities in a single library living in one such ecosystem can affect, directly or by transitivity, a huge number of other libraries and applications. Currently, only product-level information on library dependencies is used to contain this kind of danger, but this knowledge often proves too imprecise to support effective (and possibly automated) handling policies. We will discuss how fine-grained function-level dependencies can greatly improve reliability and reduce the impact of vulnerabilities on the whole software ecosystem.
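As an added illustration (not code from the paper or the FASTEN project), the following Python contrasts the two granularities the abstract describes on a constructed toy ecosystem with hypothetical package and function names: product-level reachability flags every transitive dependant of a vulnerable package, while function-level reachability over a call graph keeps only the packages that actually have a call path into the vulnerable function.

```python
from collections import deque

# Constructed toy ecosystem (hypothetical package and function names).
# Package-level dependencies: dependant -> set of direct dependencies.
PKG_DEPS = {
    "app-A": {"lib-http"},
    "app-B": {"lib-http"},
    "lib-http": {"lib-compress"},
}
# Function-level call graph over the same packages: caller -> set of callees.
# Node ids are "package:function". Note that app-A only ever calls lib-http:get,
# which never reaches lib-compress.
CALL_GRAPH = {
    "app-A:main": {"lib-http:get"},
    "app-B:main": {"lib-http:get", "lib-http:post"},
    "lib-http:post": {"lib-compress:inflate"},
}

def reverse_edges(graph):
    """Return the graph with every edge flipped (callee -> callers)."""
    rev = {}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, set()).add(src)
    return rev

def upstream_of(graph, target):
    """BFS over reversed edges: every node from which `target` is reachable."""
    rev = reverse_edges(graph)
    seen, queue = {target}, deque([target])
    while queue:
        node = queue.popleft()
        for pred in rev.get(node, ()):
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    return seen - {target}

def affected_product_level(pkg_deps, vulnerable_pkg):
    """Coarse answer: every package that transitively depends on the package."""
    return upstream_of(pkg_deps, vulnerable_pkg)

def affected_function_level(call_graph, vulnerable_fn):
    """Fine-grained answer: only packages with a call path into the function."""
    return {fn.split(":", 1)[0] for fn in upstream_of(call_graph, vulnerable_fn)}

if __name__ == "__main__":
    coarse = affected_product_level(PKG_DEPS, "lib-compress")
    fine = affected_function_level(CALL_GRAPH, "lib-compress:inflate")
    print("product-level:", sorted(coarse))    # app-A, app-B, lib-http
    print("function-level:", sorted(fine))     # app-B, lib-http
    print("false positives:", sorted(coarse - fine))  # app-A
```

Running it shows app-A being flagged at product level although no function in it can reach the vulnerable routine, which is exactly the imprecision that a function-level analysis removes.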