Fine-Grained Analysis of Software Ecosystems as Networks

Objective

A popular form of software reuse involves linking open source software (OSS) libraries hosted on centralized code repositories, such as Maven or PyPI. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. As recent events such as the LeftPad incident, which led to hundreds of thousands of websites to stop working, and the Equifax data breach, which led to a leak of hundreds of thousands of credit card numbers, have demonstrated, dependencies on networks of external libraries can introduce to projects significant operational and compliance risks as well as difficult to assess security implications. Solving these problems would boost the efficiency and production quality of software development companies by allowing them to reuse OSS code with confidence, covering a large untapped potential. To address this situation, the FASTEN project introduces fine-grained, method-level, tracking of dependencies on top of existing dependency management networks. Specifically, the project will introduce a service that tracks dependencies at the method call-graph level and performs sophisticated analyses of i) security vulnerability propagation, ii) licensing compliance, and iii) dependency risk profiles. To facilitate adoption, FASTEN will bring those analyses to the hands of developers by integrating the analysis service to popular package managers, for the Java, C, and Python programming languages. The project consortium comprises world-leading experts on ecosystem analysis, graph processing, and software risk and compliance assessment, along with established OSS community integrators and managers.

Fields of science

• natural sciencescomputer and information sciencessoftwaresoftware development
• natural sciencesbiological sciencesecologyecosystems

Keywords

• Software Ecosystems
• Package Managers
• Graphs
• Program Analysis
• Call graphs

Coordinator

Participants (6)