Software Ecosystem Call Graph for Dependency Management

Title: Software Ecosystem Call Graph for Dependency Management
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Hejderup, J., Deursen, A. v, Gousios, G.
Conference Name: 2018 IEEE/ACM 40th International Conference on Software Engineering: New Ideas and Emerging Technologies Results (ICSE-NIER)
Date Published: May
Keywords: Automated Secure Software Engineering, automated tools, call graphs, centralized code repositories, client-server systems, composability, Computer bugs, core package, countermeasure, dependencies, dependency checkers, Dependency management, dependency networks, developers, ecosystem-level, Ecosystems, Equifax data breach, external libraries, fine-grained dependency network, impact, indicative information, leftpad package removal, Libraries, open source software libraries, packages, popular form, program analysis, pubcrawl, public domain software, Resiliency, security, security of data, Software, software development management, software ecosystem, software engineering, software libraries, software reusability, Software reuse, Tools, workspace
Abstract: A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a countermeasure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystem-level call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.
Citation Key: hejderup_software_2018