Software Ecosystem Call Graph for Dependency Management
A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies on external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a countermeasure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystem-level call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.
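The contrast the abstract draws between a package-level dependency check and a versioned call graph can be sketched as follows. This is an added example, not code from the paper: the package names, versions, function names and the choice of `core@1.0:deserialize` as the vulnerable function are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: declared dependencies between versioned packages.
DEPENDS = {
    "app-a@2.0": ["lib@1.3"],
    "app-b@1.0": ["core@1.0"],
    "app-c@0.9": ["core@1.1"],   # already on the fixed release
    "lib@1.3": ["core@1.0"],
}
# Constructed call edges (caller, callee); a node is "package@version:function".
CALLS = [
    ("app-a@2.0:main", "lib@1.3:load"),
    ("lib@1.3:load", "core@1.0:deserialize"),
    ("app-b@1.0:main", "core@1.0:checksum"),
    ("app-c@0.9:main", "core@1.1:deserialize"),
]

def _reach(reverse, start):
    """Breadth-first walk over reversed edges; returns everything that leads to start."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in reverse[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def dependents_of(package):
    """Package-level view: every package that transitively declares `package`."""
    reverse = defaultdict(set)
    for pkg, deps in DEPENDS.items():
        for dep in deps:
            reverse[dep].add(pkg)
    return _reach(reverse, package)

def packages_reaching(function):
    """Call-graph view: packages with a call path into `function`."""
    reverse = defaultdict(set)
    for caller, callee in CALLS:
        reverse[callee].add(caller)
    return {node.split(":", 1)[0] for node in _reach(reverse, function)}

if __name__ == "__main__":
    flagged = dependents_of("core@1.0")
    affected = packages_reaching("core@1.0:deserialize")
    print("package-level check flags:", sorted(flagged))
    print("call paths to vulnerable function:", sorted(affected))
    print("flagged but not reachable:", sorted(flagged - affected))
```

On this sample the package-level check flags `app-b@1.0` because it declares `core@1.0`, while the call graph shows it never reaches the vulnerable function.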
Fri 1 Jun (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)
14:00 - 15:00 | Software Engineering in Other Domains | NIER - New Ideas and Emerging Results at R2 | Chair(s): Liliana Pasquale (University College Dublin & Lero, Ireland)
14:00 | 15m | Talk | Deep Customization of Multi-Tenant SaaS Using Intrusive Microservices | NIER - New Ideas and Emerging Results
14:15 | 15m | Talk | Software Ecosystem Call Graph for Dependency Management | NIER - New Ideas and Emerging Results | Joseph Hejderup (Delft University of Technology, Netherlands), Arie van Deursen (Delft University of Technology), Georgios Gousios (TU Delft)
14:30 | 15m | Talk | An Immersive Future for Software Engineering - Avenues and Approaches | NIER - New Ideas and Emerging Results
14:45 | 15m | Talk | Dronology: An Incubator for Cyber-Physical Systems Research | NIER - New Ideas and Emerging Results | Jane Cleland-Huang (University of Notre Dame), Michael Vierhauser (University of Notre Dame), Sean Bayley