SlideShare una empresa de Scribd logo

Comparing dependency issues across software package distributions (FOSDEM 2020)

Descargar como PPTX, PDF
Tom Mens
Tom Mens

This talk reports on our findings based on multiple empirical studies that we have conducted to understand different aspects of dependency management and their practical implications. This includes: * the outdatedness of package dependencies, the transitive impact of such "technical lag", and its relation to the presence of bugs and security vulnerabilities. * the impact of using either more permissive or more restrictive version contraints on dependencies. * the virtues and limitations of being compliant to semantic versioning, a common policy to inform dependents whether new releases of software packages introduce possibly backward incompatible changes. * the impact of specific characteristics, policies and tools used by the packaging ecosystem and its supporting community on all of the above. The contents of the talk is primarily based on the following peer-reviewed scientific articles: * What do package dependencies tell us about semantic versioning? Alexandre Decan, Tom Mens. IEEE Transactions on Software Engineering, 2019. https://doi.org/10.1109/TSE.2019.2918315 * An empirical comparison of dependency network evolution in seven software packaging ecosystems. Alexandre Decan, Tom Mens, Philippe Grosjean. Empirical Software Engineering 24(1):381-416, 2019. https://doi.org/10.1007/s10664-017-9589-y * A formal framework for measuring technical lag in component repositories and its application to npm. Ahmed Zerouali, Tom Mens, Jesus Gonzalez‐Barahona, Alexandre Decan, Eleni Constantinou, Gregorio Robles. Journal of Software: Evolution and Process 31(8), 2019. https://doi.org/10.1002/smr.2157 * On the Impact of Security Vulnerabilities in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Mining Software Repositories, 2018. https://doi.org/10.1145/3196398.3196401 * On the Evolution of Technical Lag in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Software Maintenance and Evolution, 2018. https://doi.org/10.1109/ICSME.2018.00050

Software
1 de 29
Tom Mens Software Engineering Lab Faculty of Sciences tom.mens@umons.ac.be @tom_mens Comparing dependency issues across software package distributions
SECO-ASSIST "Excellence of Science” Research Project 2018-2021 secoassist.github.io@secoassist
Comparing dependency issues across software package distributions An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems A Decan, T. Mens, Ph. Grosjean (2019) Empirical Software Engineering 24(1) What do package dependencies tell us about semantic versioning? A Decan, T Mens (2019) IEEE Transactions on Software Engineering A formal framework for measuring technical lag in component repositories – and its application to npm A Zerouali, T Mens, et al. (2019) J. Software Evolution and Process On the impact of security vulnerabilities in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories On the evolution of technical lag in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Software Maintenance and Evolution
Dependency issues
Dependency issues “Technical lag” due to outdated dependencies Missed opportunities to benefit from new functionality, or fixes of known bugs and security vulnerabilities “Dependency hell” • Too many direct and transitive dependencies • Broken dependencies due to backward incompatibilities • Co-installability problems Unmaintained packages due to departure of maintainers Nontransparent update policies Incompatible or prohibited licenses
Incompatible licenses https://tidelift.com
Fragility due to transitive dependencies March 2016 November 2010 Unexpected removal of left-pad caused > 2% of all packages to become uninstallable (> 5,400 packages) Release 0.5.0 of i18n broke dependent package ActiveRecord that was transitively required by >5% of all packages
Libraries.io monitors 6,901,989 open source packages across 37 different package managers https://libraries.io (7 January 2020)
Characterising the evolution of package dependency networks Decan & Mens (2019) An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems. Empirical Software Engineering Journal 830K packages – 5.8M package versions – 20.5M dependencies (April 2017)
Continuing Growth Package dependency networks grow exponentially in terms of number of packages and/or dependencies Fastest growth for npm Slowest growth for CRAN
Continuing Change • Number of package updates grows over time • >50% of package releases are updated within 2 months • Required and young packages are updated more frequently Fastest growth for npm Slowest growth for CRAN
Increasing level of reuse • Highly connected network, containing 60% to 80% of all packages • Power law behavior: A stable minority (20%) of required packages collect over 80% of all reverse dependencies Reusability index: Maximal value n such that there exist n required packages having at least n dependent packages. Fastest growth for npm
High number of deep transitive dependencies • Fragile packages may have a very high transitive impact • Over 50% of top-level packages have a deep dependency graph Number of packages that are transitively required by at least 5% of all packages. Transitive dependency depth of top-level packages
Outdated Dependencies Should package maintainers upgrade their dependencies to more recent versions? �Upgrades benefit from bug and security fixes � Upgrading allows to use new features � Upgrading requires effort � Upgrading may introduce breaking changes
Outdated runtime dependencies in npm Outdated Dependencies Outdatedness is related to the type of dependency constraint being used Strict (i.e. pinned) constraints represent about 33% of all outdated dependencies
Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; … A Zerouali et al (Feb. 2019) A formal framework for measuring technical lag in component repositories – and its application to npm. Wiley Journal on Software Evolution and Process
~ 2.7.0 - 22-09-2017 2.0.1 - 16-05-2017 Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; …
Need for dependency monitoring tools Example: David Dependency Manager for npm projects https://david-dm.orgMy npm Project
Avoiding breaking changes through Semantic Versioning https://chaoss.community Is semantic versioning respected by software package distributions? What do package dependencies tell us about semantic versioning? A Decan, T Mens (May 2019) IEEE Transactions on Software Engineering major minor patch 3 9 2 Breaking changes Backwards compatible changes Bug fixes Most permissive Most Restrictive
Semantic versioning Different package managers interpret version constraints in different ways: More restrictive than semver More permissive than semver
Semantic versioning • Cargo, npm and Packagist are mostly semver-compliant. All three are more permissive than semver for 0.y.z versions • All considered ecosystems become more compliant over time. • >16% of restrictive constraints in npm, Packagist and Rubygems  prevents adoption of backward compatible upgrades
Security vulnerabilities OWASP Foundation Top 10 Application Security Risks You are likely vulnerable:  If you do not know the versions of all components you use … This includes components you directly use as well as nested dependencies.  If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.  If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.  If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities.  If software developers do not test the compatibility of updated, upgraded, or patched libraries. A9 - Using Components with Known Vulnerabilities
Security vulnerabilities in npm On the impact of security vulnerabilities in the npm package dependency network. A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories Vulnerable packages # vulnerabilities 399 # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 (45%) # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 (54%)
Security vulnerabilities in npm When are vulnerabilities discovered? >40% of all vulnerabilities are not discovered even 2.5 years after their introduction, regardless of their severity.
Security vulnerabilities in npm When are vulnerabilities fixed? ~20% of vulnerabilities take more than 1 year to be fixed.
Security vulnerabilities in npm When are vulnerabilities fixed in dependent packages? Vulnerable packages # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 >33% of all affected dependents are not (yet) fixed!
Security vulnerabilities in npm Why do vulnerabilities remain unfixed in dependent packages? Improper or too restrictive use of dependency constraints Maintainers are unaware of the vulnerability or how to fix it Fixed version of the dependency contains incompatible changes Package is no longer actively maintained
Tool support: Monitor and update vulnerable dependencies GitHub Automated security alerts and updates https://help.github.com/en/github/managing-security-vulnerabilities Snyk Continuously find and fix known vulnerabilities in a package’s dependencies https://snyk.io Retire.js Scans for the use of JavaScript libraries with known vulnerabilities http://retirejs.github.io/retire.js/ OWASP Dependency-Check Detects publicly disclosed vulnerabilities contained within a project’s dependencies. https://github.com/jeremylong/DependencyCheck Eclipse Steady Detects known vulnerabilitis in dependencies to open source Java and Python components through combination of static and dynamic analysis techniques https://eclipse.github.io/steady/
Conclusion • Package dependency networks are affected my multiple dependency issues • Many and deep transitive dependencies • Outdated dependencies • Breaking changes • Vulnerable dependencies • Automated tools and policies can help mitigating these issues • Measuring, monitoring and updating outdated and vulnerable dependencies • Supporting semantic versioning • Supporting transitive dependencies • Detecting vulnerabilities that matter (avoid false positives/negatives)

Recomendados

FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
Fasten Project
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
Tom Mens
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!
Tom Mens
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency network
econst
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency network
Tom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networks
Tom Mens
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystem
Tom Mens
 
Detroit case study
Detroit case studyDetroit case study
Detroit case study
Ilias Varsamis
 

Recomendados

FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
Fasten Project
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
Tom Mens
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!
Tom Mens
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency network
econst
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency network
Tom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networks
Tom Mens
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystem
Tom Mens
 
Detroit case study
Detroit case studyDetroit case study
Detroit case study
Ilias Varsamis
 
ITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftanITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftan
Kenneth Kaftan
 
Measuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyMeasuring Private Cloud Resiliency
Measuring Private Cloud Resiliency
Ixia
 
National Cyber Security Crypto Program
National Cyber Security Crypto ProgramNational Cyber Security Crypto Program
National Cyber Security Crypto Program
Jorge Sebastiao
 
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMSWORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
I3E Technologies
 
Ase2013
Ase2013Ase2013
Ase2013
CS, NcState
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)
Mumbai Academisc
 
Wireless Sensor Network
Wireless Sensor NetworkWireless Sensor Network
Wireless Sensor Network
Muhammad Farooq Hussain
 
B.tech Final year Cryptography Project
B.tech Final year Cryptography ProjectB.tech Final year Cryptography Project
B.tech Final year Cryptography Project
Shivam Vatshayan
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Future
amiable_indian
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown Threats
OPSWAT
 
Wireless sensor network security issues
Wireless sensor network security issuesWireless sensor network security issues
Wireless sensor network security issues
Maha Saad
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystems
Tom Mens
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
Tom Mens
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
Ahmed Zerouali
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?
Tom Mens
 
Evolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondEvolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyond
econst
 
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Tom Mens
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency network
Tom Mens
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package Dependencies
Ahmed Zerouali
 
Node.js security tour
Node.js security tourNode.js security tour
Node.js security tour
Giacomo De Liberali
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Tom Mens
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Project
 

Más contenido relacionado

La actualidad más candente

ITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftanITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftan
Kenneth Kaftan
 
Measuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyMeasuring Private Cloud Resiliency
Measuring Private Cloud Resiliency
Ixia
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)
Mumbai Academisc
 
B.tech Final year Cryptography Project
B.tech Final year Cryptography ProjectB.tech Final year Cryptography Project
B.tech Final year Cryptography Project
Shivam Vatshayan
 
Wireless sensor network security issues
Wireless sensor network security issuesWireless sensor network security issues
Wireless sensor network security issues
Maha Saad
 

La actualidad más candente (11)

ITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftanITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftan
 
Measuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyMeasuring Private Cloud Resiliency
Measuring Private Cloud Resiliency
 
National Cyber Security Crypto Program
National Cyber Security Crypto ProgramNational Cyber Security Crypto Program
National Cyber Security Crypto Program
 
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMSWORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
 
Ase2013
Ase2013Ase2013
Ase2013
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)
 
Wireless Sensor Network
Wireless Sensor NetworkWireless Sensor Network
Wireless Sensor Network
 
B.tech Final year Cryptography Project
B.tech Final year Cryptography ProjectB.tech Final year Cryptography Project
B.tech Final year Cryptography Project
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Future
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown Threats
 
Wireless sensor network security issues
Wireless sensor network security issuesWireless sensor network security issues
Wireless sensor network security issues
 

Similar a Comparing dependency issues across software package distributions (FOSDEM 2020)

Evolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondEvolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyond
econst
 
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Tom Mens
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency network
Tom Mens
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package Dependencies
Ahmed Zerouali
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Tom Mens
 
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
South Tyrol Free Software Conference
 
Socio-Technical Analysis of Software Ecosystem Health
Socio-Technical Analysis of Software Ecosystem HealthSocio-Technical Analysis of Software Ecosystem Health
Socio-Technical Analysis of Software Ecosystem Health
Tom Mens
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response Program
Lancope, Inc.
 
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementPercezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Emerasoft, solutions to collaborate
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packages
Tom Mens
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
Neha Rana
 

Similar a Comparing dependency issues across software package distributions (FOSDEM 2020) (20)

On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystems
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?
 
Evolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondEvolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyond
 
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency network
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package Dependencies
 
Node.js security tour
Node.js security tourNode.js security tour
Node.js security tour
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy Management
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
 
Socio-Technical Analysis of Software Ecosystem Health
Socio-Technical Analysis of Software Ecosystem HealthSocio-Technical Analysis of Software Ecosystem Health
Socio-Technical Analysis of Software Ecosystem Health
 
PacketsNeverLie
PacketsNeverLiePacketsNeverLie
PacketsNeverLie
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response Program
 
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementPercezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
 
Open source cloud native security with threat mapper
Open source cloud native security with threat mapperOpen source cloud native security with threat mapper
Open source cloud native security with threat mapper
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packages
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
 

Más de Tom Mens

Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
Tom Mens
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
Tom Mens
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Tom Mens
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
Tom Mens
 

Más de Tom Mens (20)

How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD student
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software development
 
A Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubA Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHub
 
The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub
 
Nurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureNurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the Future
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHub
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research Achievements
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminar
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker Containers
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk
 
SoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software HealthSoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software Health
 
Software Ecosystems = Big Data
Software Ecosystems = Big DataSoftware Ecosystems = Big Data
Software Ecosystems = Big Data
 
La santé des écosystèmes des logiciels open source
La santé des écosystèmes des logiciels open sourceLa santé des écosystèmes des logiciels open source
La santé des écosystèmes des logiciels open source
 

Último

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 

Último (20)

Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 

Comparing dependency issues across software package distributions (FOSDEM 2020)

  • 1. Tom Mens Software Engineering Lab Faculty of Sciences tom.mens@umons.ac.be @tom_mens Comparing dependency issues across software package distributions
  • 2. SECO-ASSIST "Excellence of Science” Research Project 2018-2021 secoassist.github.io@secoassist
  • 3. Comparing dependency issues across software package distributions An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems A Decan, T. Mens, Ph. Grosjean (2019) Empirical Software Engineering 24(1) What do package dependencies tell us about semantic versioning? A Decan, T Mens (2019) IEEE Transactions on Software Engineering A formal framework for measuring technical lag in component repositories – and its application to npm A Zerouali, T Mens, et al. (2019) J. Software Evolution and Process On the impact of security vulnerabilities in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories On the evolution of technical lag in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Software Maintenance and Evolution
  • 5. Dependency issues “Technical lag” due to outdated dependencies Missed opportunities to benefit from new functionality, or fixes of known bugs and security vulnerabilities “Dependency hell” • Too many direct and transitive dependencies • Broken dependencies due to backward incompatibilities • Co-installability problems Unmaintained packages due to departure of maintainers Nontransparent update policies Incompatible or prohibited licenses
  • 7. Fragility due to transitive dependencies March 2016 November 2010 Unexpected removal of left-pad caused > 2% of all packages to become uninstallable (> 5,400 packages) Release 0.5.0 of i18n broke dependent package ActiveRecord that was transitively required by >5% of all packages
  • 8. Libraries.io monitors 6,901,989 open source packages across 37 different package managers https://libraries.io (7 January 2020)
  • 9. Characterising the evolution of package dependency networks Decan & Mens (2019) An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems. Empirical Software Engineering Journal 830K packages – 5.8M package versions – 20.5M dependencies (April 2017)
  • 10. Continuing Growth Package dependency networks grow exponentially in terms of number of packages and/or dependencies Fastest growth for npm Slowest growth for CRAN
  • 11. Continuing Change • Number of package updates grows over time • >50% of package releases are updated within 2 months • Required and young packages are updated more frequently Fastest growth for npm Slowest growth for CRAN
  • 12. Increasing level of reuse • Highly connected network, containing 60% to 80% of all packages • Power law behavior: A stable minority (20%) of required packages collect over 80% of all reverse dependencies Reusability index: Maximal value n such that there exist n required packages having at least n dependent packages. Fastest growth for npm
  • 13. High number of deep transitive dependencies • Fragile packages may have a very high transitive impact • Over 50% of top-level packages have a deep dependency graph Number of packages that are transitively required by at least 5% of all packages. Transitive dependency depth of top-level packages
  • 14. Outdated Dependencies Should package maintainers upgrade their dependencies to more recent versions? �Upgrades benefit from bug and security fixes � Upgrading allows to use new features � Upgrading requires effort � Upgrading may introduce breaking changes
  • 15. Outdated runtime dependencies in npm Outdated Dependencies Outdatedness is related to the type of dependency constraint being used Strict (i.e. pinned) constraints represent about 33% of all outdated dependencies
  • 16. Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; … A Zerouali et al (Feb. 2019) A formal framework for measuring technical lag in component repositories – and its application to npm. Wiley Journal on Software Evolution and Process
  • 17. ~ 2.7.0 - 22-09-2017 2.0.1 - 16-05-2017 Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; …
  • 18. Need for dependency monitoring tools Example: David Dependency Manager for npm projects https://david-dm.orgMy npm Project
  • 19. Avoiding breaking changes through Semantic Versioning https://chaoss.community Is semantic versioning respected by software package distributions? What do package dependencies tell us about semantic versioning? A Decan, T Mens (May 2019) IEEE Transactions on Software Engineering major minor patch 3 9 2 Breaking changes Backwards compatible changes Bug fixes Most permissive Most Restrictive
  • 20. Semantic versioning Different package managers interpret version constraints in different ways: More restrictive than semver More permissive than semver
  • 21. Semantic versioning • Cargo, npm and Packagist are mostly semver-compliant. All three are more permissive than semver for 0.y.z versions • All considered ecosystems become more compliant over time. • >16% of restrictive constraints in npm, Packagist and Rubygems  prevents adoption of backward compatible upgrades
  • 22. Security vulnerabilities OWASP Foundation Top 10 Application Security Risks You are likely vulnerable:  If you do not know the versions of all components you use … This includes components you directly use as well as nested dependencies.  If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.  If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.  If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities.  If software developers do not test the compatibility of updated, upgraded, or patched libraries. A9 - Using Components with Known Vulnerabilities
  • 23. Security vulnerabilities in npm On the impact of security vulnerabilities in the npm package dependency network. A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories Vulnerable packages # vulnerabilities 399 # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 (45%) # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 (54%)
  • 24. Security vulnerabilities in npm When are vulnerabilities discovered? >40% of all vulnerabilities are not discovered even 2.5 years after their introduction, regardless of their severity.
  • 25. Security vulnerabilities in npm When are vulnerabilities fixed? ~20% of vulnerabilities take more than 1 year to be fixed.
  • 26. Security vulnerabilities in npm When are vulnerabilities fixed in dependent packages? Vulnerable packages # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 >33% of all affected dependents are not (yet) fixed!
  • 27. Security vulnerabilities in npm Why do vulnerabilities remain unfixed in dependent packages? Improper or too restrictive use of dependency constraints Maintainers are unaware of the vulnerability or how to fix it Fixed version of the dependency contains incompatible changes Package is no longer actively maintained
  • 28. Tool support: Monitor and update vulnerable dependencies GitHub Automated security alerts and updates https://help.github.com/en/github/managing-security-vulnerabilities Snyk Continuously find and fix known vulnerabilities in a package’s dependencies https://snyk.io Retire.js Scans for the use of JavaScript libraries with known vulnerabilities http://retirejs.github.io/retire.js/ OWASP Dependency-Check Detects publicly disclosed vulnerabilities contained within a project’s dependencies. https://github.com/jeremylong/DependencyCheck Eclipse Steady Detects known vulnerabilitis in dependencies to open source Java and Python components through combination of static and dynamic analysis techniques https://eclipse.github.io/steady/
  • 29. Conclusion • Package dependency networks are affected my multiple dependency issues • Many and deep transitive dependencies • Outdated dependencies • Breaking changes • Vulnerable dependencies • Automated tools and policies can help mitigating these issues • Measuring, monitoring and updating outdated and vulnerable dependencies • Supporting semantic versioning • Supporting transitive dependencies • Detecting vulnerabilities that matter (avoid false positives/negatives)

Notas del editor

  1. Technical Diversity: different platforms, different programming languages, different application domains, different packages with similar functionality Community Smells: Lone Wolfs, Isolated Teams, Communication Problems Contributor Abandonment: Rage quitting
  2. Technical Diversity: different platforms, different programming languages, different application domains, different packages with similar functionality Community Smells: Lone Wolfs, Isolated Teams, Communication Problems Contributor Abandonment: Rage quitting
  3. Technical Diversity: different platforms, different programming languages, different application domains, different packages with similar functionality Community Smells: Lone Wolfs, Isolated Teams, Communication Problems Contributor Abandonment: Rage quitting
  4. Cf. law of increasing growth
  5. Cf. law of increasing growth
  6. Cf. law of increasing growth
  7. Cf. law of increasing growth
  8. Quote by Ward Cunningham in 1992: “Shipping first-time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. Objects make the cost of this transaction tolerable. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt. Entire engineering organizations can be brought to a stand-still under the debt load of an unconsolidated implementation, object-oriented or otherwise." The concept does not mean that debt should never be incurred. Just as leverage can help a company when used correctly, a quick solution can mean a faster time to market in software development. In addition, technical debt is not just poor code. Bad code is bad code, and technical debt can result from the work of good programmers under unrealistic project constraints.”
  9. Benefits of semantic versioing: For package providers: Inform your dependents about which releases are backwards incompatible For package consumers: Decide and control which newer dependency releases are permitted January 2018 dataset from libraries.io:
  10. Proportion of dependency constraints (for package releases ≥1.0.0) that are semver-compliant, more permissive, or more restrictive
  11. Package metadata from libraries.io on November 2017 Vulnerabilities from snyk.io
  12. Package metadata from libraries.io on November 2017 Vulnerabilities from snyk.io
  13. This slide tells about when vulnerabilities are fixed in the “source/upstream” packages, i.e. those that are the source of the vulnerability, not their dependents. The next slide will show the same but for the dependents… Most vulnerabilities are fixed after the reported discovery date but before they become public.
  14. Before upstream fix:12% of dependent packages Rolling back to a non-affected release Removing the dependency At upstream fix: 44% of dependent packages Dependency constraint allows automatic fixes After upstream fix: 10.8% of dependent packages Dependency constraints manually managed >33% of all affected dependents are not (yet) fixed! - S23: Je me demande si toute la partie sur les vulnérabilités ne serait pas mieux avant le papier TSE, et donc juste après la partie sur le technical lag (le technical lag est la "raison" pour laquelle les vulnérabilités prennent du temps à être propagées dans les paquets dépendants, et est une conséquence directe du choix des contraintes).
  15. Before upstream fix: Rolling back to a non-affected release Removing the dependency 12% of dependent packages At upstream fix: Dependency constraint allows automatic fixes 44% of dependent packages After upstream fix: Dependency constraints manually managed 10.8% of dependent packages >33% of all affected dependents are not (yet) fixed!