SlideShare a Scribd company logo

Comparing dependency issues across software package distributions (FOSDEM 2020)

Download as PPTX, PDF
Tom Mens
Tom Mens

This talk reports on our findings based on multiple empirical studies that we have conducted to understand different aspects of dependency management and their practical implications. This includes: * the outdatedness of package dependencies, the transitive impact of such "technical lag", and its relation to the presence of bugs and security vulnerabilities. * the impact of using either more permissive or more restrictive version contraints on dependencies. * the virtues and limitations of being compliant to semantic versioning, a common policy to inform dependents whether new releases of software packages introduce possibly backward incompatible changes. * the impact of specific characteristics, policies and tools used by the packaging ecosystem and its supporting community on all of the above. The contents of the talk is primarily based on the following peer-reviewed scientific articles: * What do package dependencies tell us about semantic versioning? Alexandre Decan, Tom Mens. IEEE Transactions on Software Engineering, 2019. https://doi.org/10.1109/TSE.2019.2918315 * An empirical comparison of dependency network evolution in seven software packaging ecosystems. Alexandre Decan, Tom Mens, Philippe Grosjean. Empirical Software Engineering 24(1):381-416, 2019. https://doi.org/10.1007/s10664-017-9589-y * A formal framework for measuring technical lag in component repositories and its application to npm. Ahmed Zerouali, Tom Mens, Jesus Gonzalez‐Barahona, Alexandre Decan, Eleni Constantinou, Gregorio Robles. Journal of Software: Evolution and Process 31(8), 2019. https://doi.org/10.1002/smr.2157 * On the Impact of Security Vulnerabilities in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Mining Software Repositories, 2018. https://doi.org/10.1145/3196398.3196401 * On the Evolution of Technical Lag in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Software Maintenance and Evolution, 2018. https://doi.org/10.1109/ICSME.2018.00050

Software
1 of 29
Tom Mens Software Engineering Lab Faculty of Sciences tom.mens@umons.ac.be @tom_mens Comparing dependency issues across software package distributions
SECO-ASSIST "Excellence of Science” Research Project 2018-2021 secoassist.github.io@secoassist
Comparing dependency issues across software package distributions An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems A Decan, T. Mens, Ph. Grosjean (2019) Empirical Software Engineering 24(1) What do package dependencies tell us about semantic versioning? A Decan, T Mens (2019) IEEE Transactions on Software Engineering A formal framework for measuring technical lag in component repositories – and its application to npm A Zerouali, T Mens, et al. (2019) J. Software Evolution and Process On the impact of security vulnerabilities in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories On the evolution of technical lag in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Software Maintenance and Evolution
Dependency issues
Dependency issues “Technical lag” due to outdated dependencies Missed opportunities to benefit from new functionality, or fixes of known bugs and security vulnerabilities “Dependency hell” • Too many direct and transitive dependencies • Broken dependencies due to backward incompatibilities • Co-installability problems Unmaintained packages due to departure of maintainers Nontransparent update policies Incompatible or prohibited licenses
Incompatible licenses https://tidelift.com
Fragility due to transitive dependencies March 2016 November 2010 Unexpected removal of left-pad caused > 2% of all packages to become uninstallable (> 5,400 packages) Release 0.5.0 of i18n broke dependent package ActiveRecord that was transitively required by >5% of all packages
Libraries.io monitors 6,901,989 open source packages across 37 different package managers https://libraries.io (7 January 2020)
Characterising the evolution of package dependency networks Decan & Mens (2019) An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems. Empirical Software Engineering Journal 830K packages – 5.8M package versions – 20.5M dependencies (April 2017)
Continuing Growth Package dependency networks grow exponentially in terms of number of packages and/or dependencies Fastest growth for npm Slowest growth for CRAN
Continuing Change • Number of package updates grows over time • >50% of package releases are updated within 2 months • Required and young packages are updated more frequently Fastest growth for npm Slowest growth for CRAN
Increasing level of reuse • Highly connected network, containing 60% to 80% of all packages • Power law behavior: A stable minority (20%) of required packages collect over 80% of all reverse dependencies Reusability index: Maximal value n such that there exist n required packages having at least n dependent packages. Fastest growth for npm
High number of deep transitive dependencies • Fragile packages may have a very high transitive impact • Over 50% of top-level packages have a deep dependency graph Number of packages that are transitively required by at least 5% of all packages. Transitive dependency depth of top-level packages
Outdated Dependencies Should package maintainers upgrade their dependencies to more recent versions? �Upgrades benefit from bug and security fixes � Upgrading allows to use new features � Upgrading requires effort � Upgrading may introduce breaking changes
Outdated runtime dependencies in npm Outdated Dependencies Outdatedness is related to the type of dependency constraint being used Strict (i.e. pinned) constraints represent about 33% of all outdated dependencies
Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; … A Zerouali et al (Feb. 2019) A formal framework for measuring technical lag in component repositories – and its application to npm. Wiley Journal on Software Evolution and Process
~ 2.7.0 - 22-09-2017 2.0.1 - 16-05-2017 Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; …
Need for dependency monitoring tools Example: David Dependency Manager for npm projects https://david-dm.orgMy npm Project
Avoiding breaking changes through Semantic Versioning https://chaoss.community Is semantic versioning respected by software package distributions? What do package dependencies tell us about semantic versioning? A Decan, T Mens (May 2019) IEEE Transactions on Software Engineering major minor patch 3 9 2 Breaking changes Backwards compatible changes Bug fixes Most permissive Most Restrictive
Semantic versioning Different package managers interpret version constraints in different ways: More restrictive than semver More permissive than semver
Semantic versioning • Cargo, npm and Packagist are mostly semver-compliant. All three are more permissive than semver for 0.y.z versions • All considered ecosystems become more compliant over time. • >16% of restrictive constraints in npm, Packagist and Rubygems  prevents adoption of backward compatible upgrades
Security vulnerabilities OWASP Foundation Top 10 Application Security Risks You are likely vulnerable:  If you do not know the versions of all components you use … This includes components you directly use as well as nested dependencies.  If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.  If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.  If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities.  If software developers do not test the compatibility of updated, upgraded, or patched libraries. A9 - Using Components with Known Vulnerabilities
Security vulnerabilities in npm On the impact of security vulnerabilities in the npm package dependency network. A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories Vulnerable packages # vulnerabilities 399 # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 (45%) # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 (54%)
Security vulnerabilities in npm When are vulnerabilities discovered? >40% of all vulnerabilities are not discovered even 2.5 years after their introduction, regardless of their severity.
Security vulnerabilities in npm When are vulnerabilities fixed? ~20% of vulnerabilities take more than 1 year to be fixed.
Security vulnerabilities in npm When are vulnerabilities fixed in dependent packages? Vulnerable packages # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 >33% of all affected dependents are not (yet) fixed!
Security vulnerabilities in npm Why do vulnerabilities remain unfixed in dependent packages? Improper or too restrictive use of dependency constraints Maintainers are unaware of the vulnerability or how to fix it Fixed version of the dependency contains incompatible changes Package is no longer actively maintained
Tool support: Monitor and update vulnerable dependencies GitHub Automated security alerts and updates https://help.github.com/en/github/managing-security-vulnerabilities Snyk Continuously find and fix known vulnerabilities in a package’s dependencies https://snyk.io Retire.js Scans for the use of JavaScript libraries with known vulnerabilities http://retirejs.github.io/retire.js/ OWASP Dependency-Check Detects publicly disclosed vulnerabilities contained within a project’s dependencies. https://github.com/jeremylong/DependencyCheck Eclipse Steady Detects known vulnerabilitis in dependencies to open source Java and Python components through combination of static and dynamic analysis techniques https://eclipse.github.io/steady/
Conclusion • Package dependency networks are affected my multiple dependency issues • Many and deep transitive dependencies • Outdated dependencies • Breaking changes • Vulnerable dependencies • Automated tools and policies can help mitigating these issues • Measuring, monitoring and updating outdated and vulnerable dependencies • Supporting semantic versioning • Supporting transitive dependencies • Detecting vulnerabilities that matter (avoid false positives/negatives)

Recommended

FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...Fasten Project
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersTom Mens
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Tom Mens
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkeconst
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkTom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networksTom Mens
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemTom Mens
 
Detroit case study
Detroit case studyDetroit case study
Detroit case studyIlias Varsamis
 

Recommended

FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...Fasten Project
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersTom Mens
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Tom Mens
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkeconst
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkTom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networksTom Mens
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemTom Mens
 
Detroit case study
Detroit case studyDetroit case study
Detroit case studyIlias Varsamis
 
ITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftanITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftanKenneth Kaftan
 
Measuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyMeasuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyIxia
 
National Cyber Security Crypto Program
National Cyber Security Crypto ProgramNational Cyber Security Crypto Program
National Cyber Security Crypto ProgramJorge Sebastiao
 
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMSWORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMSI3E Technologies
 
Ase2013
Ase2013Ase2013
Ase2013CS, NcState
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)Mumbai Academisc
 
Wireless Sensor Network
Wireless Sensor NetworkWireless Sensor Network
Wireless Sensor NetworkMuhammad Farooq Hussain
 
B.tech Final year Cryptography Project
B.tech Final year Cryptography ProjectB.tech Final year Cryptography Project
B.tech Final year Cryptography ProjectShivam Vatshayan
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Futureamiable_indian
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown ThreatsOPSWAT
 
Wireless sensor network security issues
Wireless sensor network security issuesWireless sensor network security issues
Wireless sensor network security issuesMaha Saad
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsTom Mens
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...Tom Mens
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...Ahmed Zerouali
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?Tom Mens
 
Evolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondEvolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondeconst
 
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Tom Mens
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkTom Mens
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAhmed Zerouali
 
Node.js security tour
Node.js security tourNode.js security tour
Node.js security tourGiacomo De Liberali
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsTom Mens
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Project
 

More Related Content

What's hot

ITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftanITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftanKenneth Kaftan
 
Measuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyMeasuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyIxia
 
National Cyber Security Crypto Program
National Cyber Security Crypto ProgramNational Cyber Security Crypto Program
National Cyber Security Crypto ProgramJorge Sebastiao
 
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMSWORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMSI3E Technologies
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)Mumbai Academisc
 
B.tech Final year Cryptography Project
B.tech Final year Cryptography ProjectB.tech Final year Cryptography Project
B.tech Final year Cryptography ProjectShivam Vatshayan
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Futureamiable_indian
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown ThreatsOPSWAT
 
Wireless sensor network security issues
Wireless sensor network security issuesWireless sensor network security issues
Wireless sensor network security issuesMaha Saad
 

What's hot (11)

ITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftanITFAS Fire Alarm Cert_kaftan
ITFAS Fire Alarm Cert_kaftan
 
Measuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyMeasuring Private Cloud Resiliency
Measuring Private Cloud Resiliency
 
National Cyber Security Crypto Program
National Cyber Security Crypto ProgramNational Cyber Security Crypto Program
National Cyber Security Crypto Program
 
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMSWORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
WORMHOLE ATTACK DETECTION ALGORITHMS IN WIRELESS NETWORK CODING SYSTEMS
 
Ase2013
Ase2013Ase2013
Ase2013
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)
 
Wireless Sensor Network
Wireless Sensor NetworkWireless Sensor Network
Wireless Sensor Network
 
B.tech Final year Cryptography Project
B.tech Final year Cryptography ProjectB.tech Final year Cryptography Project
B.tech Final year Cryptography Project
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Future
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown Threats
 
Wireless sensor network security issues
Wireless sensor network security issuesWireless sensor network security issues
Wireless sensor network security issues
 

Similar to Comparing dependency issues across software package distributions (FOSDEM 2020)

On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsTom Mens
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...Tom Mens
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...Ahmed Zerouali
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?Tom Mens
 
Evolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondEvolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondeconst
 
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Tom Mens
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkTom Mens
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAhmed Zerouali
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsTom Mens
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Project
 
Socio-Technical Empirical Comparison of Software Package Ecosystems
Socio-Technical Empirical Comparison of Software Package EcosystemsSocio-Technical Empirical Comparison of Software Package Ecosystems
Socio-Technical Empirical Comparison of Software Package EcosystemsTom Mens
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) Eoin Keary
 
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...South Tyrol Free Software Conference
 
Socio-Technical Analysis of Software Ecosystem Health
Socio-Technical Analysis of Software Ecosystem HealthSocio-Technical Analysis of Software Ecosystem Health
Socio-Technical Analysis of Software Ecosystem HealthTom Mens
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramLancope, Inc.
 
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementPercezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementEmerasoft, solutions to collaborate
 
Open source cloud native security with threat mapper
Open source cloud native security with threat mapperOpen source cloud native security with threat mapper
Open source cloud native security with threat mapperLibbySchulze
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTom Mens
 

Similar to Comparing dependency issues across software package distributions (FOSDEM 2020) (20)

On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystems
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?
 
Evolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondEvolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyond
 
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency network
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package Dependencies
 
Node.js security tour
Node.js security tourNode.js security tour
Node.js security tour
 
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and RubygemsComparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
Comparing semantic versioning practices in Cargo, npm, Packagist and Rubygems
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy Management
 
Socio-Technical Empirical Comparison of Software Package Ecosystems
Socio-Technical Empirical Comparison of Software Package EcosystemsSocio-Technical Empirical Comparison of Software Package Ecosystems
Socio-Technical Empirical Comparison of Software Package Ecosystems
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
 
Socio-Technical Analysis of Software Ecosystem Health
Socio-Technical Analysis of Software Ecosystem HealthSocio-Technical Analysis of Software Ecosystem Health
Socio-Technical Analysis of Software Ecosystem Health
 
PacketsNeverLie
PacketsNeverLiePacketsNeverLie
PacketsNeverLie
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response Program
 
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementPercezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
 
Open source cloud native security with threat mapper
Open source cloud native security with threat mapperOpen source cloud native security with threat mapper
Open source cloud native security with threat mapper
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packages
 

More from Tom Mens

How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD studentTom Mens
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentTom Mens
 
A Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubA Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubTom Mens
 
The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHubTom Mens
 
Nurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureNurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureTom Mens
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Tom Mens
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubTom Mens
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero SpaceTom Mens
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesTom Mens
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Tom Mens
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...Tom Mens
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Tom Mens
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsTom Mens
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarTom Mens
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersTom Mens
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmTom Mens
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talkTom Mens
 
SoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software HealthSoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software HealthTom Mens
 
Software Ecosystems = Big Data
Software Ecosystems = Big DataSoftware Ecosystems = Big Data
Software Ecosystems = Big DataTom Mens
 
La santé des écosystèmes des logiciels open source
La santé des écosystèmes des logiciels open sourceLa santé des écosystèmes des logiciels open source
La santé des écosystèmes des logiciels open sourceTom Mens
 

More from Tom Mens (20)

How to be(come) a successful PhD student
How to be(come) a successful PhD studentHow to be(come) a successful PhD student
How to be(come) a successful PhD student
 
Recognising bot activity in collaborative software development
Recognising bot activity in collaborative software developmentRecognising bot activity in collaborative software development
Recognising bot activity in collaborative software development
 
A Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHubA Dataset of Bot and Human Activities in GitHub
A Dataset of Bot and Human Activities in GitHub
 
The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub The (r)evolution of CI/CD on GitHub
The (r)evolution of CI/CD on GitHub
 
Nurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the FutureNurturing the Software Ecosystems of the Future
Nurturing the Software Ecosystems of the Future
 
Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?Comment programmer un robot en 30 minutes?
Comment programmer un robot en 30 minutes?
 
On the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHubOn the rise and fall of CI services in GitHub
On the rise and fall of CI services in GitHub
 
Lost in Zero Space
Lost in Zero SpaceLost in Zero Space
Lost in Zero Space
 
Evaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messagesEvaluating a bot detection model on git commit messages
Evaluating a bot detection model on git commit messages
 
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...Bot or not? Detecting bots in GitHub pull request activity based on comment s...
Bot or not? Detecting bots in GitHub pull request activity based on comment s...
 
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...How magic is zero? An Empirical Analysis of Initial Development Releases in S...
How magic is zero? An Empirical Analysis of Initial Development Releases in S...
 
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
Measuring Technical Lag in Software Deployments (CHAOSScon 2020)
 
SecoHealth 2019 Research Achievements
SecoHealth 2019 Research AchievementsSecoHealth 2019 Research Achievements
SecoHealth 2019 Research Achievements
 
SECO-Assist 2019 research seminar
SECO-Assist 2019 research seminarSECO-Assist 2019 research seminar
SECO-Assist 2019 research seminar
 
ConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker ContainersConPan: Analysing Packages Installed in Docker Containers
ConPan: Analysing Packages Installed in Docker Containers
 
On the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npmOn the diversity of software popularity metrics: An empirical study of npm
On the diversity of software popularity metrics: An empirical study of npm
 
"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk"Software Ecosystem Health" lightning talk
"Software Ecosystem Health" lightning talk
 
SoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software HealthSoHeal 2018 Welcome Slides: First International Workshop on Software Health
SoHeal 2018 Welcome Slides: First International Workshop on Software Health
 
Software Ecosystems = Big Data
Software Ecosystems = Big DataSoftware Ecosystems = Big Data
Software Ecosystems = Big Data
 
La santé des écosystèmes des logiciels open source
La santé des écosystèmes des logiciels open sourceLa santé des écosystèmes des logiciels open source
La santé des écosystèmes des logiciels open source
 

Recently uploaded

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 

Recently uploaded (20)

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 

Comparing dependency issues across software package distributions (FOSDEM 2020)

  • 1. Tom Mens Software Engineering Lab Faculty of Sciences tom.mens@umons.ac.be @tom_mens Comparing dependency issues across software package distributions
  • 2. SECO-ASSIST "Excellence of Science” Research Project 2018-2021 secoassist.github.io@secoassist
  • 3. Comparing dependency issues across software package distributions An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems A Decan, T. Mens, Ph. Grosjean (2019) Empirical Software Engineering 24(1) What do package dependencies tell us about semantic versioning? A Decan, T Mens (2019) IEEE Transactions on Software Engineering A formal framework for measuring technical lag in component repositories – and its application to npm A Zerouali, T Mens, et al. (2019) J. Software Evolution and Process On the impact of security vulnerabilities in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories On the evolution of technical lag in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Software Maintenance and Evolution
  • 5. Dependency issues “Technical lag” due to outdated dependencies Missed opportunities to benefit from new functionality, or fixes of known bugs and security vulnerabilities “Dependency hell” • Too many direct and transitive dependencies • Broken dependencies due to backward incompatibilities • Co-installability problems Unmaintained packages due to departure of maintainers Nontransparent update policies Incompatible or prohibited licenses
  • 7. Fragility due to transitive dependencies March 2016 November 2010 Unexpected removal of left-pad caused > 2% of all packages to become uninstallable (> 5,400 packages) Release 0.5.0 of i18n broke dependent package ActiveRecord that was transitively required by >5% of all packages
  • 8. Libraries.io monitors 6,901,989 open source packages across 37 different package managers https://libraries.io (7 January 2020)
  • 9. Characterising the evolution of package dependency networks Decan & Mens (2019) An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems. Empirical Software Engineering Journal 830K packages – 5.8M package versions – 20.5M dependencies (April 2017)
  • 10. Continuing Growth Package dependency networks grow exponentially in terms of number of packages and/or dependencies Fastest growth for npm Slowest growth for CRAN
  • 11. Continuing Change • Number of package updates grows over time • >50% of package releases are updated within 2 months • Required and young packages are updated more frequently Fastest growth for npm Slowest growth for CRAN
  • 12. Increasing level of reuse • Highly connected network, containing 60% to 80% of all packages • Power law behavior: A stable minority (20%) of required packages collect over 80% of all reverse dependencies Reusability index: Maximal value n such that there exist n required packages having at least n dependent packages. Fastest growth for npm
  • 13. High number of deep transitive dependencies • Fragile packages may have a very high transitive impact • Over 50% of top-level packages have a deep dependency graph Number of packages that are transitively required by at least 5% of all packages. Transitive dependency depth of top-level packages
  • 14. Outdated Dependencies Should package maintainers upgrade their dependencies to more recent versions? �Upgrades benefit from bug and security fixes � Upgrading allows to use new features � Upgrading requires effort � Upgrading may introduce breaking changes
  • 15. Outdated runtime dependencies in npm Outdated Dependencies Outdatedness is related to the type of dependency constraint being used Strict (i.e. pinned) constraints represent about 33% of all outdated dependencies
  • 16. Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; … A Zerouali et al (Feb. 2019) A formal framework for measuring technical lag in component repositories – and its application to npm. Wiley Journal on Software Evolution and Process
  • 17. ~ 2.7.0 - 22-09-2017 2.0.1 - 16-05-2017 Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; …
  • 18. Need for dependency monitoring tools Example: David Dependency Manager for npm projects https://david-dm.orgMy npm Project
  • 19. Avoiding breaking changes through Semantic Versioning https://chaoss.community Is semantic versioning respected by software package distributions? What do package dependencies tell us about semantic versioning? A Decan, T Mens (May 2019) IEEE Transactions on Software Engineering major minor patch 3 9 2 Breaking changes Backwards compatible changes Bug fixes Most permissive Most Restrictive
  • 20. Semantic versioning Different package managers interpret version constraints in different ways: More restrictive than semver More permissive than semver
  • 21. Semantic versioning • Cargo, npm and Packagist are mostly semver-compliant. All three are more permissive than semver for 0.y.z versions • All considered ecosystems become more compliant over time. • >16% of restrictive constraints in npm, Packagist and Rubygems  prevents adoption of backward compatible upgrades
  • 22. Security vulnerabilities OWASP Foundation Top 10 Application Security Risks You are likely vulnerable:  If you do not know the versions of all components you use … This includes components you directly use as well as nested dependencies.  If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.  If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.  If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities.  If software developers do not test the compatibility of updated, upgraded, or patched libraries. A9 - Using Components with Known Vulnerabilities
  • 23. Security vulnerabilities in npm On the impact of security vulnerabilities in the npm package dependency network. A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories Vulnerable packages # vulnerabilities 399 # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 (45%) # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 (54%)
  • 24. Security vulnerabilities in npm When are vulnerabilities discovered? >40% of all vulnerabilities are not discovered even 2.5 years after their introduction, regardless of their severity.
  • 25. Security vulnerabilities in npm When are vulnerabilities fixed? ~20% of vulnerabilities take more than 1 year to be fixed.
  • 26. Security vulnerabilities in npm When are vulnerabilities fixed in dependent packages? Vulnerable packages # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 >33% of all affected dependents are not (yet) fixed!
  • 27. Security vulnerabilities in npm Why do vulnerabilities remain unfixed in dependent packages? Improper or too restrictive use of dependency constraints Maintainers are unaware of the vulnerability or how to fix it Fixed version of the dependency contains incompatible changes Package is no longer actively maintained
  • 28. Tool support: Monitor and update vulnerable dependencies GitHub Automated security alerts and updates https://help.github.com/en/github/managing-security-vulnerabilities Snyk Continuously find and fix known vulnerabilities in a package’s dependencies https://snyk.io Retire.js Scans for the use of JavaScript libraries with known vulnerabilities http://retirejs.github.io/retire.js/ OWASP Dependency-Check Detects publicly disclosed vulnerabilities contained within a project’s dependencies. https://github.com/jeremylong/DependencyCheck Eclipse Steady Detects known vulnerabilitis in dependencies to open source Java and Python components through combination of static and dynamic analysis techniques https://eclipse.github.io/steady/
  • 29. Conclusion • Package dependency networks are affected my multiple dependency issues • Many and deep transitive dependencies • Outdated dependencies • Breaking changes • Vulnerable dependencies • Automated tools and policies can help mitigating these issues • Measuring, monitoring and updating outdated and vulnerable dependencies • Supporting semantic versioning • Supporting transitive dependencies • Detecting vulnerabilities that matter (avoid false positives/negatives)

Editor's Notes

  1. Technical Diversity: different platforms, different programming languages, different application domains, different packages with similar functionality Community Smells: Lone Wolfs, Isolated Teams, Communication Problems Contributor Abandonment: Rage quitting
  2. Technical Diversity: different platforms, different programming languages, different application domains, different packages with similar functionality Community Smells: Lone Wolfs, Isolated Teams, Communication Problems Contributor Abandonment: Rage quitting
  3. Technical Diversity: different platforms, different programming languages, different application domains, different packages with similar functionality Community Smells: Lone Wolfs, Isolated Teams, Communication Problems Contributor Abandonment: Rage quitting
  4. Cf. law of increasing growth
  5. Cf. law of increasing growth
  6. Cf. law of increasing growth
  7. Cf. law of increasing growth
  8. Quote by Ward Cunningham in 1992: “Shipping first-time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. Objects make the cost of this transaction tolerable. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt. Entire engineering organizations can be brought to a stand-still under the debt load of an unconsolidated implementation, object-oriented or otherwise." The concept does not mean that debt should never be incurred. Just as leverage can help a company when used correctly, a quick solution can mean a faster time to market in software development. In addition, technical debt is not just poor code. Bad code is bad code, and technical debt can result from the work of good programmers under unrealistic project constraints.”
  9. Benefits of semantic versioing: For package providers: Inform your dependents about which releases are backwards incompatible For package consumers: Decide and control which newer dependency releases are permitted January 2018 dataset from libraries.io:
  10. Proportion of dependency constraints (for package releases ≥1.0.0) that are semver-compliant, more permissive, or more restrictive
  11. Package metadata from libraries.io on November 2017 Vulnerabilities from snyk.io
  12. Package metadata from libraries.io on November 2017 Vulnerabilities from snyk.io
  13. This slide tells about when vulnerabilities are fixed in the “source/upstream” packages, i.e. those that are the source of the vulnerability, not their dependents. The next slide will show the same but for the dependents… Most vulnerabilities are fixed after the reported discovery date but before they become public.
  14. Before upstream fix:12% of dependent packages Rolling back to a non-affected release Removing the dependency At upstream fix: 44% of dependent packages Dependency constraint allows automatic fixes After upstream fix: 10.8% of dependent packages Dependency constraints manually managed >33% of all affected dependents are not (yet) fixed! - S23: Je me demande si toute la partie sur les vulnérabilités ne serait pas mieux avant le papier TSE, et donc juste après la partie sur le technical lag (le technical lag est la "raison" pour laquelle les vulnérabilités prennent du temps à être propagées dans les paquets dépendants, et est une conséquence directe du choix des contraintes).
  15. Before upstream fix: Rolling back to a non-affected release Removing the dependency 12% of dependent packages At upstream fix: Dependency constraint allows automatic fixes 44% of dependent packages After upstream fix: Dependency constraints manually managed 10.8% of dependent packages >33% of all affected dependents are not (yet) fixed!