Fine-Grained Analysis of Software Ecosystems as Networks
The FASTEN project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 825328.
FASTEN:
Intelligent Package Management
Giasemi Seisa
Dec 10, 2019
1. Risks on using Open Source Software (OSS)
2. Ecosystem Failures
3. FASTEN project
3.1 Introduction
3.2 Integration into package management tools
3.3 Build your project!
Risks on using Open Source Software
Anyone who uses the internet benefits from the existence of OSS.
Why? → Its code is open and accessible to anyone.
What is the risk of using OSS?
Risks on using Open Source Software
How the risk is created: by the use of OSS libraries. Why?
Programs and libraries can have dependencies on other libraries, and those dependencies co-evolve without any centralized coordination.
Increasingly, libraries are being used as building blocks for creating other libraries.
Risks on using Open Source Software (figure slides)
Risks on using OSS
Including arbitrary code from an online repository can introduce:
Trust issues: Does the code perform the expected functionality? How can I trust code I download from the Internet with my valuable data?
Security issues: How can developers ensure the imported code contains no security holes? How can we know when a security issue discovered in a transitive dependency requires an update?
The observability problem: How can I know that one of my dependencies is outdated?
The update problem: How can I check whether an updated dependency breaks my code?
Risks on using OSS (2)
Including arbitrary code from an online repository can introduce:
Compliance implications: How do I know that I am not violating anyone's copyrights, or that I am not linking against code with incompatible licenses?
It also creates challenges for library maintainers:
● How can I assess the (direct or transitive) impact of my changes? How can I deprecate features (e.g., remove functionality) without knowing who is using them?
● Why should I spend my (free!) time maintaining a library that large corporations depend upon?
● How can I spot instances of my code being distributed without permission?
Ecosystem Failures
The left-pad incident
The left-pad package was unpublished from the npm registry by its author (March 2016).
Outcome: thousands of packages that directly or transitively depended on left-pad broke. Some of the most popular JavaScript libraries (e.g., Babel and React), used by millions of web sites, could no longer be installed or built.
Even after the left-pad incident, a study estimated that packages exist whose removal could affect more than 30% of the core components of the network.
Ecosystem Failures
Equifax data breach
Equifax leaked over 100,000 credit card records (alongside the personal data of about 147 million people) due to a dependency that was not updated.
A vulnerable version of the Apache Struts library (CVE-2017-5638) was in use; its update was postponed because the Equifax security team erroneously underestimated the impact of the bug on their codebase.
The breach has reportedly cost Equifax an unprecedented $4 billion.
Risks overview
The dream of code reuse is a reality, but this reality is not without problems.
Package users need to invest significant resources into shielding themselves from software security, legal compliance and source code incompatibility issues.
On the other hand, package providers have no reasonable means of evolving their offerings in a systematic way, which leads to incompatibility problems with the projects that depend on them.
FASTEN
The FASTEN Project
➢ A project funded by the European Union's H2020 research and innovation programme, led by TU Delft
➢ Team:
● Technische Universiteit Delft (TU Delft)
● Athens University of Economics and Business (AUEB)
● Università degli Studi di Milano
● Endocode AG
● OW2
● Software Improvement Group B.V. (SIG)
● XWiki SAS
The FASTEN Project
Our goal is to make software ecosystems more robust by making package management more intelligent.
The FASTEN Project
HOW?
Creation of an ecosystem-wide Fine-Grained Call Graph (FGCG), at the function level.
The FASTEN Project (figure slides)
1. Current status
2. Fine-Grained Call Graph (FGCG)
Promises of Call-based Dependency Networks
Fully precise usage analysis:
Does this vulnerability affect my code?
Am I linking to GPL code?
Fully precise impact analysis:
How many clients will I break if I change this?
Can I safely update?
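As an added example (not FASTEN's own code or output), the two queries above expressed over a constructed function-level call graph: forward reachability from the application's entry points answers whether a vulnerable function is actually called (usage analysis), and reverse reachability answers which client packages a change to a function would affect (impact analysis). The graph, the package names and the functions marked as vulnerable are assumptions made for illustration.

```python
"""Function-level reachability over a merged call graph.

Added example, not FASTEN's own code: the graph, package names and the
"vulnerable" functions below are constructed for illustration.
"""
from collections import deque

# Constructed merged call graph. Nodes are "package:function"; each edge
# goes from caller to callee. The application (package "app") depends on
# lib-a, which depends on lib-b. lib-a:render_unsafe ships in lib-a but is
# never called by the application.
CALL_GRAPH = {
    "app:main":            ["app:handle_request", "lib-a:parse"],
    "app:handle_request":  ["lib-a:render"],
    "lib-a:parse":         ["lib-b:tokenize"],
    "lib-a:render":        [],
    "lib-a:render_unsafe": ["lib-b:eval_template"],
    "lib-b:tokenize":      [],
    "lib-b:eval_template": [],
}


def package_of(node):
    return node.split(":", 1)[0]


def find_path(graph, roots, target):
    """BFS from `roots`; returns one call path ending at `target`, or None
    when `target` is not reachable in the graph."""
    parent = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, ()):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def reverse_graph(graph):
    """Edges flipped (callee -> callers), for impact queries."""
    rev = {node: [] for node in graph}
    for caller, callees in graph.items():
        for callee in callees:
            rev.setdefault(callee, []).append(caller)
    return rev


def vulnerability_affects(graph, entry_points, vulnerable_functions):
    """Usage analysis ("does this vulnerability affect my code?").
    Maps each vulnerable function to a witness call path from an entry
    point, or None when no path exists. A None answer is only as sound as
    the graph: edges made through reflection, dynamic loading or eval are
    invisible to static call-graph construction."""
    return {fn: find_path(graph, entry_points, fn) for fn in vulnerable_functions}


def impacted_clients(graph, changed_function):
    """Impact analysis ("how many clients will I break if I change this?").
    Returns the packages, other than the owner, that transitively call
    `changed_function`."""
    rev = reverse_graph(graph)
    callers = set()
    queue = deque([changed_function])
    while queue:
        node = queue.popleft()
        for caller in rev.get(node, ()):
            if caller not in callers:
                callers.add(caller)
                queue.append(caller)
    return sorted({package_of(c) for c in callers} - {package_of(changed_function)})


if __name__ == "__main__":
    # Constructed advisory: pretend both lib-b functions are vulnerable.
    advisory = ["lib-b:tokenize", "lib-b:eval_template"]
    for fn, path in vulnerability_affects(CALL_GRAPH, ["app:main"], advisory).items():
        print(fn, "->", " -> ".join(path) if path else "not reachable from app")
    for fn in advisory:
        print("changing", fn, "impacts", impacted_clients(CALL_GRAPH, fn))
```

With this graph, an advisory against lib-b:eval_template does not affect the application (no path from app:main reaches it), while one against lib-b:tokenize does, and the returned path is the evidence a reviewer can check. The reverse query shows that changing lib-b:eval_template would only break lib-a, whereas changing lib-b:tokenize breaks both lib-a and the application. The caveat a practitioner should keep in mind is that a static call graph is an approximation: an "unreachable" verdict is wrong whenever the graph misses an edge (reflection, plugins, eval), and a "reachable" path may be infeasible at run time.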
The FASTEN Project (figure slide)
Example of FASTEN workflow (figure slides)
Deciding to use a library
Maintaining a library
Build your project!
● By using a package management tool you connect to the FASTEN knowledge base:
➢ Static call graph generation – dependency network
➢ FASTEN analysis [security, compliance, quality and risk]
➢ Risk overview of the application
Risk Analyzer:
● Evaluation of application-level risk regarding:
1. the dependencies claimed by the application, and
2. the detected transitive dependencies
● Evaluation of the actual usage of the libraries
→ Reports a risk profile (security, code quality, library freshness, etc.)
● Continuous risk evaluation of the library dependencies of an application
→ FASTEN analysis [security, quality and risk]
Detection of License Compliance:
● License metadata:
– License information, copyrights, etc.
– License obligations
→ e.g. the requirement to provide the corresponding source code, or that the resulting software must be non-commercial
● License compliance:
– From the license metadata and a set of rules, the license compliance of the dependency graph is derived
→ Reports a risk profile
→ FASTEN analysis [license compliance]
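As an added example that is not FASTEN's code, the following combines the Risk Analyzer checks (claimed vs. detected transitive dependencies, library freshness) with the license checks of this slide (obligations per dependency, rule-based compliance) over a constructed package registry and application manifest. The registry contents, the obligation table and the single incompatibility rule are assumptions made for illustration; real license compatibility needs the actual license texts and legal review.

```python
"""Application-level dependency risk report.

Added example, not FASTEN's own code. The registry, the application
manifest and the license rule tables are constructed and simplified for
illustration; licenses are named by SPDX identifier.
"""

# Constructed registry: (package, version) -> pinned dependencies and license.
REGISTRY = {
    ("lib-a", "1.1.0"): {"deps": {"lib-b": "2.0.0"}, "license": "MIT"},
    ("lib-a", "1.2.0"): {"deps": {"lib-b": "2.1.0"}, "license": "MIT"},
    ("lib-b", "2.0.0"): {"deps": {"lib-c": "0.9.0"}, "license": "Apache-2.0"},
    ("lib-b", "2.1.0"): {"deps": {"lib-c": "1.0.0"}, "license": "Apache-2.0"},
    ("lib-c", "0.9.0"): {"deps": {}, "license": "GPL-2.0-only"},
    ("lib-c", "1.0.0"): {"deps": {}, "license": "GPL-3.0-or-later"},
}

# Constructed manifest: the dependencies the application *claims*, plus its own license.
MANIFEST = {"license": "MIT", "deps": {"lib-a": "1.1.0"}}

# Simplified obligation table (an assumption for this example, not legal advice).
OBLIGATIONS = {
    "MIT":              {"preserve-notice"},
    "Apache-2.0":       {"preserve-notice", "state-changes"},
    "GPL-2.0-only":     {"preserve-notice", "provide-source", "copyleft"},
    "GPL-3.0-or-later": {"preserve-notice", "provide-source", "copyleft"},
}
# License pairs that cannot be combined in one distributed work. Apache-2.0
# is compatible with GPLv3 but not with GPL-2.0-only.
INCOMPATIBLE = {frozenset({"Apache-2.0", "GPL-2.0-only"})}


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def latest_version(name):
    return max((v for (n, v) in REGISTRY if n == name), key=parse_version)


def resolve_transitive(manifest):
    """Detected dependencies: the transitive closure of the pinned deps."""
    resolved = {}
    stack = list(manifest["deps"].items())
    while stack:
        name, version = stack.pop()
        if name in resolved:
            if resolved[name] != version:
                raise ValueError(f"conflicting versions for {name}")
            continue
        resolved[name] = version
        stack.extend(REGISTRY[(name, version)]["deps"].items())
    return resolved


def risk_report(manifest):
    resolved = resolve_transitive(manifest)
    licenses = {n: REGISTRY[(n, v)]["license"] for n, v in resolved.items()}
    # Freshness: a resolved version that is behind the newest one in the registry.
    outdated = {n: (v, latest_version(n)) for n, v in resolved.items()
                if parse_version(v) < parse_version(latest_version(n))}
    conflicts = []
    for n, lic in licenses.items():
        # A copyleft dependency makes the combined work subject to its license.
        if "copyleft" in OBLIGATIONS[lic] and lic != manifest["license"]:
            conflicts.append(("copyleft", n, lic))
    parties = list(licenses.items()) + [("<app>", manifest["license"])]
    for i, (n1, l1) in enumerate(parties):
        for n2, l2 in parties[i + 1:]:
            if frozenset({l1, l2}) in INCOMPATIBLE:
                conflicts.append(("incompatible", n1, n2))
    return {
        "resolved": resolved,
        "undeclared": sorted(set(resolved) - set(manifest["deps"])),
        "outdated": outdated,
        "obligations": {n: sorted(OBLIGATIONS[lic]) for n, lic in licenses.items()},
        "license_conflicts": conflicts,
    }


if __name__ == "__main__":
    for key, value in risk_report(MANIFEST).items():
        print(f"{key}: {value}")
```

For the constructed manifest the report lists lib-b and lib-c as detected but undeclared, marks all three libraries as outdated, records the provide-source and copyleft obligations inherited through lib-c, and flags that lib-b (Apache-2.0) is being combined with lib-c (GPL-2.0-only). Re-running the report with lib-a pinned to 1.2.0 shows how the analysis answers "can I safely update?" at the package level: the transitive dependencies become current and the Apache-2.0/GPL-2.0-only incompatibility disappears, while the copyleft obligation remains.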
https://www.fasten-project.eu
Contributors:
https://twitter.com/fastenproject
https://github.com/fasten-project
The opinions expressed in this document reflect only the author's view and in no way reflect the European Commission's opinions. The European Commission is not responsible for any use that may be made of the information it contains.

FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
