6. Sharing through software libraries
❖ One form of sharing is providing libraries
❖ Today, libraries are made available in the Internet
7. Sharing through software libraries
❖ One form of sharing is providing libraries
❖ Today, libraries are made available in the Internet
❖ on forges (SourceForge, GitHub, BitBucket, …)
8. Sharing through software libraries
❖ One form of sharing is providing libraries
❖ Today, libraries are made available in the Internet
❖ on forges (SourceForge, GitHub, BitBucket, …)
❖ or repositories (Maven, PyPi, CPAN, …)
9. Sharing through software libraries
❖ One form of sharing is providing libraries
❖ Today, libraries are made available in the Internet
❖ on forges (SourceForge, GitHub, BitBucket, …)
❖ or repositories (Maven, PyPi, CPAN, …)
❖ Internet made the dream of collaborative development a
reality
11. Industrial revolution
at the harbour of software development
❖ All trades, arts, and handiworks have gained by
division of labour, namely, when, instead of one
man doing everything, each confines himself to a
certain kind of work distinct from others in the
treatment it requires, so as to be able to perform it
with greater facility and in the greatest
perfection. Where the different kinds of work are
not distinguished and divided, where everyone is
a jack-of-all-trades, there manufactures remain
still in the greatest barbarism.
Immanuel Kant
Groundwork for the Metaphysics
of Morals (1785)
23. Dependency graphs
❖ Library+versions and their
dependencies form (complex,
huge) dependency networks
❖ Version constraints make these
networks more complicated
than simple graphs
24. Dependency graphs
❖ Library+versions and their
dependencies form (complex,
huge) dependency networks
❖ Version constraints make these
networks more complicated
than simple graphs
❖ Package manager will finally
determine which version is
chosen for each library
31. Recent dependency nightmares
❖ The leftpad incident (2016): millions of websites
affected
❖ The Equifax breach (2017): costed 4B$
32. Epidemics in dependency graphs
Lib A, vers 1.0
Lib B, vers 2.5
Lib C, vers 1.5Lib D, vers 3.0
33. Epidemics in dependency graphs
Lib A, vers 1.0
Lib B, vers 2.5
Lib C, vers 1.5Lib D, vers 3.0
A vulnerability alert
is issued
about Lib D, vers 3.0
34. Epidemics in dependency graphs
Lib A, vers 1.0
Lib B, vers 2.5
Lib C, vers 1.5Lib D, vers 3.0
A vulnerability alert
is issued
about Lib D, vers 3.0
All libraries in this
graph are infected!
39. Epidemics in dependency graphs
A.f0
A.f2
A.f3
B.f1
B.f2
B.f3
C.f1
C.f2
D.f1
D.f2
D.f3
A vulnerability alert
is issued
about Lib D, vers 3.0,
function f3
40. Epidemics in dependency graphs
A.f0
A.f2
A.f3
B.f1
B.f2
B.f3
C.f1
C.f2
D.f1
D.f2
D.f3
A vulnerability alert
is issued
about Lib D, vers 3.0,
function f3
41. Epidemics in dependency graphs
A.f0
A.f2
A.f3
B.f1
B.f2
B.f3
C.f1
C.f2
D.f1
D.f2
D.f3
A vulnerability alert
is issued
about Lib D, vers 3.0,
function f3
Much more informative!
43. Examples
❖ Fully precise change impact analysis: “How many libraries
are affected if I remove/modify a certain method/interface?”
44. Examples
❖ Fully precise change impact analysis: “How many libraries
are affected if I remove/modify a certain method/interface?”
❖ Fully precise license compliance: “Is my library compliant
with the licenses of the libraries that I depend from (directly or
indirectly)? (e.g., am I linking any GPL code?)”
45. Examples
❖ Fully precise change impact analysis: “How many libraries
are affected if I remove/modify a certain method/interface?”
❖ Fully precise license compliance: “Is my library compliant
with the licenses of the libraries that I depend from (directly or
indirectly)? (e.g., am I linking any GPL code?)”
❖ Fully precise risk profiling: “Does this vulnerability affect my
code?”
46. Examples
❖ Fully precise change impact analysis: “How many libraries
are affected if I remove/modify a certain method/interface?”
❖ Fully precise license compliance: “Is my library compliant
with the licenses of the libraries that I depend from (directly or
indirectly)? (e.g., am I linking any GPL code?)”
❖ Fully precise risk profiling: “Does this vulnerability affect my
code?”
❖ Centrality analysis: “What methods/functions are more central
within a given ecosystem? are there bottlenecks? critical points?”
50. The FASTEN toolchain
Project information
Security
alerts
Repositories
publish
Data stream
FASTEN
server
publish
publish
51. The FASTEN toolchain
Project information
Security
alerts
Repositories
publish
Data stream
FASTEN
server
Call-graph
construction
publish
publish
52. The FASTEN toolchain
Project information
Security
alerts
Repositories
publish
Data stream
FASTEN
server
Call-graph
construction
Storage
layer
publish
publish
53. The FASTEN toolchain
Project information
Security
alerts
Repositories
publish
Data stream
FASTEN
server
Call-graph
construction
Storage
layer
Analysis
layer
publish
publish
54. The FASTEN toolchain
Project information
Security
alerts
Repositories
publish
Data stream
FASTEN
server
Call-graph
construction
Storage
layer
Analysis
layer
RESTApi
publish
publish
55. The FASTEN toolchain
Project information
Security
alerts
Repositories
publish
Data stream
FASTEN
server
Call-graph
construction
Storage
layer
Analysis
layer
RESTApiWebUI
publish
publish
56. The FASTEN toolchain
Project information
Security
alerts
Repositories
publish
Data stream
FASTEN
server
Call-graph
construction
Storage
layer
Analysis
layer
RESTApiWebUI
publish
publish
Continuous
integration server
57. The FASTEN toolchain
Project information
Security
alerts
Repositories
publish
Data stream
FASTEN
server
Call-graph
construction
Storage
layer
Analysis
layer
RESTApiWebUI
publish
publish
Continuous
integration server
58. The FASTEN toolchain
Project information
Security
alerts
Repositories
publish
Data stream
FASTEN
server
Call-graph
construction
Storage
layer
Analysis
layer
RESTApiWebUI
publish
publish
Continuous
integration server
Developer
60. Updating a library
# Check outdated dependencies
$ pip list --outdated
Package Version Latest Type
---------- ------- ------ -----
Pygments 2.2.0 2.3.1 wheel
Before
61. Updating a library
# Check outdated dependencies
$ pip list --outdated
Package Version Latest Type
---------- ------- ------ -----
Pygments 2.2.0 2.3.1 wheel
Before # Check outdated dependencies
$ pip list --outdated
Package Version Latest Type
---------- ------- ------ -----
Pygments 2.2.0 2.3.1 wheel
Updating Pygments will affect:
foo.py: function colorize
bar.py: function parse
After
62. Updating a library
# Check outdated dependencies
$ pip list --outdated
Package Version Latest Type
---------- ------- ------ -----
Pygments 2.2.0 2.3.1 wheel
Before # Check outdated dependencies
$ pip list --outdated
Package Version Latest Type
---------- ------- ------ -----
Pygments 2.2.0 2.3.1 wheel
Updating Pygments will affect:
foo.py: function colorize
bar.py: function parse
After
# Estimate update impact
$ pip install --dry-run Pygments
Function Pygments.Formatter.format[formatter.py]
changed ->
check <your_app> at colorize[foo.py]:32
64. Information about a library
# Checking info about the library
$ pip show tornado
Name: tornado
Version: 5.0
Summary: Tornado is a Python web framework ...
Home-page: http://www.tornadoweb.org/
Author: Facebook
Author-email: ...
License: http://www.apache.org/licenses/
LICENSE-2.0
Location: ...
Requires: backports-abc, futures,
singledispatch
Required-by:
Before
65. Information about a library
# Checking info about the library
$ pip show tornado
Name: tornado
Version: 5.0
Summary: Tornado is a Python web framework ...
Home-page: http://www.tornadoweb.org/
Author: Facebook
Author-email: ...
License: http://www.apache.org/licenses/
LICENSE-2.0
Location: ...
Requires: backports-abc, futures,
singledispatch
Required-by:
Before
# Checking info about the library
$ pip show tornado
Name: tornado
Version: 5.0
License: http://www.apache.org/licenses/
LICENSE-2.0
...
Maintainers: 3
Community size: 15
Used by: 145 on PyPI, 34433 on GitHub
Latest vulnerability: 13 months ago
All known vulnerabilities: 25 (best 10%)
License rating: Compatible
After
67. Who uses my function?
# Check uses of function pkg.list() in dependents
$ pip query --uses pkg.list
depA(v1.2).parse()
depA(v1.2).test()
depB(0.0.2).foo()
depC(1.2.1).calculate()X
68. Who uses my function?
# Check uses of function pkg.list() in dependents
$ pip query --uses pkg.list
depA(v1.2).parse()
depA(v1.2).test()
depB(0.0.2).foo()
depC(1.2.1).calculate()X
# Rank them by importance (aka centrality)
$ pip query --uses --rank pkg.list
depC(1.2.1).calculate()
depB(0.0.2).foo()
depA(v1.2).parse()
depA(v1.2).test()
69. Who uses my function?
# Check uses of function pkg.list() in dependents
$ pip query --uses pkg.list
depA(v1.2).parse()
depA(v1.2).test()
depB(0.0.2).foo()
depC(1.2.1).calculate()X
# Estimate "damage" if pkg.list will be updated
$ pip query —total pkg.list
3 direct and 223 indirect dependencies will be affected)
# Rank them by importance (aka centrality)
$ pip query --uses --rank pkg.list
depC(1.2.1).calculate()
depB(0.0.2).foo()
depA(v1.2).parse()
depA(v1.2).test()
70. Who uses my function?
# Check uses of function pkg.list() in dependents
$ pip query --uses pkg.list
depA(v1.2).parse()
depA(v1.2).test()
depB(0.0.2).foo()
depC(1.2.1).calculate()X
# Estimate "damage" if pkg.list will be updated
$ pip query —total pkg.list
3 direct and 223 indirect dependencies will be affected)
# Notify direct dependencies of upcoming breakage
$ pip query --uses pkg.list |
cut -f 1 -d '(' |
xargs -I {} pip show {} |
grep Author-email: | cut -f 2 -d ':' |
xargs mail -s 'MyProject update will break yours!'
# Rank them by importance (aka centrality)
$ pip query --uses --rank pkg.list
depC(1.2.1).calculate()
depB(0.0.2).foo()
depA(v1.2).parse()
depA(v1.2).test()