research-article

Fine-Grained Network Analysis for Modern Software Ecosystems

Authors:

Georgios GousiosAuthors Info & Claims

ACM Transactions on Internet Technology (TOIT), Volume 21, Issue 1

Article No.: 1, Pages 1 - 14

https://doi.org/10.1145/3418209

Published: 10 December 2020 Publication History

Abstract

Modern software development is increasingly dependent on components, libraries, and frameworks coming from third-party vendors or open-source suppliers and made available through a number of platforms (or forges). This way of writing software puts an emphasis on reuse and on composition, commoditizing the services that modern applications require. On the other hand, bugs and vulnerabilities in a single library living in one such ecosystem can affect, directly or by transitivity, a huge number of other libraries and applications. Currently, only product-level information on library dependencies is used to contain this kind of danger, but this knowledge often reveals itself too imprecise to lead to effective (and possibly automated) handling policies. We will discuss how fine-grained function-level dependencies can greatly improve reliability and reduce the impact of vulnerabilities on the whole software ecosystem.

References

[1]

P. Abate, R. Di Cosmo, G. Gousios, and S. Zacchiroli. 2020. Dependency solving is still hard, but we are getting better at it. In Proceedings of the 27th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). 547--551.

[2]

Christopher Bogart, Christian Kästner, James Herbsleb, and Ferdian Thung. 2016. How to break an API: Cost negotiation and community values in three software ecosystems. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering. ACM, 109--120.

Digital Library

[3]

Paolo Boldi, Marco Rosa, Massimo Santini, and Sebastiano Vigna. 2011. Layered label propagation: A multiresolution coordinate-free ordering for compressing social networks. In Proceedings of the 20th International Conference on World Wide Web, WWW 2011, Hyderabad, India, March 28 - April 1, 2011, Sadagopan Srinivasan, Krithi Ramamritham, Arun Kumar, M. P. Ravindra, Elisa Bertino, and Ravi Kumar (Eds.). ACM, 587--596.

Digital Library

[4]

Paolo Boldi and Sebastiano Vigna. 2014. Axioms for centrality. Internet Math. 10, 3--4 (2014), 222--262.

[5]

Paolo Boldi and Sebastiano Vigna. 2019. (Web/social) graph compression. In Encyclopedia of Big Data Technologies., Sherif Sakr and Albert Y. Zomaya (Eds.). Springer.

[6]

Joseph Hejderup, Moritz Beller, and Georgios Gousios. 2018. Building a Unified Call Graph at Ecosystem Level. Technical Report TUD-SERG-2018-002. Delft University of Techology. 20 pages. Retrieved from http://gousios.org/pubs/ucg.pdf.

[7]

Immanuel Kant. 2002 [1785]. Groundwork for the Metaphysics of Morals. Oxford University Press.

[8]

Riivo Kikas, Georgios Gousios, Marlon Dumas, and Dietmar Pfahl. 2017. Structure and evolution of package dependency networks. In Proceedings of the 14th International Conference on Mining Software Repositories, MSR 2017, Buenos Aires, Argentina, May 20-28, 2017. 102--112.

Digital Library

[9]

Jens Knoop, Oliver Rüthing, and Bernhard Steffen. 1994. Partial dead code elimination. ACM SIGPLAN Notices 29, 6 (1994), 147--158.

Digital Library

[10]

Raula Gaikovina Kula, Daniel M. Germán, Ali Ouni, Takashi Ishio, and Katsuro Inoue. 2017. Do developers update their library dependencies? An empirical study on the impact of security advisories on library migration. CoRR abs/1709.04621 (2017). arxiv:1709.04621 http://arxiv.org/abs/1709.04621

[11]

Benjamin Livshits, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J. Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z. Guyer, Uday P. Khedker, Anders Møller, and Dimitrios Vardoulakis. 2015. In defense of soundiness: A manifesto. Communications of the ACM 58, 2 (2015), 44--46.

Digital Library

[12]

Fabio Mancinelli, Jaap Boender, Roberto Di Cosmo, Jerome Vouillon, Berke Durak, Xavier Leroy, and Ralf Treinen. 2006. Managing the complexity of large free and open source package-based software distributions. In Proceedings of the 21st IEEE/ACM International Conference on Automated Software Engineering (ASE’06). IEEE, 199--208.

Digital Library

[13]

Cassandra Overney, Jens Meinicke, Christian Kästner, and Bogdan Vasilescu. 2020. How to not get rich: An empirical study of donations in open source. In Proceedings of the 2020 42th International Conference on Software Engineering.

Digital Library

[14]

David L. Parnas. 1972. On the criteria to be used in decomposing systems into modules. In Pioneers and Their Contributions to Software Engineering. Springer, 479--498.

[15]

Tom Preston-Werner. [n.d.]. Semantic Versioning 2.0.0. Retrieved from https://semver.org.

[16]

Steven Raemaekers, Arie van Deursen, and Joost Visser. 2017. Semantic versioning and impact of breaking changes in the Maven repository. Journal of Systems and Software 129 (2017), 140--158.

Digital Library

[17]

Xiaoxia Ren, Fenil Shah, Frank Tip, Barbara G. Ryder, and Ophelia Chesley. 2004. Chianti: A tool for change impact analysis of java programs. In Proceedings of the 19th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications. 432--448.

Digital Library

[18]

Anand Ashok Sawant, Romain Robbes, and Alberto Bacchelli. 2018. On the reaction to deprecation of clients of 4+ 1 popular Java APIs and the JDK. Empirical Software Engineering 23, 4 (2018), 2158--2197.

Digital Library

[19]

Jeffrey Xu Yu and Jiefeng Cheng. 2010. Graph Reachability Queries: A Survey. Springer US, Boston, MA, 181--215.

[20]

Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In Proceedings of the 28th {USENIX} Security Symposium ({USENIX} Security 19). 995--1010.

[21]

Maven Central Repository. https://search.maven.org/.

[22]

Nacho Portion Monitor. https://www.npmjs.com/.

[23]

GitHub.com platform. https://github.com/.

[24]

The Complete Open-Source and Business Software Platform. https://sourceforge.net/.

[25]

The State of Open-Source Security Report. https://bit.ly/SoOSS2019.

[26]

The FASTEN project website. https://www.fasten-project.eu/.

Cited By

Butler AFilkov VRay BZhou M(2024)Software Supply Chain Risk: Characterization, Measurement & AttenuationProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695608(2506-2509)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695608
Drosos GSotiropoulos TSpinellis DMitropoulos D(2024)Bloat beneath Python’s Scales: A Fine-Grained Inter-Project Dependency AnalysisProceedings of the ACM on Software Engineering10.1145/36608211:FSE(2584-2607)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660821
Wang ZXiang RLi J(2024)Design of a Classroom Big Data Analysis System Based on Open Source Technology2024 13th International Conference on Educational and Information Technology (ICEIT)10.1109/ICEIT61397.2024.10540683(377-382)Online publication date: 22-Mar-2024
https://doi.org/10.1109/ICEIT61397.2024.10540683
Show More Cited By

Index Terms

Fine-Grained Network Analysis for Modern Software Ecosystems
1. Software and its engineering
  1. Software creation and management
    1. Software development process management
  2. Software notations and tools
    1. Software libraries and repositories

Recommendations

Software Ecosystems: Trends and Impacts on Software Engineering
SBES '12: Proceedings of the 2012 26th Brazilian Symposium on Software Engineering

Economic and social issues are pointed out as Software Engineering (SE) challenges for the next years, since the field needs to treat issues beyond the technical side. These challenges require analyzing the field of SE from another perspective. In this ...
Treating business dimension in software ecosystems
MEDES '11: Proceedings of the International Conference on Management of Emergent Digital EcoSystems

Software Ecosystems (SECOs) have emerged as an approach to improve Software Engineering (SE) in industry considering relations among companies and stakeholders. Companies have opened up their platforms and artifacts to others, including partners and ...
ReuseSEEM: an approach to support the definition, modeling, and analysis of software ecosystems
ICSE Companion 2014: Companion Proceedings of the 36th International Conference on Software Engineering

Software Engineering (SE) community has discussed economic and social issues as a challenge for the next years. Companies and organizations have directly (or not) opened up their software platforms and assets to others, including partners and 3rd party ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Transactions on Internet Technology

ACM Transactions on Internet Technology Volume 21, Issue 1

Visions Paper, Regular Papers, SI: Blockchain in E-Commerce, and SI: Human-Centered Security, Privacy, and Trust in the Internet of Things

February 2021

534 pages

ISSN:1533-5399

EISSN:1557-6051

DOI:10.1145/3441681

Editor:
Ling Liu
Georgia Institute of Technology, USA

Issue’s Table of Contents

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 December 2020

Accepted: 01 August 2020

Revised: 01 July 2020

Received: 01 July 2020

Published in TOIT Volume 21, Issue 1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

FASTEN EU Project

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

14
Total Citations
View Citations
354
Total Downloads

Downloads (Last 12 months)43
Downloads (Last 6 weeks)8

Reflects downloads up to 01 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Butler AFilkov VRay BZhou M(2024)Software Supply Chain Risk: Characterization, Measurement & AttenuationProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695608(2506-2509)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695608
Drosos GSotiropoulos TSpinellis DMitropoulos D(2024)Bloat beneath Python’s Scales: A Fine-Grained Inter-Project Dependency AnalysisProceedings of the ACM on Software Engineering10.1145/36608211:FSE(2584-2607)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660821
Wang ZXiang RLi J(2024)Design of a Classroom Big Data Analysis System Based on Open Source Technology2024 13th International Conference on Educational and Information Technology (ICEIT)10.1109/ICEIT61397.2024.10540683(377-382)Online publication date: 22-Mar-2024
https://doi.org/10.1109/ICEIT61397.2024.10540683
Vial G(2023)A Complex Adaptive Systems Perspective of Software Reuse in the Digital AgeInformation Systems Research10.1287/isre.2023.120034:4(1728-1743)Online publication date: 1-Dec-2023
https://dl.acm.org/doi/10.1287/isre.2023.1200
Setó-Rey DSantos-Martín JLópez-Nozal C(2023)Vulnerability of Package Dependency NetworksIEEE Transactions on Network Science and Engineering10.1109/TNSE.2023.3260880(1-13)Online publication date: 2023
https://doi.org/10.1109/TNSE.2023.3260880
Scarlato M(2023)Open Source License Detection in FASTEN2023 IEEE 30th Annual Software Technology Conference (STC)10.1109/STC58598.2023.00008(7-14)Online publication date: 25-Sep-2023
https://doi.org/10.1109/STC58598.2023.00008
Scarlato MNöth L(2023)LCV-CM: a FASTEN Open Source License Compliance Verifier with Compatibility Matrix.2023 17th International Conference on Open Source Systems and Technologies (ICOSST)10.1109/ICOSST60641.2023.10414244(1-7)Online publication date: 20-Dec-2023
https://doi.org/10.1109/ICOSST60641.2023.10414244
Scarlato MNöth L(2023)License compatibility for Python packages: the FASTEN PyPI plugin2023 17th International Conference on Open Source Systems and Technologies (ICOSST)10.1109/ICOSST60641.2023.10414206(1-6)Online publication date: 20-Dec-2023
https://doi.org/10.1109/ICOSST60641.2023.10414206
Kang MLee EUm SKwak D(2023)Development of a method framework to predict network structure dynamics in digital platforms: Empirical experiments based on API networksKnowledge-Based Systems10.1016/j.knosys.2023.110936280(110936)Online publication date: Nov-2023
https://doi.org/10.1016/j.knosys.2023.110936
Keshani MGousios GProksch S(2023)Frankenstein: fast and lightweight call graph generation for software buildsEmpirical Software Engineering10.1007/s10664-023-10388-729:1Online publication date: 16-Nov-2023
https://dl.acm.org/doi/10.1007/s10664-023-10388-7
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Issue’s Table of Contents