
Characterizing usages, updates and risks of third-party libraries in Java projects

Published in: Empirical Software Engineering

Abstract

Third-party libraries are a key building block in software development because they let developers reuse common functionality instead of reinventing the wheel. However, third-party libraries and the client projects that use them are developed and evolve continuously and asynchronously. As a result, outdated third-party libraries may be widely used in client projects while developers remain unaware of the potential risk (e.g., security bugs) of those usages. Outdated third-party libraries may also be updated in client projects only after a delay, while developers are unaware of the potential risk (e.g., API incompatibilities) of those updates. Developers of third-party libraries, in turn, may be unaware of how their libraries are used or updated in client projects. Therefore, a quantitative and holistic study of the usages, updates and risks of third-party libraries in open-source projects can provide concrete evidence on these problems and practical insights for improving the ecosystem sustainably. In this paper, we make the first contribution towards such a study in the Java ecosystem. First, using 806 open-source projects and 13,565 third-party libraries, we conduct a library usage analysis (e.g., usage intensity and usage outdatedness), followed by a library update analysis (e.g., update intensity and update delay). The two analyses quantify usage and update practices from the two holistic perspectives of open-source projects and third-party libraries. Then, we carry out a library risk analysis (e.g., usage risk and update risk) on 806 open-source projects and 544 security bugs. This analysis quantifies the potential risk of using and updating outdated third-party libraries with respect to security bugs. Our findings suggest practical implications for developers and researchers on the problems of, and potential solutions to, maintaining third-party libraries (e.g., smart alerting and automated updating of outdated third-party libraries). To demonstrate the usefulness of our findings, we propose a security bug-driven alerting system, named LibSecurify, that helps developers make confident decisions by quantifying the risk and the effort of updating outdated third-party libraries. 33 open-source projects confirmed the presence of security bugs after receiving our alerts, and 24 of those 33 have since updated their third-party libraries. We have released our dataset to foster valuable applications and improve the Java third-party library ecosystem.
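The abstract describes alerting on outdated dependencies by quantifying the security risk of the version in use and the effort of moving to a fixed version. The following Python sketch, added here as an illustration and not the paper's LibSecurify code or dataset, shows the shape of such a check over Maven-style version strings: the metrics (versions behind the latest release, releases to cross to reach the fix, and whether the fix lies in a later major version) are simplified stand-ins for the paper's usage and update risk, and all library names, versions and bug ids are constructed.

```python
"""Simplified security-bug-driven alerting, added here as illustration of the
paper's idea (not LibSecurify itself); all names, versions and bug ids are
constructed, and the metrics are simplified stand-ins for the paper's."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.9.10' -> (2, 9, 10); a pre-release suffix like '-SNAPSHOT' is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


@dataclass(frozen=True)
class Advisory:
    bug_id: str      # constructed id, not a real CVE
    library: str
    introduced: str  # first affected release (inclusive)
    fixed: str       # first release carrying the fix (exclusive bound)


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def assess(deps: Dict[str, str], releases: Dict[str, List[str]],
           advisories: List[Advisory]) -> List[dict]:
    """One alert per (dependency, advisory) pair whose used version is affected:
    versions_behind = releases to the latest version (usage outdatedness proxy),
    update_effort = releases to the fixed version, major_jump = API-break proxy."""
    alerts = []
    for lib, used in deps.items():
        history = sorted(releases.get(lib, []), key=parse_version)
        for adv in advisories:
            if adv.library != lib or not is_affected(used, adv):
                continue
            if used not in history or adv.fixed not in history:  # unknown release
                continue
            used_idx, fixed_idx = history.index(used), history.index(adv.fixed)
            alerts.append({
                "library": lib, "bug_id": adv.bug_id, "used": used, "fixed": adv.fixed,
                "versions_behind": len(history) - 1 - used_idx,
                "update_effort": fixed_idx - used_idx,
                "major_jump": parse_version(adv.fixed)[0] > parse_version(used)[0],
            })
    return alerts


# Constructed sample input, not the paper's dataset.
RELEASES = {"example-json": ["1.8.0", "1.9.0", "1.9.1", "2.0.0", "2.0.1"],
            "example-http": ["4.5.0", "4.5.1", "4.5.2"]}
ADVISORIES = [Advisory("BUG-0001", "example-json", "1.8.0", "1.9.1"),
              Advisory("BUG-0002", "example-json", "1.8.0", "2.0.1"),
              Advisory("BUG-0003", "example-http", "4.5.0", "4.5.1")]
DEPS = {"example-json": "1.9.0", "example-http": "4.5.2"}
```

Calling `assess(DEPS, RELEASES, ADVISORIES)` on the sample yields two alerts for `example-json` (one fixable by a single patch release, one only by crossing into the 2.x line) and none for `example-http`, whose version is already past the fix.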




Acknowledgements

This work was supported by the National Natural Science Foundation of China (Grant No. 61802067). Bihuan Chen is the corresponding author of this paper.

Author information

Corresponding author

Correspondence to Bihuan Chen.

Ethics declarations

Conflict of Interest

The authors have no competing interests to declare that are relevant to the content of this article.

Additional information

Communicated by: Zhenchang Xing and Kelly Blincoe

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article belongs to the Topical Collection: Software Maintenance and Evolution (ICSME)


Cite this article

Huang, K., Chen, B., Xu, C. et al. Characterizing usages, updates and risks of third-party libraries in Java projects. Empir Software Eng 27, 90 (2022). https://doi.org/10.1007/s10664-022-10131-8


  • DOI: https://doi.org/10.1007/s10664-022-10131-8
