To help developers track their dependencies, FASTEN provides a new intelligent package management framework that sits on top of existing dependency management tools. The FASTEN European research project aims to support DevOps teams in managing and mastering their dependencies at a finer-grained level than current tools allow.

The FASTEN consortium is building an intelligent dependency management solution that brings innovations such as a more accurate evaluation of the impact of dependencies, of security vulnerabilities, of license compliance and risk, and of the consequences that library API changes have on their users.

FASTEN tracks the dependencies between components down to a very fine-grained level: the individual function or method.

The project is led by a team of researchers from TU Delft in the Netherlands, together with academics in Milan and Athens, industry engineers from the SMEs Endocode, SIG and XWiki, and the OW2 open source community. This article presents the first results obtained after more than two years of cooperation, which started in January 2019 and is funded by the European Commission for three years.

Software produced by the FASTEN project is open source, so any development team can provide feedback and help improve the tools.

FASTEN Wants To Tame Dependencies

FASTEN addresses a fundamental problem for developers: the way they manage their projects' dependencies. Reusing existing dependencies (usually open source) is easy thanks to build automation tools and package managers. However, several risks should be identified and assessed beforehand.

Indeed, when developers reuse third-party tools or libraries to save time, they give up some control over the code that becomes part of their application. Software systems may depend on many external libraries and components that evolve separately, without centralized coordination. Several questions therefore arise about the integrated functionality, relating to trust, to security, and to the lack of notification when a component evolves.

How do you verify that the functions provided by a dependency do what is expected, without unwanted security implications?

How can one guarantee that a dependency update will not stop the end-user application from running?

Costly Consequences

In recent years, we have witnessed several spectacular ecosystem failures with severe implications for client programs, end users, and the further adoption of OSS:

  • A dispute over a package name in the npm ecosystem led to the removal of a package called left-pad. Its removal broke the builds of thousands of packages that directly or transitively depended on left-pad, and hence caused a major disruption for client programs. Even after the left-pad incident, a study estimated that packages exist whose removal can affect more than 30% of the core components of the network.
  • Equifax exposed the personal data of roughly 147 million people, including about 209,000 credit card numbers, because of a dependency that was not updated. The compromised systems ran a vulnerable version of the Apache Struts framework (CVE-2017-5638); the update was postponed because Equifax's security team failed to identify which of their systems were actually affected by the bug.
  • Malicious developers uploaded packages to the Python Package Index (PyPI) whose names were deliberate misspellings of popular packages, almost identical to the originals (e.g., urllib instead of urllib3). The intention was to steal information from the applications of developers who mistyped the package name in their dependency file and thereby installed the impostor.

Development teams should guard against such technical issues as well as legal problems, including incompatible open source licenses. In particular, the consequences of even the smallest code change in a dependency should be known both to the team that keeps the application in operational condition and to the IT security team; today this is not easily done.

A better way to manage dependencies is therefore necessary, and this is precisely the goal of the FASTEN project (Fine-Grained Analysis of Software Ecosystems as Networks).

An Analysis of Dependent Functions

FASTEN's goal is to strengthen software ecosystems through smarter analysis of application dependencies. Its analysis tools are under development for popular programming languages such as Java, Python, and C.
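To make the difference between package-level and function-level dependency analysis concrete, here is an added, self-contained example in Python. It is not FASTEN's code and does not use FASTEN's tooling: it builds a small call graph with Python's standard `ast` module over three constructed modules (`app`, `parsers`, `netlib`) and treats `netlib.legacy_fetch` as a hypothetical vulnerable function. A manifest-style check flags `app` because it transitively imports `netlib`; the call-graph check shows that no entry point of `app` actually reaches the vulnerable function, which is the kind of question the fine-grained analysis described above is meant to answer.

```python
"""Function-level reachability over a call graph built with the ast module.

Constructed sample (hypothetical modules, not real packages): `app` imports
`parsers`, which imports `netlib`; `netlib.legacy_fetch` is assumed vulnerable.
"""
import ast
from collections import deque

# Constructed sample modules: module name -> source text.
SOURCES = {
    "netlib": '''
def fetch(url):
    return "GET " + url

def legacy_fetch(url):  # assumed vulnerable for this example
    return "GET " + url + " (unsafe)"
''',
    "parsers": '''
import netlib

def parse_remote(url):
    return netlib.fetch(url).upper()

def parse_remote_legacy(url):
    return netlib.legacy_fetch(url).upper()
''',
    "app": '''
import parsers

def handler(url):
    return parsers.parse_remote(url)

def main():
    return handler("http://example.invalid/")
''',
}


def module_deps(sources):
    """Package-level view: module -> modules it imports (plain `import x` only)."""
    return {mod: {alias.name for node in ast.walk(ast.parse(src))
                  if isinstance(node, ast.Import) for alias in node.names}
            for mod, src in sources.items()}


def build_call_graph(sources):
    """Function-level view: "mod.func" -> set of "mod2.func2" it calls.

    Resolution is deliberately simple: `name(...)` resolves to a top-level
    function of the same module, `alias.name(...)` to a function of the module
    imported under that alias. `from x import y` and dynamic calls are ignored.
    """
    graph = {}
    for mod, src in sources.items():
        tree = ast.parse(src)
        imported = {alias.asname or alias.name: alias.name
                    for node in ast.walk(tree) if isinstance(node, ast.Import)
                    for alias in node.names}
        funcs = [n for n in tree.body if isinstance(n, ast.FunctionDef)]
        local = {f.name for f in funcs}
        for fn in funcs:
            callees = set()
            for call in (c for c in ast.walk(fn) if isinstance(c, ast.Call)):
                target = call.func
                if isinstance(target, ast.Name) and target.id in local:
                    callees.add(f"{mod}.{target.id}")
                elif (isinstance(target, ast.Attribute)
                      and isinstance(target.value, ast.Name)
                      and target.value.id in imported):
                    callees.add(f"{imported[target.value.id]}.{target.attr}")
            graph[f"{mod}.{fn.name}"] = callees
    return graph


def call_path(graph, start, target):
    """Shortest path from start to target (BFS), or None if unreachable."""
    parent = {start: None}
    todo = deque([start])
    while todo:
        node = todo.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in sorted(graph.get(node, ())):
            if callee not in parent:
                parent[callee] = node
                todo.append(callee)
    return None


def affected_at_package_level(sources, root, vulnerable_module):
    """True if root transitively imports the vulnerable module."""
    return call_path(module_deps(sources), root, vulnerable_module) is not None


def affected_at_function_level(sources, entry_points, vulnerable_function):
    """Call chain from the first entry point that reaches the function, else None."""
    graph = build_call_graph(sources)
    for entry in entry_points:
        path = call_path(graph, entry, vulnerable_function)
        if path:
            return path
    return None


if __name__ == "__main__":
    print("package level :", affected_at_package_level(SOURCES, "app", "netlib"))
    print("function level:", affected_at_function_level(SOURCES, ["app.main"], "netlib.legacy_fetch"))
```

Run stand-alone, the package-level check reports `True` while the function-level check reports `None`: the application depends on the vulnerable module but never calls the vulnerable function. The resolver here is intentionally naive (no `from` imports, no methods, no dynamic dispatch); a real tool has to handle those, which is exactly where the effort of a project like FASTEN goes.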


Solving Modern Software Dependency Management Issues