To help developers track dependencies, FASTEN provides a new intelligent package management framework on top of existing dependency management tools. The FASTEN European research project aims to support DevOps teams by helping them manage and master dependencies at a finer-grained level than they do today.
The FASTEN consortium is preparing an intelligent dependency management solution that will bring innovations such as a more accurate evaluation of the impact of dependencies, security vulnerabilities, license compliance, risk management, and the consequences of library API changes on users.
FASTEN tracks the dependencies in components down to a very fine-grained level — the function, or method.
The project is led by a team of researchers from TU Delft in the Netherlands, together with academics in Milan and Athens, industry engineers from the SMEs Endocode, SIG and XWiki, and the OW2 open source community. This article presents the first results obtained after more than 2 years of cooperation, started in January 2019 and funded by the European Commission for three years.
Software produced as part of the FASTEN project is open source, so any development team can provide feedback and help improve the tools.
FASTEN addresses a fundamental problem for developers: the way they manage their projects' dependencies. Reusing existing dependencies (usually open source) is easy thanks to build automation tools and package managers, but several risks should be identified and assessed beforehand.
Indeed, when developers reuse existing third-party tools or libraries to save time, they give up some control over the code that becomes part of their application. Software systems may depend on multiple external libraries and components that evolve separately, without centralized coordination. Several questions therefore arise about the integrated functionality, relating to trust, security, or missing notifications about the evolution of a software component.
How do you verify that the functions provided by a dependency do what is expected, without security implications?
How can one guarantee that a dependency update won't stop the end-user application from running?
In recent years, we have witnessed several spectacular ecosystem failures with severe implications on client programs, end-users, and the further adoption of OSS:
Development teams should guard against such technical issues, as well as legal problems such as incompatible open source licenses. In particular, the consequences of the slightest code change should be known to the team responsible for keeping applications operational and to the IT cybersecurity team, which is not easy to achieve today.
A better way to manage dependencies is therefore necessary, and that is precisely the goal of the FASTEN project (Fine-Grained Analysis of Software Ecosystems as Networks).
FASTEN's goal is to strengthen software ecosystems through smarter analysis of application dependencies. Its analysis tools are under development for popular programming languages such as Java, Python, and C.
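As an added illustration of function-level dependency tracking (example code written for this article, not FASTEN's own tooling or API), the following Python builds a call graph from two constructed modules and reports which flagged library functions the application's entry point can actually reach, instead of flagging the whole package. The module names `lib` and `app` and the function `legacy_eval` are assumptions made for the example.

```python
import ast
# Constructed sample modules (not real packages): a tiny library and an app.
SOURCES = {
    "lib": """
def parse(data): return tokenize(data)
def tokenize(data): return data.split()
def legacy_eval(expr): return eval(expr)   # assume an advisory names this function
""",
    "app": """
import lib
def main(): return lib.parse("a b")
""",
}
def build_call_graph(sources):
    """Map 'module.func' -> set of callees, resolved by name. Only edges to functions
    defined in `sources` are kept (builtins, method calls on values and aliasing are ignored)."""
    trees = {mod: ast.parse(src) for mod, src in sources.items()}
    defs = {mod: [n for n in t.body if isinstance(n, ast.FunctionDef)]
            for mod, t in trees.items()}
    known = {f"{mod}.{fn.name}" for mod, fns in defs.items() for fn in fns}
    graph = {name: set() for name in known}
    for mod, fns in defs.items():
        for fn in fns:
            for node in ast.walk(fn):
                if not isinstance(node, ast.Call):
                    continue
                f = node.func
                if isinstance(f, ast.Name):              # tokenize(...) in the same module
                    target = f"{mod}.{f.id}"
                elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    target = f"{f.value.id}.{f.attr}"    # lib.parse(...) across modules
                else:
                    continue
                if target in known:
                    graph[f"{mod}.{fn.name}"].add(target)
    return graph
def reachable(graph, entry):
    """Functions transitively callable from entry (depth-first walk)."""
    seen, stack = set(), [entry]
    while stack:
        fn = stack.pop()
        if fn not in seen:
            seen.add(fn)
            stack.extend(graph.get(fn, ()))
    return seen
def affected(graph, entry, flagged):
    """Flagged functions the entry point can actually reach: the fine-grained verdict."""
    return sorted(reachable(graph, entry) & set(flagged))
```

A package-level check would report `app` as exposed because it depends on `lib`; the call-graph walk shows that `lib.legacy_eval` is never reached from `app.main`.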