Standard

Software Ecosystem Call Graph for Dependency Management. / Hejderup, Joseph; van Deursen, Arie; Gousios, Georgios.

Proceedings of 40th International Conference on Software Engineering: New Ideas and Emerging Results Track. 2018.

Research output: Scientific - peer-review, Conference contribution

Harvard

Hejderup, J, van Deursen, A & Gousios, G 2018, Software Ecosystem Call Graph for Dependency Management. in Proceedings of 40th International Conference on Software Engineering: New Ideas and Emerging Results Track. ICSE 2018, Gothenburg, Sweden, 27/05/18. DOI: 10.1145/3183399.3183417

APA

Hejderup, J., van Deursen, A., & Gousios, G. (2018). Software Ecosystem Call Graph for Dependency Management. In Proceedings of 40th International Conference on Software Engineering: New Ideas and Emerging Results Track DOI: 10.1145/3183399.3183417

Vancouver

Hejderup J, van Deursen A, Gousios G. Software Ecosystem Call Graph for Dependency Management. In Proceedings of 40th International Conference on Software Engineering: New Ideas and Emerging Results Track. 2018. Available from: https://doi.org/10.1145/3183399.3183417

Author

Hejderup, Joseph ; van Deursen, Arie ; Gousios, Georgios. / Software Ecosystem Call Graph for Dependency Management. Proceedings of 40th International Conference on Software Engineering: New Ideas and Emerging Results Track. 2018.

BibTeX

@inbook{6f088b70bccb476eb092395078dec39b,
title = "Software Ecosystem Call Graph for Dependency Management",
abstract = "A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a counter measure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystem-level call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.",
keywords = "dependency management, software ecosystem, dependencies, call graph, program analysis",
author = "Joseph Hejderup and {van Deursen}, Arie and Georgios Gousios",
note = "R2 - Software Engineering in Other Domains",
year = "2018",
doi = "10.1145/3183399.3183417",
booktitle = "Proceedings of 40th International Conference on Software Engineering",
}

RIS

TY - CHAP

T1 - Software Ecosystem Call Graph for Dependency Management

AU - Hejderup,Joseph

AU - van Deursen,Arie

AU - Gousios,Georgios

N1 - R2 - Software Engineering in Other Domains

PY - 2018

Y1 - 2018

N2 - A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a counter measure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystem-level call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.

AB - A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a counter measure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystem-level call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.

KW - dependency management

KW - software ecosystem

KW - dependencies

KW - call graph

KW - program analysis

U2 - 10.1145/3183399.3183417

DO - 10.1145/3183399.3183417

M3 - Conference contribution

BT - Proceedings of 40th International Conference on Software Engineering

ER -

ID: 38776307
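The idea the abstract outlines, a versioned, ecosystem-level call graph that can say whether a vulnerable function in a core package is actually reached from a client, contrasted with a package-level dependency checker that "only provides indicative information", as an added example in Python. This is not code from the paper or its authors; the packages, versions, functions, the pinned-version resolution and the "vulnerability" record are all constructed for illustration.

```python
"""Toy versioned ecosystem call graph: package-level vs. call-level impact.
Added example (not the paper's code); every package, version and function below is constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One function in one concrete release, so the graph is versioned."""
    package: str
    version: str
    function: str


@dataclass
class Release:
    package: str
    version: str
    deps: dict    # dependency -> version (assumption: exact pins, no ranges)
    calls: dict   # function -> [(callee package, callee function)]


# Constructed mini-ecosystem: core@1.0 carries a hypothetical vulnerable sink, core@1.1 fixed it.
RELEASES = [
    Release("core", "1.0", {}, {"parse": [("core", "unsafe_eval")], "unsafe_eval": [], "format": []}),
    Release("core", "1.1", {}, {"parse": [("core", "safe_eval")], "safe_eval": [], "format": []}),
    Release("mid", "2.0", {"core": "1.0"}, {"render": [("core", "format")], "load": [("core", "parse")]}),
    # Two clients on the same resolved tree; only one can reach the bad code.
    Release("app-a", "0.1", {"mid": "2.0"}, {"main": [("mid", "render")]}),
    Release("app-b", "0.1", {"mid": "2.0"}, {"main": [("mid", "load")]}),
]
VULN = {"package": "core", "affected": {"1.0"}, "function": "unsafe_eval"}  # constructed advisory


def build_graph(releases):
    """Resolve each call edge to a concrete (package, version, function) node."""
    index = {(r.package, r.version): r for r in releases}
    graph = {}
    for r in releases:
        for fn, callees in r.calls.items():
            src = Node(r.package, r.version, fn)
            graph.setdefault(src, [])
            for cpkg, cfn in callees:
                # Intra-package calls stay on this release; cross-package calls
                # go to whichever version this release resolved in its deps.
                cver = r.version if cpkg == r.package else r.deps[cpkg]
                if cfn not in index[(cpkg, cver)].calls:
                    raise KeyError(f"{cpkg}@{cver} has no function {cfn}")
                dst = Node(cpkg, cver, cfn)
                graph[src].append(dst)
                graph.setdefault(dst, [])
    return index, graph


def transitive_releases(index, package, version):
    """What a package-level dependency checker sees: the whole resolved tree."""
    seen, stack = set(), [(package, version)]
    while stack:
        key = stack.pop()
        if key not in seen:
            seen.add(key)
            stack.extend(index[key].deps.items())
    return seen


def call_path(graph, start, vuln):
    """BFS from a client entry point to the vulnerable function in an affected release."""
    targets = {Node(vuln["package"], v, vuln["function"]) for v in vuln["affected"]}
    parent, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur in targets:
            path = []
            while cur is not None:
                path.append(f"{cur.package}@{cur.version}:{cur.function}")
                cur = parent[cur]
            return path[::-1]
        for nxt in graph.get(cur, []):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def assess(index, graph, client, entry, vuln):
    """Package-level verdict (indicative) next to the call-level verdict (evidence)."""
    tree = transitive_releases(index, *client)
    path = call_path(graph, Node(*client, entry), vuln)
    return {
        "package_level": any((vuln["package"], v) in tree for v in vuln["affected"]),
        "call_level": path is not None,
        "path": path or [],
    }


if __name__ == "__main__":
    index, graph = build_graph(RELEASES)
    for client in (("app-a", "0.1"), ("app-b", "0.1")):
        print(client, assess(index, graph, client, "main", VULN))
```

Both clients pull in core@1.0 through mid@2.0, so a package-level checker flags both. Walking the call graph shows that app-a only ever reaches core@1.0:format, while app-b has a concrete path main -> load -> parse -> unsafe_eval; that path is the evidence the abstract is after. Real ecosystems need version-range resolution, dynamic dispatch and per-version call-graph extraction on top of this skeleton, none of which the toy models.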