Joseph Hejderup scite author profile

Deursen

Gousios

2018

A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a counter measure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystemlevel call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.

Blockchain-Based Software Engineering

Beller

2019

Blockchain technology has found a great number of applications, from the banking sector to the Internet of Things (IoT). However, it has not yet been envisioned which problems in Software Engineering Blockchain technology could solve. In this paper, we coin this field "Blockchain-based Software Engineering" and exemplify how Blockchain technology can be applied to two core Software Engineering problems: Continuous Integration Services such as Travis CI and Package Managers such as apt-get. We believe that Blockchain technology could help (1) democratize and professionalize Software Engineering infrastructure that currently relies on free work done by few volunteers, (2) improve the quality of released artifacts, and (3) increase trust in ubiquitously used infrastructure such as GitHub Travis CI.

Enabling real-time feedback in software engineering

Vargas

Kechagia

et al. 2018

Modern software projects consist of more than just code: teams follow development processes, the code runs on servers or mobile phones and produces run time logs and users talk about the software in forums like StackOverflow and Twitter and rate it on app stores. Insights stemming from the real-time analysis of combined software engineering data can help software practitioners to conduct faster decision-making. With the development of CodeFeedr, a Real-time Software Analytics Platform , we aim to make software analytics a core feedback loop for software engineering projects. CodeFeedr's vision entails: (1) The ability to unify archival and current software analytics data under a single query language, and (2) The feasibility to apply new techniques and methods for high-level aggregation and summarization of near real-time information on software development. In this paper, we outline three use cases where our platform is expected to have a significant impact on the quality and speed of decision making; dependency management, productivity analytics, and run-time error feedback.

Präzi: from package-based to call-based dependency networks

et al. 2022

Modern programming languages such as Java, JavaScript, and Rust encourage software reuse by hosting diverse and fast-growing repositories of highly interdependent packages (i.e., reusable libraries) for their users. The standard way to study the interdependence between software packages is to infer a package dependency network by parsing manifest data. Such networks help answer questions such as "How many packages have dependencies to packages with known security issues?" or "What are the most used packages?". However, an overlooked aspect in existing studies is that manifest-inferred relationships do not necessarily examine the actual usage of these dependencies in source code. To better model dependencies between packages, we developed PR ÄZI, an approach combining manifests and call graphs of packages. PR ÄZI constructs a dependency network at the more finegrained function-level, instead of at the manifest level. This paper discusses a prototypical PR ÄZI implementation for the popular system programming language Rust. We use PR ÄZI to characterize Rust's package repository, CRATES.IO, at the function level and perform a comparative study with metadata-based networks. Our results show that metadata-based networks generalize how packages use their dependencies. Using PR ÄZI, we find packages call only 40% of their resolved dependencies, and that manual analysis of 34 cases reveals that not all packages use a dependency the same way. We argue that researchers and practitioners interested in understanding how developers or programs use dependencies should account for its context-not the sum of all resolved dependencies.

Can we trust tests to automate dependency updates? A case study of Java Projects

Journal of Systems and Software

Gousios

2022