A comprehensive study of bloated dependencies in the Maven ecosystem

Soto-Valero, César; Harrand, Nicolas; Monperrus, Martin; Baudry, Benoît

doi:10.1007/s10664-020-09914-8

Cited by 64 publications

(27 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While this DSL-first workflow has yielded impressive results, the DSL itself is also a single point of failure. A key challenge for designing any DSL is determining its scope: a good DSL should make it easy to construct programs for the domain, without bloating the language with redundant concepts [27][28][29]. For systems that seek to understand human natural language, extensive effort is often necessary to ensure that the DSL aligns reasonably to human instructions [30,31].…”

Section: Communication Using Natural and Computer Programsmentioning

confidence: 99%

Communicating Natural Programs to Humans and Machines

Acquaviva¹,

Pu²,

Kryven³

et al. 2021

Preprint

View full text Add to dashboard Cite

The Abstraction and Reasoning Corpus (ARC) is a set of tasks that tests an agent's ability to flexibly solve novel problems. While most ARC tasks are easy for humans, they are challenging for state-of-the-art AI. How do we build intelligent systems that can generalize to novel situations and understand human instructions in domains such as ARC? We posit that the answer may be found by studying how humans communicate to each other in solving these tasks. We present LARC, the Language-annotated ARC: a collection of natural language descriptions by a group of human participants, unfamiliar both with ARC and with each other, who instruct each other on how to solve ARC tasks. LARC contains successful instructions for 88% of the ARC tasks. We analyze the collected instructions as 'natural programs', finding that most natural program concepts have analogies in typical computer programs. However, unlike how one precisely programs a computer, we find that humans both anticipate and exploit ambiguities to communicate effectively. We demonstrate that a state-of-the-art program synthesis technique, which leverages the additional language annotations, outperforms its language-free counterpart. * and † denote equal contributions Preprint. Under review.

show abstract

Section: Communication Using Natural and Computer Programsmentioning

confidence: 99%

Communicating Natural Programs to Humans and Machines

Acquaviva¹,

Pu²,

Kryven³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Many other configuration options enable and fine-tune additional ProGuard features, (such as, field or method removal, obfuscation, method inlining, class merging). DepClean [1] identifies and removes bloated dependencies that are part of the dependency tree of the project under analysis, but whose code is not used (neither directly nor indirectly) by the application. Differently from Maven Shade and ProGuard, the focus of DepClean is not to produce a compact Java archive for use at runtime, but rather to simplify the dependency tree at development time.…”

Section: Debloating Toolsmentioning

confidence: 99%

“…The effect of software reuse on security is investigated by Gkortzis et al in [2], who show empirical evidence of the relation between the size of a code base and its likelihood to contain some vulnerabilities. Recently, Soto-Valero et al conducted a large-scale study to assess the prevalence of bloated dependencies in the Maven ecosystem [1]. In the same paper, they presented DepClean, one of the tools we used in our case study.…”

Section: Related Workmentioning

confidence: 99%

“…Automated package management tools allow developers to find and integrate third-party components in their projects with minimal effort. While automated dependency management simplifies software reuse, it may contribute to the phenomenon of software bloat [1]. As Gkortzis et al put it "code reuse cuts both ways", since "a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface via exploitable dependencies" [2].…”

Section: Introductionmentioning

confidence: 99%

“…In practice, only a fraction of the functionality (and code) of a dependency may actually be needed, and entire components could be redundant. Even if some dependency code is not reachable when included in a given application (and thus it can be considered dead code in that context), it can still contribute to extending the attack surface of that application, e.g., because it includes gadget classes leading to deserialization vulnerabilities 1 .…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application

Ponta¹,

Fischer²,

Plate³

et al. 2021

Preprint

View full text Add to dashboard Cite

Software reuse may result in software bloat when significant portions of application dependencies are effectively unused. Several tools exist to remove unused (byte)code from an application or its dependencies, thus producing smaller artifacts and, potentially, reducing the overall attack surface. In this paper we evaluate the ability of three debloating tools to distinguish which dependency classes are necessary for an application to function correctly from those that could be safely removed. To do so, we conduct a case study on a real-world commercial Java application.Our study shows that the tools we used were able to correctly identify a considerable amount of redundant code, which could be removed without altering the results of the existing application tests. One of the redundant classes turned out to be (formerly) vulnerable, confirming that this technique has the potential to be applied for hardening purposes. However, by manually reviewing the results of our experiments, we observed that none of the tools can handle a widely used default mechanism for dynamic class loading.

show abstract