Can we trust tests to automate dependency updates? A case study of Java Projects

Hejderup, Joseph; Gousios, Georgios

doi:10.1016/j.jss.2021.111097

Cited by 16 publications

(3 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, as the number of dependencies in a project increases, so does the complexity of managing and maintaining them, and ensuring the security and stability of software systems becomes challenging [27]. Researchers have proposed different approaches to prevent dependency conflicts and reduce the potential for errors when automatically downloading and installing dependencies [28,29]. However, automated dependency updates can still lead to build failures, and developers have been found to use dependency downgrades to react to or prevent these issues [30].…”

Section: Package Dependency Ecosystemsmentioning

confidence: 99%

Who makes open source code? The hybridisation of commercial and open source practices

Mehler,

Otto,

Sapienza

2024

EPJ Data Sci.

View full text Add to dashboard Cite

While Free and Open Source (F/OSS) coding has traditionally been described as a separate commons linked to values of openness and sharing, recent research suggests an increasing integration of private corporations into F/OSS practices, blurring the boundaries between F/OSS and commodified coding. However, there is a dearth of empirical, and especially quantitative studies exploring this phenomenon. To address this gap, we model the power dynamics and infrastructural aspects of software production within GitHub, a central hub for F/OSS development, using a large-scale, directed network. Using various network statistics, we detect the ecosystem’s most impactful actors and find a nuanced picture of the influence of individuals, open source organizations, and private corporations in F/OSS practices. We find that the majority of public repositories on GitHub depend on a small core of specialized repositories and users. In accordance with expectations, individuals and open source organizations are more prevalent in this core of elite GitHub users, however, we also find a significant amount of private organizations with an indirect, yet consistent influence within GitHub. In addition, we find that directly influential individuals tend to facilitate sponsorship methods more often than indirectly or non-influential individuals. Our research highlights a hybridization of F/OSS and sheds light on the complex interplay between influence, power, and code production in the multi-language dependency ecosystem of GitHub.

show abstract

Section: Package Dependency Ecosystemsmentioning

confidence: 99%

Who makes open source code? The hybridisation of commercial and open source practices

Mehler,

Otto,

Sapienza

2024

EPJ Data Sci.

View full text Add to dashboard Cite

show abstract

“…As an added cost-cutting measure, it is important to prioritize paths with the expectation that the majority of errors will be found in the preliminary phases of the process, and to identify appropriate paths and test data from among the many possible options. Path testing is a very useful technique for finding bugs in software components [25], [26].…”

Section: Related Workmentioning

confidence: 99%

Enhanced Multi-Verse Optimizer (TMVO) and Applying it in Test Data Generation for Path Testing

Ryalat¹,

Fakhouri²,

Zraqou³

et al. 2023

IJACSA

View full text Add to dashboard Cite

Data testing is a vital part of the software development process, and there are various approaches available to improve the exploration of all possible software code paths. This study introduces two contributions. Firstly, an improved version of the Multi-verse Optimizer called Testing Multi-Verse Optimizer (TMVO) is proposed, which takes into account the movement of the swarm and the mean of the two best solutions in the universe. The particles move towards the optimal solution by using a mean-based algorithm model, which guarantees efficient exploration and exploitation. Secondly, TMVO is applied to automatically develop test cases for structural data testing, particularly path testing. Instead of automating the entire testing process, the focus is on centralizing automated procedures for collecting testing data. Automation for generating testing data is becoming increasingly popular due to the high cost of manual data generation. To evaluate the effectiveness of TMVO, it was tested on various well-known functions as well as five programs that presented unique challenges in testing. The test results indicated that TMVO performed better than the original MVO algorithm on the majority of the tested functions.

show abstract

“…In recent years, researchers have been studied the potential impact of security vulnerabilities in evolving software ecosystems. One of the earliest works is the master thesis of Hejderup [20]. By considering 19 NPM packages, he studied how many dependent packages are infected by a vulnerability and how long it takes to release a fix after the publication of a security bug.…”

Section: Impact Of Vulnerabilities On Software Ecosystemsmentioning

confidence: 99%

On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem

Mir

Keshani

Proksch

2023

2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

Reusing software libraries is a pillar of modern software engineering. In 2022, the average Java application depends on 40 third-party libraries. Relying on such libraries exposes a project to potential vulnerabilities and may put an application and its users at risk. Unfortunately, research on software ecosystems has shown that the number of projects that are affected by such vulnerabilities is rising. Previous investigations usually reason about dependencies on the dependency level, but we believe that this highly inflates the actual number of affected projects. In this work, we study the effect of transitivity and granularity on vulnerability propagation in the Maven ecosystem. In our research methodology, we gather a large dataset of 3M recent Maven packages. We obtain the full transitive set of dependencies for this dataset, construct wholeprogram call graphs, and perform reachability analysis. This approach allows us to identify Maven packages that are actually affected by using vulnerable dependencies. Our empirical results show that: (1) about 1/3 of packages in our dataset are identified as vulnerable if and only if all the transitive dependencies are considered. (2) less than 1% of packages have a reachable call path to vulnerable code in their dependencies, which is far lower than that of a naive dependency-based analysis. (3) limiting the depth of the resolved dependency tree might be a useful technique to reduce computation time for expensive fine-grained (vulnerability) analysis. We discuss the implications of our work and provide actionable insights for researchers and practitioners.

show abstract

Can we trust tests to automate dependency updates? A case study of Java Projects

Cited by 16 publications

References 16 publications

Who makes open source code? The hybridisation of commercial and open source practices

Who makes open source code? The hybridisation of commercial and open source practices

Enhanced Multi-Verse Optimizer (TMVO) and Applying it in Test Data Generation for Path Testing

On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem

Contact Info

Product

Resources

About