Presentation by Amir Mir, TUDelft. As recent events, such as the leftpad incident and the Equifax data breach, have demonstrated, dependencies on networks of external libraries can introduce projects to significant operational and compliance risks as well as difficult to assess security implications. FASTEN introduces fine-grained, method-level, tracking of dependencies on top of existing dependency management networks. In our talk, we will present how FASTEN works on top of the Rust/Cargo and Java/Maven ecosystems.

1. FASTEN
Intelligent Software Package Management
Amir Mir
s.a.m.mir@tudelft.nl
OW2Con, June 2020

2. Content
● Open Source Software (OSS)
● Package Management
● Package Dependency Networks (PDNs)
○ Issues with PDNs
○ Existing Solutions
○ The Root Cause
● The FASTEN Project
○ Solution
○ The FASTEN Architecture
○ The Metadata Database
○ Current State
○ Examples of FASTEN Workflow

3. Open Source Software (OSS)
● Allows to reuse code to reduce development and maintenance costs
● Hosted on centralized repositories (Maven, PyPI, ....)
● Made the dream of collaborative development feasible

4. Package Management
● Open-source libraries as a building block for creating new software
● Package managers resolve dependencies and download required libraries

5. Package Management

6. Package Dependency Networks (PDNs)
● Packages versions and their dependencies from huge and complex dependency
networks
● Version constraints make these networks more complicated

7. Recent Failures with PDNs
● Leftpad in 2016

8. Recent Failures with PDNs
● In 2017, affected 147 millions of people

9. Issues with PDNs
From a developer’s perspective
● The observability problem
● The update problem
● The compliance problem
● The trust problem
From a maintainer’s perspective
● The update problem
● The deprecation problem
● The unlawful use problem
● The lack of incentive problem

10. Existing Solutions to the Issues of PDNs
● Services like GitHub, Dependabot
● Problems:
○ No support for assessing updates
○ No help with impact assessment
○ False positives

11. The Root Cause of the Issues of PDNs
Current Solutions
Call Dependency
Networks (CDNs)

12. The FASTEN Project
● Fine-Grained Analysis of Software Ecosystems as Network
● Aims at solving the issues of PDNs by making package management robust and
intelligent
● A centralized service to host the graphs and serve the analyses
● Consortium:

13. The FASTEN Solution
● More precise license compliance
○ Am I linking to GPL code?
● More precise risk profiling
○ Does this vulnerability affect my package?
● More precise change impact analysis
○ How many packages will I break if I change this function?
○ Can I safely update the dependencies of my package?
● Integration with package managers

14. Overview of the FASTEN Architecture
Data streams
Package repositories
Vulnerability information
FASTEN server
Call graph generators
Analysis layer
Security Change impact
Compliance Quality and Risk
Storage layer
RESTAPIWebUI
Continuous
Integration
servers

15. The Metadata Database

16. Current Status of the Project
● Alpha version of the project in May
● Generated 1.2M Java call graphs
● Generated 80K Rust call graphs
● Generating call graphs for Debian packages
● Deployment of the FASTEN server on Kubernetes clusters
● Initial implementation of the storage layer
○ The metadata database
○ Graph database

17. Examples of FASTEN Workflow
Updating with confidence
Before FASTEN After FASTEN

18. Examples of FASTEN Workflow
Deciding to use a library
Before FASTEN After FASTEN

19. https://www.fasten-project.eu/
https://github.com/fasten-project
https://twitter.com/fastenproject

20. The FASTEN project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 825328.