FASTEN Intelligent Package Management is an H2020 project funded by the European Commission. It was presented at Paris Open Source Summit in December 2019.

1. Fine-Grained Analysis of Software Ecosystems as Networks
The FASTEN project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 825328.
FASTEN:
Intelligent Package Management
Giasemi Seisa

2. Dec 10, 2019 22019
1. Risks on using Open Source Software (OSS)1. Risks on using Open Source Software (OSS)
2. Ecosystem Failures2. Ecosystem Failures
3. FASTEN project3. FASTEN project
3.1 Introduction3.1 Introduction
3.2 Integration into package management tools3.2 Integration into package management tools
3.3 Build your project!3.3 Build your project!

3. Dec 10, 2019 32019
Risks on using Open
Source Software
Anyone who uses the internet benefits
from the existence of OSS
Why?
→ Data are open and accessible by
anyone
What is the risk of using OSS?

4. Dec 10, 2019 42019
Risks on using Open
Source Software How the risk is created:
By the use of OSS libraries. Why?
Programs and libraries can have
dependencies on other libraries and those
dependencies co-evolve without centralized
coordination.
Increasingly, libraries are being used as
building blocks for creating other libraries.

5. Dec 10, 2019 52019
Risks on using Open Source Software

6. Dec 10, 2019 62019
Risks on using Open Source Software

7. Dec 10, 2019 72019
Risks on using OSS
Including arbitrary code from an online repository can introduce:
Trust issues
Does the code perform the expected functionality? How can I trust code I download from the Internet
with my valuable data?
Security issues
How can developers ensure the imported code contains no security holes? How can we know when a
security issue discovered in a transitive dependency requires an update?
The observability problem:
How can I know that one of my dependencies is outdated?
The update problem:
How can I check if an updated dependency breaks my code?

8. Dec 10, 2019 82019
Risks on using OSS (2)
Including arbitrary code from an online repository can introduce:
Compliance implications
How do I know that I am not violating anyone’s copyrights or that I am not linking against code featuring
incompatible licenses?
Creates challenges to library maintainers:
●
How can I assess the (direct or transitive) impact of my changes? How can I deprecate features
(e.g., remove functionality) without knowing who is using them?
●
Why should I use my (free!) time to maintain a library that large corporations depend upon?
●
How can I spot instances of my code being distributed without permission?

9. Dec 10, 2019 92019
Ecosystem Failures
The left-pad incident
The left-pad library was removed from NPM ecosystem
Outcome: Thousands of libraries which directly or transitively
depended on left-pad collapsed. Thousands of the most popular
Javascript libraries (e.g., babel, and React), used by millions of
web sites, stopped working.
Even after the left-pad incident, a study estimated that
libraries exist whose removal can affect more that 30% of the
core components of the network.

10. Dec 10, 2019 102019
Ecosystem Failures
Equifax data breach
A company named Equifax leaked over 100.000 credit card
records due to a dependency that was not updated.
A vulnerable version of the Apache Struts library was used,
whose update was postponed as the Equifax security team
erroneously underestimated the impact of the bug on their
codebase.
The breach has costed Equifax an unprecedented $4 billion.

11. Dec 10, 2019 112019
Risks overview
The dream of code reuse is a reality, but this reality is not
without problems.
Package users need to invest significant resources into
shielding themselves from software security, legal compliance
and source code incompatibility issues.
On the other hand, package providers have no reasonable
means of evolving their offerings in an systematic way, which
leads to incompatibility problems with upstream projects.

12. Dec 10, 2019 122019
FASTEN

13. Dec 10, 2019 132019
The FASTEN Project
➢
A European Union’s H2020 research and innovation programme led by TU Delft
➢
Team:
●
Technische Universiteit Delt (TUDelft)
●
Athens University of Economics and Business (AUEB)
●
Universita degli Studi di Milano
●
Endocode AG
●
OW2
●
Software Improvement Group B.V. (SIG)
●
XWIKI SAS

14. Dec 10, 2019 142019
The FASTEN Project
Our goal is to make software ecosystems more robust by making package managementOur goal is to make software ecosystems more robust by making package management
more intelligentmore intelligent

15. Dec 10, 2019 152019
The FASTEN Project
HOW?
Creation of an ecosystem-wide Fine-Grained Call Graph (FGCG), at the function levelCreation of an ecosystem-wide Fine-Grained Call Graph (FGCG), at the function level

16. Dec 10, 2019 162019
The FASTEN Project
1. Current status

17. Dec 10, 2019 172019
The FASTEN Project
1. Current status
2. Fine-Grained
Call Graph (FGCG)

18. Dec 10, 2019 182019
Promises of Call-based
Dependency Networks
Fully precise usage analysis
Does this vulnerability affect my code?
Am I linking to GPL code?
Fully precise impact analysis
How many clients will I break if I change
this?
Can I safely update?

19. Dec 10, 2019 192019
The FASTEN Project

20. Dec 10, 2019 202019
Example of FASTEN workflow

21. Dec 10, 2019 212019
Example of FASTEN workflow

22. Dec 10, 2019 222019
Example of FASTEN workflow

23. Dec 10, 2019 232019
Example of FASTEN workflow
Deciding to use a library

24. Dec 10, 2019 242019
Example of FASTEN workflow
Deciding to use a library

25. Dec 10, 2019 252019
Example of FASTEN workflow
Maintaining a library

26. Dec 10, 2019 262019
Example of FASTEN workflow
Maintaining a library

27. Dec 10, 2019 272019
Example of FASTEN workflow
Maintaining a library

28. Dec 10, 2019 282019
Example of FASTEN workflow
Maintaining a library

29. Dec 10, 2019 292019
Example of FASTEN workflow
Maintaining a library

30. Dec 10, 2019 302019
●
By using a package management tool you connect to the FASTEN knowledge base:
➢
Static call graph generation – dependency network
➢
Fasten analysis [security,compliance, quality and risk]
➢
Risk overview of the application
Build your project!

31. Dec 10, 2019 312019
Risk Analyzer:
●
Evaluation of application-level risk regarding:
1. The claimed dependencies by the application and
2. The detected transitive dependencies
●
Evaluation of the actual usage of the libraries
→ Reports risk profile (about security, code quality, library freshness, etc.)
●
Continuous risk evaluation on the library dependencies of an application
→ Fasten analysis [security, quality and risk]

32. Dec 10, 2019 322019
Detection of License Compliance:
●
License metadata:
– License information, copyrights etc.
– License obligations
→ e.g. requirement to provide the corresponding source code or
that the outgoing software has to be non profitable
●
License compliance:
– Through internal statements and rules we can conclude to license compliance
→ Reports risk profile
→ Fasten analysis [license compliance]

33. Dec 10, 2019 332019
https://www.fasten-project.eu
Contributors:
https://twitter.com/fastenproject
https://github.com/fasten-project

34. Dec 10, 2019 342019
The FASTEN project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 825328.
The opinions expressed in this document reflects only the author`s view and in no way reflect the European Commission’s opinions. The European
Commission is not responsible for any use that may be made of the information it contains.