This presentation was given by Paolo Boldi, Milano University, online.
Abstract: The goal of the EU project FASTEN is being able to perform a more sophisticated analysis of security-vulnerability propagation, licensing compliance, and dependency risk profiles (among others) by relying on the call-level dependency network of the whole software ecosystem. We outline the purpose and structure of the project, and present some preliminary results.
"A re-usable Ansible role to deploy projects".
Ansible is a provisioning tool rapidly growing in popularity, mainly due to its simplicity. But it’s capable of more than just provisioning! In this talk, I’ll walk you through an Ansible role that can be used to deploy your projects. Those familiar with Capistrano will recognize the method, but I’ll explain it step by step and in the end I’ll show a real-world example from a Symfony2 project: the SweetlakePHP website. (This talk assumes some knowledge of how Ansible works.)
The Yocto Project is a collaborative open source project that provides prototypes, tools and methods that let you create personalized Linux-based systems for embedded products, independent of the hardware architecture. The project was born in 2010 as a partnership of many different hardware manufacturers, open-source operating system providers and electronics companies, to bring some order to the chaos that was embedded Linux development. Why use the Yocto Project? Because it is a complete development environment for embedded Linux, with tools, metadata and documentation: everything one needs. The free-of-charge tools that Yocto makes available are powerful and easy to use (they include emulation environments, debuggers, a toolkit for generating applications, and more), and they let you create and continue projects without losing the optimizations and investments made in the prototyping phase. The Yocto Project supports the adoption of this technology by the open-source community, letting users concentrate on the characteristics and development of their product.
Open Source, Sourceforge Projects, & Apache Foundation, by Mohammad Kotb
This presentation was made by my group in our Computer and Increasing Productivity Course in 2nd term - 1st year - Computer and Systems Engineering Department - Faculty of Engineering - Alexandria University...
GOST TEAM
The goal of the EU project FASTEN is being able to perform a more sophisticated analysis of security-vulnerability propagation, licensing compliance, and dependency risk profiles (among others) by relying on the call-level dependency network of the whole software ecosystem. We outline the purpose and structure of the project, and present some preliminary results.
A popular form of software reuse involves linking open source software (OSS) libraries hosted on centralized code repositories, such as Maven or PyPI. The size of such repositories keeps increasing at an astonishing speed, and the network of dependencies among the libraries they host is only a very crude way to reflect the real impact of those dependencies, especially where bugs and vulnerabilities are concerned. It is becoming more and more urgent to develop techniques that analyze dependencies at a finer level (i.e., at call level). This is precisely the goal of the EU project FASTEN. The purpose is to be able to perform a more sophisticated analysis of security-vulnerability propagation, licensing compliance, and dependency risk profiles (among others) by relying on the call-level dependency network of the whole software ecosystem.
Alfresco DevCon 2018: SDK 3 Multi Module project using Nexus 3 for releases a..., by Martin Bergljung
In this talk you will learn how to set up an Alfresco SDK 3.0 multi module project that could be used in a larger consulting project context. Extension modules will be standalone and versioned and released independently in the Nexus 3 Repository Manager. The talk also includes a look at defining a Parent POM and an Aggregator POM for your SDK 3 project solution.
SenchaCon 2016: Building Enterprise Ext JS Apps with Mavenized Sencha Cmd - F..., by Sencha
In this session, we'll show you how CoreMedia's Maven plugin offers the deepest integration of Sencha Cmd into your Maven build process available today and takes modular Ext JS development to the next level.
Introduction to building Flex and AIR applications with Maven through the open source Flexmojos plugin.
All source available: https://github.com/justinjmoses/flexmojos-introduction
Conda is a cross-platform package manager that lets you quickly and easily build environments containing complicated software stacks. It was built to manage the NumPy stack in Python but can be used to manage any complex software dependencies.
A soup to nuts presentation on using Composer and repository servers to manage and leverage shared code libraries for personal projects to the largest enterprise.
Digital Fabrication Studio.02 _Information @ Aalto Media Factory, by Massimo Menichinelli
DIGITAL FABRICATION STUDIO (25438)
The course provides a general understanding on how to design and manufacture products and prototypes in a Fab Lab, using digital fabrication technologies and understanding their features and limits.
Students will learn how information shapes design, manufacturing and collaboration processes and artifacts in a Fab Lab. They will learn how to digitally fabricate a project or how to digitally modify an existing project; students will also learn how to manage, embed and retrieve information about a project. Projects and prototypes developed and manufactured in this course will not be interactive.
The course consists of lectures and a group project to be digitally fabricated, be it a project already designed but not yet realized or be it the modification of an existing project. Every lecture (3 hours) includes time for testing the technologies covered (1 hour) and for developing part of the group project and for receiving feedback about it (1 hour).
http://mlab.taik.fi/studies/courses/course?id=1963
Software dependencies can be viewed as graphs that only get bigger as software evolves. This leads to multiple challenging situations related to security, quality, licensing and more. Today's tools are great, but more accurate tools such as FASTEN are under development. Join me to learn how current dependency management tools are evolving to cope with the growing complexity of software development. Discover the presentation by Antoine Mottier, OW2 CTO.
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ... (Fasten Project)
The FASTEN project wants to support DevOps teams and help developers track, manage and master dependencies. FASTEN’s goal is to develop a toolchain that provisions and collects project information, security alerts, and repositories from well-known and widely used services. It merges this information into a data stream, performs analysis, stores it, and, consequently, builds a call graph for each analyzed project. The gathered information is made available through a REST API and Web UI, and the toolchain performs continuous integration to provide developers with updated and sanitized versions of their dependencies. One part of this toolchain will be an Open Source license analysis. This analysis should perform a verification and compatibility check on licenses used in Open Source projects, facilitate development from a user perspective, and create industry-relevant information on license infringements. This functionality shall be presented in this talk.
FASTEN has received funding from the European Union's Horizon 2020 research and innovation programme. It is carried out by a Consortium composed of AUEB, TUDelft, University of Milan-Bicocca, Endocode, OW2, SIG, and XWIKI.
FASTEN user experience from a software vendor perspective: The future of ext..., by Fasten Project
After a quick introduction of the XWiki project, this presentation explains the benefits that XWiki expects to derive from FASTEN through three use cases and showcases how its Extension Manager has been improved to integrate FASTEN.
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ..., by Fasten Project
The Eclipse SW360 project provides a server application for the management of used software components in an organization. The catalogue can then be used to create Software Bill-of-Materials (SBOM) for products and projects. SBOM management is essential for a number of important aspects when delivering products: for understanding if vulnerabilities are relevant, for reviewing the licensing situation, for covering trade compliance and last but not least for the generation of compliance documentation.
SW360 itself focuses only on SBOM management and the support of the approval processes; it does not scan for licenses or for dependencies. For these tasks, integration with other OSS tools is provided, for example FOSSology for license scanning. To automate SBOM management, SW360 provides a REST API which allows CI infrastructure to call SW360 directly for checks, downloads or uploads. SW360 is a project hosted by the Eclipse Foundation and licensed under the EPL-2.0; thus it is available to everyone as Open Source software.
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v..., by Fasten Project
The final goal of the FASTEN project is to be able to perform a more sophisticated analysis of security-vulnerability propagation, licensing compliance, and dependency risk profiles by relying on the call-level dependency network of the whole software ecosystem. In this talk, we will present some first results of the project and demonstrate how FASTEN works on top of the Java/Maven ecosystem.
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua..., by Fasten Project
This presentation looks at the market background that determines the adoption rate of the FASTEN technology. It provides key figures, useful for everyone to have in mind, illustrating the growth of FASTEN’s market and its drivers, and looks at the competitive environment.
Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi..., by Fasten Project
FASTEN was presented in the Devroom on Dependency Management at FOSDEM 2021. Presentation Abstract: The goal of the EU project FASTEN is being able to perform a more sophisticated analysis of security-vulnerability propagation, licensing compliance, and dependency risk profiles (among others) by relying on the call-level dependency network of the whole software ecosystem. We outline the purpose and structure of the project, and present some preliminary results.
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ..., by Fasten Project
This talk, "There's no sustainability problem in FOSS, Except that there is", was presented by Carol Smith, Senior Program Manager in the Open Source Programs Office, Microsoft, and Duane O'Brien, Head of Open Source at Indeed.com, at FOSDEM 2020 in the Devroom Session "Dependency Management".
FOSDEM 2020 Presentation: Comparing dependency management issues across packa..., by Fasten Project
This talk "Comparing dependency management issues across packaging ecosystems" was presented by Tom Mens, from Software Engineering Lab, University of Mons, Belgium, at FOSDEM 2020 during the Devroom Session "Dependency Management".
This talk, "Precise, cross-project code navigation at GitHub scale", was presented at FOSDEM 2020 by Douglas Creager, Manager of the Semantic Code team at GitHub, in the Devroom Session "Dependency Management".
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019 (Fasten Project)
FASTEN Intelligent Package Management is an H2020 project funded by the European Commission. It was presented at Paris Open Source Summit in December 2019.
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre..., by Fasten Project
Software engineers reuse code to reduce development and maintenance costs, but how safe is it to use open source software (OSS)? By using OSS and depending on external libraries, they can introduce significant operational and compliance risk to their projects, as well as security implications that are difficult to assess. The aim of the FASTEN project (a European Union H2020 research and innovation programme led by TU Delft) is to address this situation by developing an intelligent software package management system that will enhance robustness and security in software ecosystems. Our team at Endocode AG is part of the FASTEN project with our FOSS toolchain Quartermaster, which checks software for license compliance.
Fasten Industry Meeting with GitHub about Dependency Management, by Fasten Project
Georgios Gousios, Professor at the TU Delft Software Engineering Research Group and FASTEN Project and Scientific Coordinator, offered this Dependency Management synthesis to 30 GitHub professionals, incl. remote attendees, on April 17, 2019, before discussing potential collaborations. More: https://www.fasten-project.eu/view/Events/
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor..., by SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Pushing the limits of ePRTC: 100ns holdover for 100 days, by Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
UiPath Test Automation using UiPath Test Suite series, part 5, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series, part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Communications Mining Series - Zero to Hero - Session 1, by DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance, and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
How to Get CNIC Information System with Paksim Ga.pptx, by danishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024, by Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo..., by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Securing your Kubernetes cluster: a step-by-step guide to success!, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024, by Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
7-10. Sharing through software libraries
❖ One form of sharing is providing libraries
❖ Today, libraries are made available on the Internet
❖ on repositories (SourceForge, GitHub, BitBucket, …)
❖ or forges (Maven, PyPi, CPAN, …)
❖ The Internet made the dream of collaborative development a reality
12. Industrial revolution at the harbour of software development
❖ All trades, arts, and handiworks have gained by division of labour, namely, when, instead of one man doing everything, each confines himself to a certain kind of work distinct from others in the treatment it requires, so as to be able to perform it with greater facility and in the greatest perfection. Where the different kinds of work are not distinguished and divided, where everyone is a jack-of-all-trades, there manufactures remain still in the greatest barbarism.
Immanuel Kant, Groundwork for the Metaphysics of Morals (1785)
24-25. Dependency graphs
❖ Library+versions and their dependencies form (complex, huge) dependency networks
❖ Version constraints make these networks more complicated than simple graphs
❖ Package manager will finally determine which version is chosen for each library
32. Recent dependency nightmares
❖ The leftpad incident (2016): millions of websites affected
❖ The Equifax breach (2017): cost 4B$
33-35. Epidemics in dependency graphs
[Figure: library-level dependency graph with nodes Lib A, vers 1.0; Lib B, vers 2.5; Lib C, vers 1.5; Lib D, vers 3.0]
A vulnerability alert is issued about Lib D, vers 3.0
All libraries in this graph are infected!
40-42. Epidemics in dependency graphs
[Figure: call-level graph with nodes A.f0, A.f2, A.f3, B.f1, B.f2, B.f3, C.f1, C.f2, D.f1, D.f2, D.f3]
A vulnerability alert is issued about Lib D, vers 3.0, function f3
Much more informative!
44-47. Examples
❖ Fully precise change impact analysis: “How many libraries are affected if I remove/modify a certain method/interface?”
❖ Fully precise license compliance: “Is my library compliant with the licenses of the libraries that I depend on (directly or indirectly)? (e.g., am I linking any GPL code?)”
❖ Fully precise risk profiling: “Does this vulnerability affect my code?”
❖ Centrality analysis: “What methods/functions are more central within a given ecosystem? Are there bottlenecks? Critical points?”
51-59. The FASTEN toolchain
[Figure, built up over slides 51-59: Project information, Security alerts and Repositories each publish into a Data stream read by the FASTEN server; behind the server sit Call-graph construction, the Storage layer and the Analysis layer; results are exposed through a REST API and a Web UI, consumed by a Continuous integration server and by the Developer]
63-64. Universal function identifiers
How to uniquely reference a function in a global namespace?
fasten://                                  scheme
/mvn                                       forge
/org.slf4j.slf4j-api                       artifact
/1.2.3                                     version
/org.slf4j.helpers                         namespace
/BasicMarkerFactory.getDetachedMarker      function
(%2Fjava.lang%2FString)                    argument(s)
%2Forg.slf4j%2FMarker                      return type
Generic format + Java, Python, C
Done
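A parser and formatter for the identifier shape laid out on this slide, added here as an illustration and not code from the FASTEN project. It assumes the labelled parts join with single slashes and that a '/' inside a type name is percent-encoded, as the %2F in the example suggests; the project's current URI syntax may differ.

```python
import re
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import quote, unquote

# Identifier shape as laid out on the slide: assumed here to join the labelled
# parts with single slashes (the project's current syntax may differ).
SCHEME = "fasten://"
EXAMPLE = (SCHEME + "mvn/org.slf4j.slf4j-api/1.2.3/org.slf4j.helpers/"
           "BasicMarkerFactory.getDetachedMarker(%2Fjava.lang%2FString)%2Forg.slf4j%2FMarker")
_SIGNATURE = re.compile(r"^(?P<function>[^(]+)\((?P<args>[^)]*)\)(?P<ret>.*)$")

@dataclass(frozen=True)
class FastenUri:
    forge: str
    artifact: str
    version: str
    namespace: str
    function: str
    arguments: Tuple[str, ...]
    return_type: str

    def callable_key(self) -> str:
        """Version-independent key: the same callable across releases of one artifact."""
        return (f"{self.forge}/{self.artifact}/{self.namespace}/{self.function}"
                f"({','.join(self.arguments)}){self.return_type}")

def parse_fasten_uri(uri: str) -> FastenUri:
    if not uri.startswith(SCHEME):
        raise ValueError(f"not a fasten URI: {uri!r}")
    # Slashes inside type names are %2F-encoded, so the fifth component is the
    # whole function part and a plain split on '/' cannot cut a type in half.
    parts = uri[len(SCHEME):].split("/", 4)
    if len(parts) != 5:
        raise ValueError(f"expected forge/artifact/version/namespace/function: {uri!r}")
    forge, artifact, version, namespace, func_part = parts
    m = _SIGNATURE.match(func_part)
    if m is None:
        raise ValueError(f"malformed function part: {func_part!r}")
    args = tuple(unquote(a) for a in m["args"].split(",") if a)
    return FastenUri(forge, artifact, version, namespace, m["function"], args, unquote(m["ret"]))

def format_fasten_uri(u: FastenUri) -> str:
    """Inverse of parse_fasten_uri: re-encode '/' in type names so the path stays parseable."""
    args = ",".join(quote(a, safe="") for a in u.arguments)
    return (f"{SCHEME}{u.forge}/{u.artifact}/{u.version}/{u.namespace}/"
            f"{u.function}({args}){quote(u.return_type, safe='')}")
```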
71-75. Call graph stitching
How to scale call graph processing to 10^6 package versions?
❖ Idea: Decouple package resolution from call graph generation
❖ Build and store call graphs per package version, incl.:
  ❖ unresolved calls
  ❖ class hierarchies (Java, Python)
❖ Call graph stitching: Resolve unresolved calls given a dependency tree
In progress
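An added example, not FASTEN code, that ties the stitching idea on slides 71-75 to the epidemics slides 33-42: per-package call graphs with unresolved calls are stitched using a resolved dependency tree, and a vulnerability alert is then propagated at callable level versus package level. The library names, call edges and resolved versions are constructed; the actual edges of the slide figures are not on the page.

```python
from collections import defaultdict, deque

# Constructed example records, not FASTEN's own data. Each package version stores its
# internal call edges plus unresolved calls naming only dependency package and callable.
CALL_GRAPHS = {
    ("A", "1.0"): {"edges": [("f0", "f2"), ("f2", "f3")],
                   "unresolved": [("f3", "B", "f1"), ("f0", "C", "f2")]},
    ("B", "2.5"): {"edges": [("f1", "f2"), ("f2", "f3")], "unresolved": [("f3", "D", "f1")]},
    ("C", "1.5"): {"edges": [("f1", "f2")], "unresolved": [("f1", "D", "f3")]},
    ("D", "3.0"): {"edges": [("f1", "f2")], "unresolved": []},
}
# Dependency tree: the version the package manager finally picked per library.
RESOLVED = {"A": "1.0", "B": "2.5", "C": "1.5", "D": "3.0"}

def stitch(call_graphs, resolved):
    """Join per-package graphs into one ecosystem call graph; nodes are (pkg, ver, callable)."""
    edges = defaultdict(set)
    for (pkg, ver), g in call_graphs.items():
        for src, dst in g["edges"]:
            edges[(pkg, ver, src)].add((pkg, ver, dst))
        for src, dep, func in g["unresolved"]:
            if dep in resolved:  # a call into a dependency missing from the tree stays dangling
                edges[(pkg, ver, src)].add((dep, resolved[dep], func))
    return edges

def reverse_reach(edges, target):
    """Every node that can reach `target`: itself, its callers, their callers, ..."""
    callers = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            callers[dst].add(src)
    seen, queue = {target}, deque([target])
    while queue:
        for caller in callers.get(queue.popleft(), ()):
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen

def affected_callables(call_graphs, resolved, vulnerable):
    """Callable level: only code that actually reaches the vulnerable function."""
    return reverse_reach(stitch(call_graphs, resolved), vulnerable)

def affected_packages(call_graphs, vulnerable_pkg):
    """Package level: every package whose dependency closure contains the package."""
    deps = defaultdict(set)
    for (pkg, _), g in call_graphs.items():
        for _, dep, _ in g["unresolved"]:
            deps[pkg].add(dep)
    return reverse_reach(deps, vulnerable_pkg)
```

In this constructed graph the package-level answer for an alert on D is all four libraries, while the callable-level answer for D.f3 is only C.f1 and D.f3 itself, because A calls C.f2 and never reaches C.f1.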
77. Examples of queries:
largest packages (# of functions)
select p.package_name, pv.version, count(*)
from package_versions pv
join packages p on pv.package_id = p.id
join modules m on m.package_version_id = pv.id
join callables c on c.module_id = m.id
group by p.package_name, pv.version
order by count(*) desc
limit 10;
78. Examples of queries:
Packages depending on vulnerable package
SELECT package_version_id, p.package_name, pv.version
FROM dependencies d
JOIN package_versions pv ON pv.id = d.package_version_id
JOIN packages p ON p.id = pv.package_id
WHERE d.dependency_id =
(SELECT id
FROM packages
WHERE package_name = 'com.google.guava:guava')
AND '20.0' = ANY(d.version_range);
80. Graph analytics
(results shown refer to Java CG’s)
❖ Graph stored using WebGraph (UMIL)
❖ For 1.1M graphs (2.3B nodes, 18B edges):
  ❖ 3.6 bits per edge, plus global ID storage for each node (9.0 bits per edge overall)
  ❖ DB size: 38GB → we can fit the whole of Maven in RAM
In progress
83. Vulnerability Plugin
❖ Injecting vulnerability information at package and callable level
❖ Introducing a normalizing Vulnerability Object definition among the different sources of information
❖ Continuously pulling updates for new information and storing the results
In progress
84. REST API
❖ Implementation of endpoints to expose canned queries from the metadata database
❖ In development:
  ❖ Full DB entity support
  ❖ Custom extension points
In progress
85. Analysis plug-ins
RAPID: Risk Analysis and Propagation Inspection for Security and Maintainability risks
❖ Plugin for code maintainability analysis: V1 deployed, processed 126K Maven coordinates to date
❖ Plugin for security vulnerability propagation
❖ User application to model and present risks
❖ Vulnerability data integration
❖ ClearlyDefined, NVD, …
❖ Association at the function and package level
In progress
86. License and Compliance analysis
❖ QMSTR Plugin consists of 3 steps:
1. Build graph generation, consisting of information about all the generated artifacts that will be distributed together with the source code;
2. Execution of static analysis tools that augment the build graph with license and compliance metadata;
3. Generation of a report with the package's relevant license and authorship metadata that is finally distributed
In progress
87. Use cases
❖ Endocode
  ❖ Integration of first version of license and compliance analyser
  ❖ Achieved the validation of `SPDX validator` use case
❖ SIG
  ❖ Integration of code quality analyser into FASTEN Server
❖ XWIKI
  ❖ Risk validation in the dependencies at Maven build time
  ❖ Risk validation in the installed extensions of an XWiki instance
  ❖ Filter out available compatible extensions for an XWiki instance
  ❖ Discoverability of XWiki components in available extensions
In progress
89. The future
End 2020: REST API, first full version of knowledge base, CG enrichment, build graph integration, first public announcement
Q1 2021: Impact analysis, integration with MVN / PyPI; first external user
Q2 2021: Industrial use cases integrated; first external adoption
Q3 2021: Licensing and security fully integrated; Data-driven API evolution
Q4 2021: Project finished; external integrations
Q1 2022: FASTEN 2?