FASTEN: Scaling static analysis to ecosystems
Georgios Gousios | @gousiosg
TU Delft
Package dependency networks
• Dependencies on version ranges with semantic versioning
• Online package repositories host all (?) released package versions
• Package managers read dependency descriptors and download libraries
• Transitive dependencies are downloaded automatically
Figure: Strongly connected component of the Rust/Cargo packages (Kikas 2016)
Recent issues with PDNs
• leftpad
• Equifax
• eventstream
• rest-client
• …
Ecosystems grow at breakneck speeds...
• The average JavaScript project has 54 (Kikas et al. 2017) or 80 (Zimmermann et al. 2019) transitive dependencies
• 50% of transitive dependency closures differ over a period of 6 months on Cargo/Rust (Hejderup et al. 2019)
...and they deteriorate
• Packages exist in RubyGems whose removal can bring down 500k (40%) other package versions (Kikas et al. 2017)
• 391 highly influential maintainers affect more than 10k packages (Zimmermann et al. 2019)
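The three mechanisms the slides describe (version ranges, automatic transitive resolution, and the blast radius of a package that disappears) on a toy package dependency network. This is an added example, not code from the FASTEN project: the registry, the two range forms and the resolution rule are constructed to make the mechanics visible, not to mirror any real package manager.

```python
"""Toy package dependency network (PDN): range resolution, transitive
closure and removal blast radius. Added example with constructed data."""
import copy

# Constructed registry: package -> {released version -> {dependency: range}}.
# Two constructed range forms: "^X.Y.Z" = same major and at least X.Y.Z
# (simplified caret, no special 0.x rule); "=X.Y.Z" = pinned.
REGISTRY = {
    "app": {"1.0.0": {"web": "^2.0.0", "log": "^1.0.0"}},
    "web": {"2.0.0": {"pad": "^0.1.0"},
            "2.1.0": {"pad": "^0.1.0", "log": "^1.1.0"}},
    "log": {"1.0.0": {},
            "1.1.0": {"pad": "=0.1.1"}},
    "pad": {"0.1.0": {}, "0.1.1": {}},
}


def parse_version(v):
    """'1.2.3' -> (1, 2, 3), so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def satisfies(version, rng):
    v = parse_version(version)
    if rng.startswith("="):
        return v == parse_version(rng[1:])
    if rng.startswith("^"):
        base = parse_version(rng[1:])
        return v[0] == base[0] and v >= base
    raise ValueError(f"unsupported range syntax: {rng}")


def resolve(pkg, rng, registry=REGISTRY):
    """Pick the newest released version matching the range, which is what a
    package manager does at install time. Returns None if nothing matches."""
    matching = [v for v in registry.get(pkg, {}) if satisfies(v, rng)]
    return max(matching, key=parse_version) if matching else None


def closure(pkg, version, registry=REGISTRY):
    """Transitive dependency closure of one package version as a set of
    (package, version) pairs. Ranges are resolved at every step, so a new
    release anywhere in the tree can change the result."""
    seen, stack = set(), [(pkg, version)]
    while stack:
        p, v = stack.pop()
        if (p, v) in seen:
            continue
        seen.add((p, v))
        for dep, rng in registry[p][v].items():
            rv = resolve(dep, rng, registry)
            if rv is None:
                raise LookupError(f"{p}@{v} needs {dep} {rng}: no release matches")
            stack.append((dep, rv))
    seen.discard((pkg, version))
    return seen


def blast_radius(pkg, registry=REGISTRY):
    """Every other package version whose closure contains `pkg`, i.e. what
    stops installing if all releases of `pkg` are removed."""
    hit = set()
    for p, versions in registry.items():
        if p == pkg:
            continue
        for v in versions:
            if any(dep == pkg for dep, _ in closure(p, v, registry)):
                hit.add((p, v))
    return hit


def with_release(registry, pkg, version, deps=None):
    """Copy of the registry after `pkg` publishes a new version."""
    reg = copy.deepcopy(registry)
    reg.setdefault(pkg, {})[version] = deps or {}
    return reg


if __name__ == "__main__":
    print("app@1.0.0 pulls in:", sorted(closure("app", "1.0.0")))
    print("removing pad breaks:", sorted(blast_radius("pad")))
    # A single new release of pad changes app's closure without app changing.
    later = with_release(REGISTRY, "pad", "0.2.0")
    print("after pad 0.2.0:", sorted(closure("app", "1.0.0", later)))
```

Two things worth noticing when running it: `pad` is a leaf that nobody lists directly in `app`, yet four of the five other package versions stop installing when it vanishes; and the pinned `=0.1.1` in `log` means that after `pad 0.2.0` appears the same closure contains two versions of `pad`, which is the kind of drift behind the "50% of closures differ in 6 months" figure.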
What research tells us
Developers don't update (Kula et al. 2017)
• 85% of the dependencies are outdated in 50% of important Maven packages
• No updates even in the case of security disclosures (70% were unaware)
• "Too difficult!", "No tools!"
Vulnerabilities proliferate
• 1/4 of library downloads have a vulnerability (Comcast TR 2017)
• 1/3 of top 133k sites have a vulnerable dependency (Lauinger et al. 2017)
The developers' perspective
• The observability problem: How can I know that one of my dependencies is outdated?
• The update problem: How can I check if an updated dependency breaks my code?
• The compliance problem: How do I know that I am not violating anyone's copyrights?
• The trust problem: How can I trust code I download from the Internet with my valuable data?
The maintainers' perspective
• The update problem: How can I update my library without breaking clients? How can I notify important clients that I am about to break them?
• The deprecation problem: How can I remove features from my library?
• The unlawful use problem: How can I spot instances of my code being distributed without permission?
• The lack of incentive problem: Why should I use my (free!) time to maintain a library that large corporations depend upon?
+ the problems that developers have!
State of the art practices: Dependency version pinning
• Resolve dependencies and store resolution in repo
• Protects against breakage due to updates
• Also "protects" against fast distribution of security updates
Image: https://www.publicdomainpictures.net/en/view-image.php?image=80963
State of the art practices: Monitoring services
• Lots of services (Dependabot, GitHub, …) notify projects when new dependency versions are available
• Ripe with false positives
• No help with impact assessment
The sorry state of the state of the art
• Not much beyond simple package version matches (and a bit of compliance)
• No support for assessing updates
• No support for making decisions on which libraries to use
• No support for maintainers
We can do better than that!
Getting to the root cause
State of the art tools analyze package relationships (the Package Dependency Network, PDN)…
…while actual reuse happens in the code (the Call Dependency Network, CDN)
Promises of Call-based Dependency Networks
• More precise usage analysis
  • Does this vulnerability affect my code?
  • Am I linking to GPL code?
• More precise impact analysis
  • How many clients will I break if I change this method?
  • Can I safely update?
• Effectively, augmenting soundness with precision
RustPräzi: A CDN for Rust
• Call graphs for 70% of Cargo packages
• Very precise, but unsound (missing calls)
• Rust's CG generator is poor; we are building a new one
• A very promising prototype
http://fasten-project.eu
FASTEN in a nutshell
• Präzi for Java, C, Python and Rust, incl. integration with package managers
• Analyses on top of it:
  • Can I safely update?
  • Security vulnerability propagation
  • Dependency risk profiling
  • Compliance monitoring
• A centralised service to host the graphs and serve the analyses
• Getting the tools into the hands of developers
FASTEN architecture (diagram, built up over several slides)
• Package repositories: PyPi, Debian, Cargo
• Package builds
• Call graph generators
• Storage: Graph DB, Metadata, Project information, Vulnerability information
• Call graph stitching
• Query API
• Analyses: Security, Compliance, Change impact, Quality and Risk
• REST API
All Kafka topics to be made public!
Check codefeedr.org soon!
Universal function identifiers
How to uniquely reference a function in a global namespace?
scheme: fasten://
forge: /mvn
artifact: /org.slf4j.slf4j-api
version: /1.2.3
namespace: /org.slf4j.helpers
function: /BasicMarkerFactory.getDetachedMarker
argument(s): (%2Fjava.lang%2FString)
return type: %2Forg.slf4j%2FMarker
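A parser and formatter for the identifier layout above, added here as an example; it is not the FASTEN project's own URI code. It assumes the segments on the slide are joined into one string, `fasten://forge/artifact/version/namespace/function(args)returntype`, that slashes inside type names are always percent-encoded as `%2F` (which is what makes a plain split on `/` safe), and that several arguments would be comma-separated (the slide shows only one).

```python
"""Parse and rebuild FASTEN universal function identifiers.
Added example; the joining convention and the comma separator are assumptions."""
import re
from urllib.parse import quote, unquote

SCHEME = "fasten://"
# function-name ( comma-separated encoded argument types ) encoded return type
SIGNATURE = re.compile(r"^(?P<function>[^(]+)\((?P<args>[^)]*)\)(?P<ret>.+)$")


def parse_fasten_uri(uri):
    """Return a dict with forge, artifact, version, namespace, function,
    arguments (decoded type paths) and return_type (decoded)."""
    if not uri.startswith(SCHEME):
        raise ValueError(f"not a FASTEN URI: {uri}")
    # Type paths are %2F-encoded, so the only literal slashes are separators.
    parts = uri[len(SCHEME):].split("/")
    if len(parts) != 5 or not all(parts):
        raise ValueError(f"expected forge/artifact/version/namespace/signature: {uri}")
    forge, artifact, version, namespace, signature = parts
    m = SIGNATURE.match(signature)
    if m is None:
        raise ValueError(f"malformed signature: {signature}")
    args = [unquote(a) for a in m["args"].split(",")] if m["args"] else []
    return {
        "forge": forge, "artifact": artifact, "version": version,
        "namespace": namespace, "function": m["function"],
        "arguments": args, "return_type": unquote(m["ret"]),
    }


def format_fasten_uri(f):
    """Inverse of parse_fasten_uri: re-encode the type paths and join."""
    def enc(type_path):
        return quote(type_path, safe="")   # encodes "/" as %2F, keeps "."
    sig = f"{f['function']}({','.join(enc(a) for a in f['arguments'])}){enc(f['return_type'])}"
    return SCHEME + "/".join([f["forge"], f["artifact"], f["version"], f["namespace"], sig])


# The identifier from the slide, joined into one string.
EXAMPLE = ("fasten://mvn/org.slf4j.slf4j-api/1.2.3/org.slf4j.helpers/"
           "BasicMarkerFactory.getDetachedMarker(%2Fjava.lang%2FString)%2Forg.slf4j%2FMarker")

if __name__ == "__main__":
    parsed = parse_fasten_uri(EXAMPLE)
    for key, value in parsed.items():
        print(f"{key:12} {value}")
    print("round trip ok:", format_fasten_uri(parsed) == EXAMPLE)
```

The strict `len(parts) != 5` check is deliberate: the package-relative forms used inside a stored call graph (`/namespace/function` for local methods, `///namespace/function` for calls whose product and version are not yet known) are not global identifiers and should be rejected here rather than silently mis-parsed.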
Callgraph stitching
• Idea: Decouple package resolution from call graph generation
• Build and store call graphs per package version, incl:
  • unresolved calls
  • class hierarchies (Java, Python)
• Callgraph stitching: Resolve unresolved calls given a dependency tree
How to scale callgraph generation to 10^6 package versions?
Call graph info
{
  "product": "org.slf4j.slf4j-api",
  "version": "1.7.29",
  "forge": "mvn",
  "depset": […],
  "cha": {
    "/org.slf4j/LoggerFactory": {
      "methods": [
        "/org.slf4j/LoggerFactory.bind()%2Fjava.lang%2FVoid", …
      ], …
    }
  },
  "graph": [
    [
      "/org.slf4j.helpers/BasicMarker.contains(%2Fjava.lang%2FString)%2Fjava.lang%2FBoolean",
      "///java.util/Iterator.hasNext()%2Fjava.lang%2FBoolean"
    ]
  ],
  "timestamp": 1574072773
}
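Stitching two stored call graphs in the JSON shape above and then answering the two CDN questions from the "Promises" slide (does this vulnerability affect my code, and how many clients do I break if I change this method). This is an added example, not the FASTEN stitcher, and both call graphs are constructed. The reading of the format is an assumption: a `graph` entry is a `[caller, callee]` pair; a callee starting with `///` has empty product and version segments and is therefore unresolved at generation time; stitching resolves it by looking for the same `/namespace/function` signature in the `cha` of a package named in the caller's `depset`.

```python
"""Call graph stitching plus forward/reverse reachability over the result.
Added example with constructed call graphs; the format reading is assumed."""
from collections import defaultdict

GET_LOGGER = "/org.slf4j/LoggerFactory.getLogger(%2Fjava.lang%2FString)%2Forg.slf4j%2FLogger"
BIND = "/org.slf4j/LoggerFactory.bind()%2Fjava.lang%2FVoid"
RUN = "/myapp/Main.run()%2Fjava.lang%2FVoid"
IDLE = "/myapp/Main.idle()%2Fjava.lang%2FVoid"
HAS_NEXT = "/java.util/Iterator.hasNext()%2Fjava.lang%2FBoolean"

# Constructed: an application whose only dependency is slf4j-api.
APP = {
    "product": "myapp", "version": "1.0", "forge": "mvn",
    "depset": ["org.slf4j.slf4j-api"],
    "cha": {"/myapp/Main": {"methods": [RUN, IDLE]}},
    "graph": [
        [RUN, "//" + GET_LOGGER],   # "///org.slf4j/...": unresolved, lives in a dependency
        [RUN, "//" + HAS_NEXT],     # "///java.util/...": unresolved, JDK, not in depset
    ],
}

# Constructed: the dependency's own stored call graph (calls are made up).
SLF4J = {
    "product": "org.slf4j.slf4j-api", "version": "1.7.29", "forge": "mvn",
    "depset": [],
    "cha": {"/org.slf4j/LoggerFactory": {"methods": [GET_LOGGER, BIND]}},
    "graph": [[GET_LOGGER, BIND]],
}


def declared_methods(cg):
    """Every method the package's class hierarchy declares."""
    return {m for cls in cg["cha"].values() for m in cls["methods"]}


def stitch(call_graphs):
    """Merge the call graphs of one resolved dependency tree.

    Returns (edges, unresolved). Edges join global nodes of the form
    (product, version, signature). `unresolved` lists callees no package in
    the caller's depset declares; those are the missing calls that make the
    stitched graph unsound, exactly the caveat on the RustPräzi slide."""
    by_product = {cg["product"]: cg for cg in call_graphs}
    declared = {p: declared_methods(cg) for p, cg in by_product.items()}
    edges, unresolved = set(), []
    for cg in call_graphs:
        me = (cg["product"], cg["version"])
        for caller, callee in cg["graph"]:
            src = me + (caller,)
            if callee.startswith("///"):
                sig = callee[2:]                      # drop the empty product/version
                owner = next((d for d in cg["depset"]
                              if d in declared and sig in declared[d]), None)
                if owner is None:
                    unresolved.append((src, callee))
                    continue
                dst = (owner, by_product[owner]["version"], sig)
            else:
                dst = me + (callee,)                  # local call, same package
            edges.add((src, dst))
    return edges, unresolved


def _walk(adjacency, start):
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(adjacency[n])
    seen.discard(start)
    return seen


def reachable_from(edges, start):
    """Forward reachability. "Does this vulnerability affect my code?" is
    `vulnerable_node in reachable_from(edges, my_entry_point)`."""
    adj = defaultdict(set)
    for s, t in edges:
        adj[s].add(t)
    return _walk(adj, start)


def callers_of(edges, target):
    """Reverse reachability, grouped by (product, version). "How many clients
    will I break if I change this method?" is the size of this dict."""
    rev = defaultdict(set)
    for s, t in edges:
        rev[t].add(s)
    impacted = defaultdict(set)
    for product, version, sig in _walk(rev, target):
        impacted[(product, version)].add(sig)
    return dict(impacted)


if __name__ == "__main__":
    edges, unresolved = stitch([APP, SLF4J])
    bind = ("org.slf4j.slf4j-api", "1.7.29", BIND)   # pretend bind() is the vulnerable function
    print("reachable from Main.run: ", bind in reachable_from(edges, ("myapp", "1.0", RUN)))
    print("reachable from Main.idle:", bind in reachable_from(edges, ("myapp", "1.0", IDLE)))
    print("changing bind() impacts:", callers_of(edges, bind))
    print("still unresolved:", unresolved)
```

The contrast with a PDN-level tool is the point of the "root cause" slides: because `org.slf4j.slf4j-api` is in `depset`, a version-match scanner would flag `myapp` for any slf4j advisory, whereas the stitched graph shows `bind()` is reachable only through `Main.run`, not `Main.idle`. The `Iterator.hasNext()` call stays unresolved because no JDK call graph was supplied, which is the kind of gap a practitioner should report alongside any "not affected" verdict rather than treat as proof of absence.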
Dependency updates
Merge with confidence (?)
Are tests enough?
Figure: Coverage of function calls to dependency functions in 520 Java projects
Uppdatera: approach
Uppdatera bot
Detecting regressions
Figure: Detection rate for artificial regressions in the dependency set of 388 Maven modules
Example FASTEN workflow: Updating with confidence

Before FASTEN
# Check outdated dependencies
$ pip list --outdated
Package Version Latest Type
---------- ------- ------ -----
Pygments 2.2.0 2.3.1 wheel
# Update a package
$ pip install --upgrade Pygments
Collecting Pygments
Downloading ...
Successfully installed Pygments-2.3.1
# Done, fingers crossed!

After FASTEN
# Check outdated dependencies
$ pip list --outdated
Package Version Latest Type
---------- ------- ------ -----
Pygments 2.2.0 2.3.1 wheel
Updating Pygments will affect:
foo.py: function colorize
bar.py: function parse
# Estimate update impact
$ pip install --dry-run Pygments
Function Pygments.Formatter.format[formatter.py] changed ->
check <your_app> at colorize[foo.py]:32
# Developer inspects changed paths
# Update can continue
$ pip install --upgrade Pygments
Collecting Pygments
Downloading ...
Successfully installed Pygments-2.3.1
# Done
Example FASTEN workflow: Deciding to use a library

Before FASTEN
# Checking info about the library
$ pip show tornado
Name: tornado
Version: 5.0
Summary: Tornado is a Python web framework …
Home-page: http://www.tornadoweb.org/
Author: Facebook
Author-email: …
License: http://www.apache.org/licenses/LICENSE-2.0
Location: …
Requires: backports-abc, futures, singledispatch
Required-by:

After FASTEN
# Checking info about the library
$ pip show tornado
Name: tornado
Version: 5.0
License: http://www.apache.org/licenses/LICENSE-2.0
...
Maintainers: 3
Community size: 15
Used by: 145 on PyPI, 34433 on GitHub
Latest vulnerability: 13 months ago (CVE-2012-2374)
All known vulnerabilities: 25 (best 10%)
License rating: Compatible
Example FASTEN workflow: Maintaining a library
# Check uses of function pkg.list() in dependents
$ pip query --uses pkg.list
depA(v1.2).parse()
depA(v1.2).test()
depB(0.0.2).foo()
depC(1.2.1).calculate()
# Estimate "damage" if pkg.list will be updated
$ pip query --total pkg.list
3 direct and 223 indirect dependencies will be affected
# Notify direct dependencies of upcoming breakage
$ pip query --uses pkg.list |
cut -f 1 -d '(' |
xargs -I {} pip show {} |
grep Author-email: | cut -f 2 -d ':' |
xargs mail -s 'MyProject update will break yours!'
# Which dependencies should I notify first?
$ pip query --uses --rank pkg.list
depC(1.2.1).calculate()
depB(0.0.2).foo()
depA(v1.2).parse()
depA(v1.2).test()
Current status
• Working on storage
• Working on CG generation for Python / Rust
• Working on the REST API
• Working on build graph integration
• Alpha release in May 2020, stay tuned!
http://fasten-project.eu
@FastenProject
http://dep.management
The FASTEN project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 825328.
The opinions expressed in this document reflect only the author's view and in no way reflect the European Commission's opinions. The European Commission is not responsible for any use that may be made of the information it contains.
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019. FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019. Fasten Project
 
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...Fasten Project
 

More from Fasten Project (15)

FASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent
FASTEN presentation at FOSDEM 2022 : Making Dependency Management IntelligentFASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent
FASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent
 
FASTEN presentation at OW2con'22
FASTEN presentation at OW2con'22FASTEN presentation at OW2con'22
FASTEN presentation at OW2con'22
 
FASTEN presentation at OW2con 2021
FASTEN presentation at OW2con 2021FASTEN presentation at OW2con 2021
FASTEN presentation at OW2con 2021
 
FASTEN Introduction, at EclipseCon 2021
FASTEN Introduction, at EclipseCon 2021 FASTEN Introduction, at EclipseCon 2021
FASTEN Introduction, at EclipseCon 2021
 
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
 
FASTEN user experience from a software vendor perspective : The future of ext...
FASTEN user experience from a software vendor perspective : The future of ext...FASTEN user experience from a software vendor perspective : The future of ext...
FASTEN user experience from a software vendor perspective : The future of ext...
 
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...
 
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...
 
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...
 
FASTEN presentation at SFScon, November 2020
FASTEN presentation at SFScon, November 2020FASTEN presentation at SFScon, November 2020
FASTEN presentation at SFScon, November 2020
 
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...
 
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
 
FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...
FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...
FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...
 
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019. FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
 
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Brussels

1. FASTEN: Scaling static analysis to ecosystems
Georgios Gousios | @gousiosg
TU Delft

2. Package dependency networks
• Dependencies on version ranges with semantic versioning
• Online package repositories host all (?) released package versions
• Package managers read dependency descriptors and download libraries
• Transitive dependencies are downloaded automatically
[Figure: Strongly connected component of the Rust/Cargo packages (Kikas 2016)]

3. Recent issues with PDNs
• leftpad
• Equifax
• eventstream
• rest-client
• …
[Figure: Strongly connected component of the Rust/Cargo packages (Kikas 2016)]

4. What research tells us
Ecosystems grow at breakneck speeds...
• Avg JavaScript project has 54 (Kikas et al. 2017), or 80 (Zimmermann et al. 2019) transitive dependencies
• 50% of transitive dependency closures differ over a period of 6 months on Cargo/Rust (Hejderup et al. 2019)
...and they deteriorate
• Packages exist in RubyGems whose removal can bring down 500k (40%) other package versions (Kikas et al. 2017)
• 391 highly influential maintainers affect more than 10k packages (Zimmermann et al. 2019)

5. What research tells us
Developers don't update (Kula et al. 2017)
• 85% of the dependencies are outdated in 50% of important Maven packages
• No updates even in the case of security disclosures (70% were unaware)
• "Too difficult!", "No tools!"
Vulnerabilities proliferate
• 1/4 of library downloads have a vulnerability (Comcast TR 2017)
• 1/3 of top 133k sites have a vulnerable dependency (Lauinger et al. 2017)

6. The developers' perspective
• The observability problem: How can I know that one of my dependencies is outdated?
• The update problem: How can I check if an updated dependency breaks my code?
• The compliance problem: How do I know that I am not violating anyone's copyrights?
• The trust problem: How can I trust code I download from the Internet with my valuable data?

7. The maintainers' perspective
• The update problem: How can I update my library without breaking clients? How can I notify important clients that I am about to break them?
• The deprecation problem: How can I remove features from my library?
• The unlawful use problem: How can I spot instances of my code being distributed without permission?
• The lack of incentive problem: Why should I use my (free!) time to maintain a library that large corporations depend upon?
+ the problems that developers have!

8. State of the art practices: Dependency version pinning
• Resolve dependencies and store the resolution in the repo
• Protects against breakage due to updates
• Also "protects" against fast distribution of security updates
[Image: https://www.publicdomainpictures.net/en/view-image.php?image=80963]

9–10. State of the art practices: Monitoring services
• Lots of services (Dependabot, GitHub, …) notify projects when new dependency versions are available
• Rife with false positives
• No help with impact assessment

11. The sorry state of the state of the art
• Not much beyond simple package version matches (and a bit of compliance)
• No support for assessing updates
• No support for making decisions on which libraries to use
• No support for maintainers
We can do better than that!

12–14. Getting to the root cause
State of the art tools analyze package relationships (the Package Dependency Network, PDN)…
…while actual reuse happens in the code (the Call Dependency Network, CDN)

15. Promises of Call-based Dependency Networks
• More precise usage analysis
  • Does this vulnerability affect my code?
  • Am I linking to GPL code?
• More precise impact analysis
  • How many clients will I break if I change this method?
  • Can I safely update?
• Effectively, augmenting soundness with precision

16. RustPräzi: A CDN for Rust
• Call graphs for 70% of Cargo packages
• Very precise, but unsound (missing calls)
• Rust's CG generator is poor; we are building a new one
• A very promising prototype

18. FASTEN in a nutshell
• Präzi for Java, C, Python and Rust, incl. integration with package managers
• Analyses on top of it:
  • Can I safely update?
  • Security vulnerability propagation
  • Dependency risk profiling
  • Compliance monitoring
• A centralised service to host the graphs and serve the analyses
• Getting the tools into the hands of developers

23–28. FASTEN architecture (built up over several slides)
[Diagram components: Package Repositories (PyPI, Debian, Cargo, Metadata); Call graph generators; Package Builds; Graph DB; Call graph stitching; Query API; analyses: Security, Compliance, Change impact, Quality and Risk; REST API; inputs: Project information, Vulnerability Information]
All Kafka topics to be made public! Check codefeedr.org soon!

29. Universal function identifiers
How to uniquely reference a function in a global namespace?

  fasten://mvn/org.slf4j.slf4j-api/1.2.3/org.slf4j.helpers/BasicMarkerFactory.getDetachedMarker(%2Fjava.lang%2FString)%2Forg.slf4j%2FMarker

  fasten://                              scheme
  mvn                                    forge
  org.slf4j.slf4j-api                    artifact
  1.2.3                                  version
  org.slf4j.helpers                      namespace
  BasicMarkerFactory.getDetachedMarker   function
  (%2Fjava.lang%2FString)                argument(s)
  %2Forg.slf4j%2FMarker                  return type

30. Call graph stitching
How to scale call graph generation to 10^6 package versions?
• Idea: Decouple package resolution from call graph generation
• Build and store call graphs per package version, incl.:
  • unresolved calls
  • class hierarchies (Java, Python)
• Call graph stitching: Resolve unresolved calls given a dependency tree

31. Call graph info
  {
    "product": "org.slf4j.slf4j-api",
    "version": "1.7.29",
    "forge": "mvn",
    "depset": […],
    "cha": {
      "/org.slf4j/LoggerFactory": {
        "methods": [
          "/org.slf4j/LoggerFactory.bind()%2Fjava.lang%2FVoid",
          …
        ],
        …
      }
    },
    "graph": [
      [
        "/org.slf4j.helpers/BasicMarker.contains(%2Fjava.lang%2FString)%2Fjava.lang%2FBoolean",
        "///java.util/Iterator.hasNext()%2Fjava.lang%2FBoolean"
      ]
    ],
    "timestamp": 1574072773
  }

35. Are tests enough?
[Figure: Coverage of function calls to dependency functions in 520 Java projects]

39. Detecting regressions
[Figure: Detection rate for artificial regressions in the dependency set of 388 Maven modules]

40–42. Example FASTEN workflow: Updating with confidence

Before FASTEN:
  # Check outdated dependencies
  $ pip list --outdated
  Package    Version Latest Type
  ---------- ------- ------ -----
  Pygments   2.2.0   2.3.1  wheel

  # Update a package
  $ pip install --upgrade Pygments
  Collecting Pygments
    Downloading ...
  Successfully installed Pygments-2.3.1
  # Done, fingers crossed!

After FASTEN:
  # Check outdated dependencies
  $ pip list --outdated
  Package    Version Latest Type
  ---------- ------- ------ -----
  Pygments   2.2.0   2.3.1  wheel
  Updating Pygments will affect:
    foo.py: function colorize
    bar.py: function parse

  # Estimate update impact
  $ pip install --dry-run Pygments
  Function Pygments.Formatter.format[formatter.py] changed
    -> check <your_app> at colorize[foo.py]:32
  # Developer inspects changed paths

  # Update can continue
  $ pip install --upgrade Pygments
  Collecting Pygments
    Downloading ...
  Successfully installed Pygments-2.3.1
  # Done

43–44. Example FASTEN workflow: Deciding to use a library

Before FASTEN:
  # Checking info about the library
  $ pip show tornado
  Name: tornado
  Version: 5.0
  Summary: Tornado is a Python web framework …
  Home-page: http://www.tornadoweb.org/
  Author: Facebook
  Author-email: …
  License: http://www.apache.org/licenses/LICENSE-2.0
  Location: …
  Requires: backports-abc, futures, singledispatch
  Required-by:

After FASTEN:
  # Checking info about the library
  $ pip show tornado
  Name: tornado
  Version: 5.0
  License: http://www.apache.org/licenses/LICENSE-2.0
  ...
  Maintainers: 3
  Community size: 15
  Used by: 145 on PyPI, 34433 on GitHub
  Latest vulnerability: 13 months ago (CVE-2012-2374)
  All known vulnerabilities: 25 (best 10%)
  License rating: Compatible

46–49. Example FASTEN workflow: Maintaining a library
  # Check uses of function pkg.list() in dependents
  $ pip query --uses pkg.list
  depA(v1.2).parse()
  depA(v1.2).test()
  depB(0.0.2).foo()
  depC(1.2.1).calculate()

  # Estimate "damage" if pkg.list will be updated
  $ pip query --total pkg.list
  3 direct and 223 indirect dependencies will be affected

  # Notify direct dependencies of upcoming breakage
  $ pip query --uses pkg.list | cut -f 1 -d '(' \
      | xargs -I {} pip show {} | grep Author-email: | cut -f 2 -d ':' \
      | xargs mail -s 'MyProject update will break yours!'

  # Which dependencies should I notify first?
  $ pip query --uses --rank pkg.list
  depC(1.2.1).calculate()
  depB(0.0.2).foo()
  depA(v1.2).parse()
  depA(v1.2).test()
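The identifier scheme of slide 29, the per-package record of slide 31 with its unresolved `///` calls, the stitching idea of slide 30 and the "which of my functions does this change reach?" question behind the update and maintenance workflows, worked through in one added Python example. This is not FASTEN project code: the record shape, the convention that a `///` node is a call into a not-yet-resolved dependency, and the slf4j/app sample records are assumptions built from what the slides show.

```python
"""Added example, not FASTEN project code: stitch slide-31 style call-graph records
and answer "which of my functions does this changed function reach?". Assumptions
(mine): a "/" node is local to its package, a "///" node calls a dependency that is
not yet resolved (the slide's "///java.util/Iterator.hasNext()"), sample data is made up."""
from collections import deque
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class FastenUri:
    forge: str
    product: str
    version: str
    namespace: str
    function: str
    args: tuple  # percent-encoded, exactly as on slide 29
    ret: str

    def local(self) -> str:  # package-relative form, also the key a CHA lists
        return f"/{self.namespace}/{self.function}({','.join(self.args)}){self.ret}"

    def readable(self) -> str:  # decoded signature for humans
        return f"{self.function}({', '.join(map(unquote, self.args))}) -> {unquote(self.ret)}"

    def __str__(self) -> str:
        return f"fasten://{self.forge}/{self.product}/{self.version}{self.local()}"


def parse_uri(uri: str, forge: str = "", product: str = "", version: str = "") -> FastenUri:
    """Parse a full fasten:// URI or a graph/CHA node; the keyword arguments complete a
    local node, while a "///" node keeps empty product and version (unresolved)."""
    if uri.startswith("fasten://"):
        forge, product, version, rest = uri[len("fasten://"):].split("/", 3)
    elif uri.startswith("///"):
        product, version, rest = "", "", uri[3:]
    elif uri.startswith("/"):
        rest = uri[1:]
    else:
        raise ValueError(f"not a FASTEN URI: {uri!r}")
    namespace, _, sig = rest.partition("/")
    fn, _, tail = sig.partition("(")  # function(args)return-type
    args, _, ret = tail.partition(")")
    return FastenUri(forge, product, version, namespace, fn, tuple(filter(None, args.split(","))), ret)


def stitch(records: list) -> tuple:
    """Slide 30: resolve each record's "///" calls against its own depset. Returns the
    global edges (full-URI pairs) and the callees no dependency exports (e.g. the JDK)."""
    exports = {(r["product"], r["version"]): {m for c in r["cha"].values() for m in c["methods"]}
               for r in records}
    edges, unresolved = set(), set()
    for r in records:
        me = (r["forge"], r["product"], r["version"])
        for src, dst in r["graph"]:
            caller, callee = parse_uri(src, *me), parse_uri(dst, *me)
            if not callee.product:  # unresolved: first dependency whose CHA declares it wins
                for dep in r["depset"]:
                    coord = (dep["product"], dep["version"])
                    if callee.local() in exports.get(coord, set()):
                        callee = parse_uri(callee.local(), r["forge"], *coord)
                        break
                else:
                    unresolved.add(str(callee))
            edges.add((str(caller), str(callee)))
    return edges, unresolved


def affected_callers(edges: set, changed: str, product: str) -> set:
    """Functions of `product` that reach `changed` (reverse BFS over stitched edges):
    the precise "does this change or vulnerability affect my code?" of slide 15."""
    rev = {}
    for src, dst in edges:
        rev.setdefault(dst, set()).add(src)
    seen, todo = set(), deque([changed])
    while todo:
        for caller in rev.get(todo.popleft(), ()):
            if caller not in seen:
                seen.add(caller)
                todo.append(caller)
    return {u for u in seen if parse_uri(u).product == product}


# Constructed sample records in the slide-31 shape (not real slf4j data).
GET_LOGGER = "/org.slf4j/LoggerFactory.getLogger(%2Fjava.lang%2FString)%2Forg.slf4j%2FLogger"
BIND = "/org.slf4j/LoggerFactory.bind()%2Fjava.lang%2FVoid"
MAIN = "/com.example/Main.main(%2Fjava.lang%2FString%5B%5D)%2Fjava.lang%2FVoid"
RENDER = "/com.example/Main.render()%2Fjava.lang%2FVoid"
SLF4J = {"product": "org.slf4j.slf4j-api", "version": "1.7.29", "forge": "mvn", "depset": [],
         "cha": {"/org.slf4j/LoggerFactory": {"methods": [GET_LOGGER, BIND]}},
         "graph": [[GET_LOGGER, BIND], [BIND, "///java.util/Iterator.hasNext()%2Fjava.lang%2FBoolean"]]}
APP = {"product": "com.example.app", "version": "1.0.0", "forge": "mvn",
       "depset": [{"product": "org.slf4j.slf4j-api", "version": "1.7.29"}],
       "cha": {"/com.example/Main": {"methods": [MAIN, RENDER]}},
       "graph": [[MAIN, RENDER], [RENDER, "//" + GET_LOGGER]]}  # "///" = call into a dependency


def demo() -> dict:
    """Stitch both records, then ask what a change to LoggerFactory.bind reaches in the app."""
    edges, unresolved = stitch([SLF4J, APP])
    changed = str(parse_uri(BIND, "mvn", "org.slf4j.slf4j-api", "1.7.29"))
    return {"edges": edges, "unresolved": unresolved,
            "affected": affected_callers(edges, changed, "com.example.app")}
```

Here `bind` is not called by the app directly, yet both `Main.main` and `Main.render` come back as affected, because the stitched graph follows the app's call into `getLogger` and then `getLogger`'s own call into `bind`; the JDK call stays in the unresolved set because no JDK record was supplied.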
50. Current status
• Working on storage
• Working on CG generation for Python / Rust
• Working on the REST API
• Working on build graph integration
• Alpha release in May 2020, stay tuned!

52. The FASTEN project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 825328. The opinions expressed in this document reflect only the author's view and in no way reflect the European Commission's opinions. The European Commission is not responsible for any use that may be made of the information it contains.