SlideShare a Scribd company logo

FOSDEM 2020 Presentation: Comparing dependency management issues across packaging ecosystems

Fasten Project
Fasten Project

This talk "Comparing dependency management issues across packaging ecosystems" was presented by Tom Mens, from Software Engineering Lab, University of Mons, Belgium, at FOSDEM 2020 during the Devroom Session "Dependency Management".

Technology
1 of 29
Download to read offline
Tom Mens Software Engineering Lab Faculty of Sciences tom.mens@umons.ac.be @tom_mens Comparing dependency issues across software package distributions
SECO-ASSIST "Excellence of Science” Research Project 2018-2021 secoassist.github.io@secoassist
Comparing dependency issues across software package distributions An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems A Decan, T. Mens, Ph. Grosjean (2019) Empirical Software Engineering 24(1) What do package dependencies tell us about semantic versioning? A Decan, T Mens (2019) IEEE Transactions on Software Engineering A formal framework for measuring technical lag in component repositories – and its application to npm A Zerouali, T Mens, et al. (2019) J. Software Evolution and Process On the impact of security vulnerabilities in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories On the evolution of technical lag in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Software Maintenance and Evolution
Dependency issues
Dependency issues “Technical lag” due to outdated dependencies Missed opportunities to benefit from new functionality, or fixes of known bugs and security vulnerabilities “Dependency hell” • Too many direct and transitive dependencies • Broken dependencies due to backward incompatibilities • Co-installability problems Unmaintained packages due to departure of maintainers Nontransparent update policies Incompatible or prohibited licenses
Incompatible licenses https://tidelift.com
Fragility due to transitive dependencies March 2016 November 2010 Unexpected removal of left-pad caused > 2% of all packages to become uninstallable (> 5,400 packages) Release 0.5.0 of i18n broke dependent package ActiveRecord that was transitively required by >5% of all packages
Libraries.io monitors 6,901,989 open source packages across 37 different package managers https://libraries.io (7 January 2020)
Characterising the evolution of package dependency networks Decan & Mens (2019) An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems. Empirical Software Engineering Journal 830K packages – 5.8M package versions – 20.5M dependencies (April 2017)
Continuing Growth Package dependency networks grow exponentially in terms of number of packages and/or dependencies Fastest growth for npm Slowest growth for CRAN
Continuing Change • Number of package updates grows over time • >50% of package releases are updated within 2 months • Required and young packages are updated more frequently 2012 2013 2014 2015 2016 2017 100 101 102 103 104 105 106 number of updates (log) cargo cpan cran npm nuget packagist rubygems Fastest growth for npm Slowest growth for CRAN
2012 2013 2014 2015 2016 2017 0 50 100 150 200 250 300 350 400 cargo cpan cran npm nuget packagist rubygems Increasing level of reuse • Highly connected network, containing 60% to 80% of all packages • Power law behavior: A stable minority (20%) of required packages collect over 80% of all reverse dependencies Reusability index: Maximal value n such that there exist n required packages having at least n dependent packages. Fastest growth for npm
High number of deep transitive dependencies • Fragile packages may have a very high transitive impact • Over 50% of top-level packages have a deep dependency graph 2012 2013 2014 2015 2016 2017 0 50 100 150 200 250 300 number of packages cargo cpan cran npm nuget packagist rubygems Number of packages that are transitively required by at least 5% of all packages. 1 2 3 4 5 6+ 0.0 0.1 0.2 0.3 0.4 0.5 proportion of top­level packages cargo 1 2 3 4 5 6+ cpan 1 2 3 4 5 6+ cran 1 2 3 4 5 6+ npm 1 2 3 4 5 6+ nuget 1 2 3 4 5 6+ packagist 1 2 3 4 5 6+ rubygems Transitive dependency depth of top-level packages
Outdated Dependencies Should package maintainers upgrade their dependencies to more recent versions? 😀 Upgrades benefit from bug and security fixes 😀 Upgrading allows to use new features 😢 Upgrading requires effort 😢 Upgrading may introduce breaking changes OutdatedUp-to-date
Outdated runtime dependencies in npm Outdated Dependencies ht Outdatedness is related to the type of dependency constraint being used Strict (i.e. pinned) constraints represent about 33% of all outdated dependencies
Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; … A Zerouali et al (Feb. 2019) A formal framework for measuring technical lag in component repositories – and its application to npm. Wiley Journal on Software Evolution and Process
~ 2.7.0 - 22-09-2017 2.0.1 - 16-05-2017 Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; …
Need for dependency monitoring tools Example: David Dependency Manager for npm projects https://david-dm.orgMy npm Project
Avoiding breaking changes through Semantic Versioning https://chaoss.community Is semantic versioning respected by software package distributions? What do package dependencies tell us about semantic versioning? A Decan, T Mens (May 2019) IEEE Transactions on Software Engineering major minor patch 3 9 2 Breaking changes Backwards compatible changes Bug fixes Most permissive Most Restrictive
Semantic versioning Different package managers interpret version constraints in different ways: More restrictive than semver More permissive than semver
Semantic versioning • Cargo, npm and Packagist are mostly semver-compliant. All three are more permissive than semver for 0.y.z versions • All considered ecosystems become more compliant over time. • >16% of restrictive constraints in npm, Packagist and Rubygems è prevents adoption of backward compatible upgrades
Security vulnerabilities OWASP Foundation Top 10 Application Security Risks You are likely vulnerable: • If you do not know the versions of all components you use … This includes components you directly use as well as nested dependencies. • If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries. • If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use. • If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities. • If software developers do not test the compatibility of updated, upgraded, or patched libraries. A9 - Using Components with Known Vulnerabilities
Security vulnerabilities in npm On the impact of security vulnerabilities in the npm package dependency network. A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories Vulnerable packages # vulnerabilities 399 # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 (45%) # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 (54%)
Security vulnerabilities in npm When are vulnerabilities discovered? >40% of all vulnerabilities are not discovered even 2.5 years after their introduction, regardless of their severity.
Security vulnerabilities in npm When are vulnerabilities fixed? ~20% of vulnerabilities take more than 1 year to be fixed.
Security vulnerabilities in npm When are vulnerabilities fixed in dependent packages? Vulnerable packages # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 >33% of all affected dependents are not (yet) fixed!
Security vulnerabilities in npm Why do vulnerabilities remain unfixed in dependent packages? Improper or too restrictive use of dependency constraints Maintainers are unaware of the vulnerability or how to fix it Fixed version of the dependency contains incompatible changes Package is no longer actively maintained
Tool support: Monitor and update vulnerable dependencies GitHub Automated security alerts and updates https://help.github.com/en/github/managing-security-vulnerabilities Snyk Continuously find and fix known vulnerabilities in a package’s dependencies https://snyk.io Retire.js Scans for the use of JavaScript libraries with known vulnerabilities http://retirejs.github.io/retire.js/ OWASP Dependency-Check Detects publicly disclosed vulnerabilities contained within a project’s dependencies. https://github.com/jeremylong/DependencyCheck Eclipse Steady Detects known vulnerabilitis in dependencies to open source Java and Python components through combination of static and dynamic analysis techniques https://eclipse.github.io/steady/
Conclusion • Package dependency networks are affected my multiple dependency issues • Many and deep transitive dependencies • Outdated dependencies • Breaking changes • Vulnerable dependencies • Automated tools and policies can help mitigating these issues • Measuring, monitoring and updating outdated and vulnerable dependencies • Supporting semantic versioning • Supporting transitive dependencies • Detecting vulnerabilities that matter (avoid false positives/negatives)

Recommended

Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Tom Mens
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemTom Mens
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsTom Mens
 
Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi...
Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi...Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi...
Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi...Fasten Project
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Tom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networksTom Mens
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkTom Mens
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 

Recommended

Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Comparing dependency issues across software package distributions (FOSDEM 2020)
Comparing dependency issues across software package distributions (FOSDEM 2020)Tom Mens
 
On the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemOn the health of the npm packaging ecosystem
On the health of the npm packaging ecosystemTom Mens
 
On the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsOn the fragility of open source software packaging ecosystems
On the fragility of open source software packaging ecosystemsTom Mens
 
Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi...
Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi...Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi...
Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi...Fasten Project
 
Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Is my software ecosystem healthy? It depends!
Is my software ecosystem healthy? It depends!Tom Mens
 
On backporting practices in package dependency networks
On backporting practices in package dependency networksOn backporting practices in package dependency networks
On backporting practices in package dependency networksTom Mens
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkTom Mens
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...WhiteSource
 
Lessons learned in implementing test on-commit for mobile devices
Lessons learned in implementing test on-commit for mobile devicesLessons learned in implementing test on-commit for mobile devices
Lessons learned in implementing test on-commit for mobile devicesJohan Hoberg
 
Riscoss models u-qasar meeting
Riscoss models u-qasar meetingRiscoss models u-qasar meeting
Riscoss models u-qasar meetingXavier Franch
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOpsFrom Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOpsDevOps.com
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkTom Mens
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsYou Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsDevOps.com
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsUltraUploader
 
Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Ann Marie Neufelder
 
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Codemotion
 
Testbed For Ids
Testbed For IdsTestbed For Ids
Testbed For Idsamiable_indian
 
Tinysec
TinysecTinysec
TinysecDhara Ladumor
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Codenomicon
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2PacSecJP
 
Measuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyMeasuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyIxia
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown ThreatsOPSWAT
 
Technology auto protection_from_exploit
Technology auto protection_from_exploitTechnology auto protection_from_exploit
Technology auto protection_from_exploitКомсс Файквэе
 
ConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software ContainersConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software ContainersAhmed Zerouali
 
Open-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact AssessmentOpen-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact AssessmentPriyanka Aash
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overviewCisco Canada
 
Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersTom Mens
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...Tom Mens
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkeconst
 

More Related Content

What's hot

Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...WhiteSource
 
Lessons learned in implementing test on-commit for mobile devices
Lessons learned in implementing test on-commit for mobile devicesLessons learned in implementing test on-commit for mobile devices
Lessons learned in implementing test on-commit for mobile devicesJohan Hoberg
 
Riscoss models u-qasar meeting
Riscoss models u-qasar meetingRiscoss models u-qasar meeting
Riscoss models u-qasar meetingXavier Franch
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOpsFrom Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOpsDevOps.com
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkTom Mens
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsYou Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsDevOps.com
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsUltraUploader
 
Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Ann Marie Neufelder
 
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Codemotion
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Codenomicon
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2PacSecJP
 
Measuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyMeasuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyIxia
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown ThreatsOPSWAT
 
ConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software ContainersConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software ContainersAhmed Zerouali
 
Open-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact AssessmentOpen-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact AssessmentPriyanka Aash
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overviewCisco Canada
 

What's hot (19)

Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...
 
Lessons learned in implementing test on-commit for mobile devices
Lessons learned in implementing test on-commit for mobile devicesLessons learned in implementing test on-commit for mobile devices
Lessons learned in implementing test on-commit for mobile devices
 
Riscoss models u-qasar meeting
Riscoss models u-qasar meetingRiscoss models u-qasar meeting
Riscoss models u-qasar meeting
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOpsFrom Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
 
On the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency networkOn the impact of security vulnerabilities in the npm package dependency network
On the impact of security vulnerabilities in the npm package dependency network
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsYou Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendors
 
Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...Four things that are almost guaranteed to reduce the reliability of a softwa...
Four things that are almost guaranteed to reduce the reliability of a softwa...
 
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019Kim van Wilgen - Continuous security - Codemotion Rome 2019
Kim van Wilgen - Continuous security - Codemotion Rome 2019
 
Testbed For Ids
Testbed For IdsTestbed For Ids
Testbed For Ids
 
Tinysec
TinysecTinysec
Tinysec
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2
 
Measuring Private Cloud Resiliency
Measuring Private Cloud ResiliencyMeasuring Private Cloud Resiliency
Measuring Private Cloud Resiliency
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown Threats
 
Technology auto protection_from_exploit
Technology auto protection_from_exploitTechnology auto protection_from_exploit
Technology auto protection_from_exploit
 
ConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software ContainersConPan: A Tool to Analyze Packages in Software Containers
ConPan: A Tool to Analyze Packages in Software Containers
 
Open-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact AssessmentOpen-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact Assessment
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overview
 

Similar to FOSDEM 2020 Presentation: Comparing dependency management issues across packaging ecosystems

Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersTom Mens
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...Tom Mens
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkeconst
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?Tom Mens
 
Evolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondEvolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondeconst
 
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Tom Mens
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptxwaleejhaider1
 
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...South Tyrol Free Software Conference
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Project
 
Securing Modern Applications: The Data Behind DevSecOps
Securing Modern Applications: The Data Behind DevSecOpsSecuring Modern Applications: The Data Behind DevSecOps
Securing Modern Applications: The Data Behind DevSecOpsEficode
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAhmed Zerouali
 
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Sonatype
 
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementPercezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementEmerasoft, solutions to collaborate
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...Ahmed Zerouali
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) Eoin Keary
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTom Mens
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Sonatype
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORNeha Rana
 

Similar to FOSDEM 2020 Presentation: Comparing dependency management issues across packaging ecosystems (20)

Empirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package ManagersEmpirically Analysing the Socio-Technical Health of Software Package Managers
Empirically Analysing the Socio-Technical Health of Software Package Managers
 
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...
 
On the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency networkOn the evolution of technical lag in the npm package dependency network
On the evolution of technical lag in the npm package dependency network
 
How to increase the technical health of your software?
How to increase the technical health of your software?How to increase the technical health of your software?
How to increase the technical health of your software?
 
Evolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyondEvolving Software Ecosystems: Health and beyond
Evolving Software Ecosystems: Health and beyond
 
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
Towards Laws of Software Ecosystem Evolution: An Empirical Comparison of Seve...
 
Aliens in Your Apps!
Aliens in Your Apps!Aliens in Your Apps!
Aliens in Your Apps!
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptx
 
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
SFSCON23 - Ranindya Paramitha - Technical leverage analysis in the Python eco...
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy Management
 
Securing Modern Applications: The Data Behind DevSecOps
Securing Modern Applications: The Data Behind DevSecOpsSecuring Modern Applications: The Data Behind DevSecOps
Securing Modern Applications: The Data Behind DevSecOps
 
An Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package DependenciesAn Empirical Analysis of Technical Lag in npm Package Dependencies
An Empirical Analysis of Technical Lag in npm Package Dependencies
 
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
 
Node.js security tour
Node.js security tourNode.js security tour
Node.js security tour
 
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk managementPercezione Vs Realtà: uno sguardo data-driven sull'OS risk management
Percezione Vs Realtà: uno sguardo data-driven sull'OS risk management
 
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency ...
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
Towards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packagesTowards an empirical analysis of the maintainability of CRAN packages
Towards an empirical analysis of the maintainability of CRAN packages
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
 

More from Fasten Project

FASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent
FASTEN presentation at FOSDEM 2022 : Making Dependency Management IntelligentFASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent
FASTEN presentation at FOSDEM 2022 : Making Dependency Management IntelligentFasten Project
 
FASTEN presentation at OW2con'22
FASTEN presentation at OW2con'22FASTEN presentation at OW2con'22
FASTEN presentation at OW2con'22Fasten Project
 
FASTEN presentation at OW2con 2021
FASTEN presentation at OW2con 2021FASTEN presentation at OW2con 2021
FASTEN presentation at OW2con 2021Fasten Project
 
FASTEN Introduction, at EclipseCon 2021
FASTEN Introduction, at EclipseCon 2021 FASTEN Introduction, at EclipseCon 2021
FASTEN Introduction, at EclipseCon 2021 Fasten Project
 
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...Fasten Project
 
FASTEN user experience from a software vendor perspective : The future of ext...
FASTEN user experience from a software vendor perspective : The future of ext...FASTEN user experience from a software vendor perspective : The future of ext...
FASTEN user experience from a software vendor perspective : The future of ext...Fasten Project
 
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...Fasten Project
 
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...Fasten Project
 
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...Fasten Project
 
FASTEN presentation at SFScon, November 2020
FASTEN presentation at SFScon, November 2020FASTEN presentation at SFScon, November 2020
FASTEN presentation at SFScon, November 2020Fasten Project
 
FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Bru...
FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Bru...FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Bru...
FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Bru...Fasten Project
 
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...Fasten Project
 
FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...
FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...
FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...Fasten Project
 
Presentation of the FASTEN project, Conference SFScon, Bolzano, Italy
Presentation of the FASTEN project, Conference SFScon, Bolzano, Italy Presentation of the FASTEN project, Conference SFScon, Bolzano, Italy
Presentation of the FASTEN project, Conference SFScon, Bolzano, Italy Fasten Project
 
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019. FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019. Fasten Project
 
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...Fasten Project
 

More from Fasten Project (16)

FASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent
FASTEN presentation at FOSDEM 2022 : Making Dependency Management IntelligentFASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent
FASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent
 
FASTEN presentation at OW2con'22
FASTEN presentation at OW2con'22FASTEN presentation at OW2con'22
FASTEN presentation at OW2con'22
 
FASTEN presentation at OW2con 2021
FASTEN presentation at OW2con 2021FASTEN presentation at OW2con 2021
FASTEN presentation at OW2con 2021
 
FASTEN Introduction, at EclipseCon 2021
FASTEN Introduction, at EclipseCon 2021 FASTEN Introduction, at EclipseCon 2021
FASTEN Introduction, at EclipseCon 2021
 
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
 
FASTEN user experience from a software vendor perspective : The future of ext...
FASTEN user experience from a software vendor perspective : The future of ext...FASTEN user experience from a software vendor perspective : The future of ext...
FASTEN user experience from a software vendor perspective : The future of ext...
 
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...
Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...
 
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...
Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...
 
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...
Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...
 
FASTEN presentation at SFScon, November 2020
FASTEN presentation at SFScon, November 2020FASTEN presentation at SFScon, November 2020
FASTEN presentation at SFScon, November 2020
 
FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Bru...
FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Bru...FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Bru...
FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Bru...
 
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...
FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...
 
FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...
FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...
FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...
 
Presentation of the FASTEN project, Conference SFScon, Bolzano, Italy
Presentation of the FASTEN project, Conference SFScon, Bolzano, Italy Presentation of the FASTEN project, Conference SFScon, Bolzano, Italy
Presentation of the FASTEN project, Conference SFScon, Bolzano, Italy
 
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019. FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.
 
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...
 

Recently uploaded

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

FOSDEM 2020 Presentation: Comparing dependency management issues across packaging ecosystems

  • 1. Tom Mens Software Engineering Lab Faculty of Sciences tom.mens@umons.ac.be @tom_mens Comparing dependency issues across software package distributions
  • 2. SECO-ASSIST "Excellence of Science” Research Project 2018-2021 secoassist.github.io@secoassist
  • 3. Comparing dependency issues across software package distributions An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems A Decan, T. Mens, Ph. Grosjean (2019) Empirical Software Engineering 24(1) What do package dependencies tell us about semantic versioning? A Decan, T Mens (2019) IEEE Transactions on Software Engineering A formal framework for measuring technical lag in component repositories – and its application to npm A Zerouali, T Mens, et al. (2019) J. Software Evolution and Process On the impact of security vulnerabilities in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories On the evolution of technical lag in the npm package dependency network A Decan, T Mens, E Constantinou (2018) Int’l Conf. Software Maintenance and Evolution
  • 5. Dependency issues “Technical lag” due to outdated dependencies Missed opportunities to benefit from new functionality, or fixes of known bugs and security vulnerabilities “Dependency hell” • Too many direct and transitive dependencies • Broken dependencies due to backward incompatibilities • Co-installability problems Unmaintained packages due to departure of maintainers Nontransparent update policies Incompatible or prohibited licenses
  • 7. Fragility due to transitive dependencies March 2016 November 2010 Unexpected removal of left-pad caused > 2% of all packages to become uninstallable (> 5,400 packages) Release 0.5.0 of i18n broke dependent package ActiveRecord that was transitively required by >5% of all packages
  • 8. Libraries.io monitors 6,901,989 open source packages across 37 different package managers https://libraries.io (7 January 2020)
  • 9. Characterising the evolution of package dependency networks Decan & Mens (2019) An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems. Empirical Software Engineering Journal 830K packages – 5.8M package versions – 20.5M dependencies (April 2017)
  • 10. Continuing Growth Package dependency networks grow exponentially in terms of number of packages and/or dependencies Fastest growth for npm Slowest growth for CRAN
  • 11. Continuing Change • Number of package updates grows over time • >50% of package releases are updated within 2 months • Required and young packages are updated more frequently 2012 2013 2014 2015 2016 2017 100 101 102 103 104 105 106 number of updates (log) cargo cpan cran npm nuget packagist rubygems Fastest growth for npm Slowest growth for CRAN
  • 12. 2012 2013 2014 2015 2016 2017 0 50 100 150 200 250 300 350 400 cargo cpan cran npm nuget packagist rubygems Increasing level of reuse • Highly connected network, containing 60% to 80% of all packages • Power law behavior: A stable minority (20%) of required packages collect over 80% of all reverse dependencies Reusability index: Maximal value n such that there exist n required packages having at least n dependent packages. Fastest growth for npm
  • 13. High number of deep transitive dependencies • Fragile packages may have a very high transitive impact • Over 50% of top-level packages have a deep dependency graph 2012 2013 2014 2015 2016 2017 0 50 100 150 200 250 300 number of packages cargo cpan cran npm nuget packagist rubygems Number of packages that are transitively required by at least 5% of all packages. 1 2 3 4 5 6+ 0.0 0.1 0.2 0.3 0.4 0.5 proportion of top­level packages cargo 1 2 3 4 5 6+ cpan 1 2 3 4 5 6+ cran 1 2 3 4 5 6+ npm 1 2 3 4 5 6+ nuget 1 2 3 4 5 6+ packagist 1 2 3 4 5 6+ rubygems Transitive dependency depth of top-level packages
  • 14. Outdated Dependencies Should package maintainers upgrade their dependencies to more recent versions? 😀 Upgrades benefit from bug and security fixes 😀 Upgrading allows to use new features 😢 Upgrading requires effort 😢 Upgrading may introduce breaking changes OutdatedUp-to-date
  • 15. Outdated runtime dependencies in npm Outdated Dependencies ht Outdatedness is related to the type of dependency constraint being used Strict (i.e. pinned) constraints represent about 33% of all outdated dependencies
  • 16. Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; … A Zerouali et al (Feb. 2019) A formal framework for measuring technical lag in component repositories – and its application to npm. Wiley Journal on Software Evolution and Process
  • 17. ~ 2.7.0 - 22-09-2017 2.0.1 - 16-05-2017 Technical Lag Technical lag measures how outdated a package or dependency is w.r.t. the “ideal” situation where “ideal” = “most recent”; “most secure”; ”least bugs”; “most compatible”; …
  • 18. Need for dependency monitoring tools Example: David Dependency Manager for npm projects https://david-dm.orgMy npm Project
  • 19. Avoiding breaking changes through Semantic Versioning https://chaoss.community Is semantic versioning respected by software package distributions? What do package dependencies tell us about semantic versioning? A Decan, T Mens (May 2019) IEEE Transactions on Software Engineering major minor patch 3 9 2 Breaking changes Backwards compatible changes Bug fixes Most permissive Most Restrictive
  • 20. Semantic versioning Different package managers interpret version constraints in different ways: More restrictive than semver More permissive than semver
  • 21. Semantic versioning • Cargo, npm and Packagist are mostly semver-compliant. All three are more permissive than semver for 0.y.z versions • All considered ecosystems become more compliant over time. • >16% of restrictive constraints in npm, Packagist and Rubygems è prevents adoption of backward compatible upgrades
  • 22. Security vulnerabilities OWASP Foundation Top 10 Application Security Risks You are likely vulnerable: • If you do not know the versions of all components you use … This includes components you directly use as well as nested dependencies. • If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries. • If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use. • If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities. • If software developers do not test the compatibility of updated, upgraded, or patched libraries. A9 - Using Components with Known Vulnerabilities
  • 23. Security vulnerabilities in npm On the impact of security vulnerabilities in the npm package dependency network. A Decan, T Mens, E Constantinou (2018) Int’l Conf. Mining Software Repositories Vulnerable packages # vulnerabilities 399 # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 (45%) # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 (54%)
  • 24. Security vulnerabilities in npm When are vulnerabilities discovered? >40% of all vulnerabilities are not discovered even 2.5 years after their introduction, regardless of their severity.
  • 25. Security vulnerabilities in npm When are vulnerabilities fixed? ~20% of vulnerabilities take more than 1 year to be fixed.
  • 26. Security vulnerabilities in npm When are vulnerabilities fixed in dependent packages? Vulnerable packages # vulnerable packages 269 # releases of vulnerable packages 14,931 # vulnerable releases 6,752 # dependent packages 133,602 # dependent packages affected by the vulnerable packages 72,470 >33% of all affected dependents are not (yet) fixed!
  • 27. Security vulnerabilities in npm Why do vulnerabilities remain unfixed in dependent packages? Improper or too restrictive use of dependency constraints Maintainers are unaware of the vulnerability or how to fix it Fixed version of the dependency contains incompatible changes Package is no longer actively maintained
  • 28. Tool support: Monitor and update vulnerable dependencies GitHub Automated security alerts and updates https://help.github.com/en/github/managing-security-vulnerabilities Snyk Continuously find and fix known vulnerabilities in a package’s dependencies https://snyk.io Retire.js Scans for the use of JavaScript libraries with known vulnerabilities http://retirejs.github.io/retire.js/ OWASP Dependency-Check Detects publicly disclosed vulnerabilities contained within a project’s dependencies. https://github.com/jeremylong/DependencyCheck Eclipse Steady Detects known vulnerabilitis in dependencies to open source Java and Python components through combination of static and dynamic analysis techniques https://eclipse.github.io/steady/
  • 29. Conclusion • Package dependency networks are affected my multiple dependency issues • Many and deep transitive dependencies • Outdated dependencies • Breaking changes • Vulnerable dependencies • Automated tools and policies can help mitigating these issues • Measuring, monitoring and updating outdated and vulnerable dependencies • Supporting semantic versioning • Supporting transitive dependencies • Detecting vulnerabilities that matter (avoid false positives/negatives)