The document discusses the use of static analysis to improve the automatic resolution of library dependencies in software, highlighting issues such as missing, inconsistent, redundant, and duplicated dependencies. It presents findings from experiments on Java open-source projects, revealing that approximately 20% of modules contained duplicated dependencies leading to various problems. Two specific examples illustrate the issues caused by such duplications, emphasizing the importance of static byte-code analysis in identifying these errors.

1. On the Use of Static Analysis to
Safeguard Recursive Dependency
Resolution
Kamil Jezek
NTIS - New Technologies for Information
Society
University of West Bohemia
Czech Republic, Plzen
kjezek@kiv.zu.cz
Jens Dietrich
Massey University
Palmerston North, New Zealand
j.b.dietrich@massey.ac.nz

2. Agenda
● Problem of automatic library resolution
● Examples from open-source
● Approach to discover problems
● Quantification on experiment

3. Problem: Automatic Library Resolution
Source
code
Automatically resolved libraries = error prone

4. Problem Classification
● Missing dependencies (1)
● Inconsistent dependencies (2)
● Redundant dependencies (3)
● Duplicated dependencies (4)
Source
code
(1)
(2)
(4)
(3)

5. Comparison of Resolution Processes
Problem Manual Automatic
Missing dependencies yes yes
Inconsistent dependencies yes yes
Redundant dependencies rare yes
Duplicated dependencies very rare frequent

6. Research Question
Do these problems occur in practice?

7. Target Platform
Following examples and approach for
Java and Maven

8. Example 1: Apache Roller
Apache Roller links to two httpcore versions

9. Impact on Apache Roller
Method releaseConnection() invoked by
Spring-web missing in httpcore 4.1

10. Example 2: Apache Commons-io
Commons-io is distributed in two packages

11. Impact on Apache Commons-IO
Maven Central Repository
org.apache.commons used by 542 projects
commons-io used by 293 projects

12. Approach: API Reconstruction
API Added in v4.2 API usage
class HttpPost {
void releaseConnection(...) { … }
void reset(...) { … }
}
class HttpComponents...Executor {
private RemoteInvocationResult
doExecuteRequest(...) {
...
postMethod.releaseConnection();
}
}

13. Approach: API Verification
API API usage
?
>≥<≤=≠
Added in v4.2

14. Experiment: Questions
How many programs contain static errors?
How many caused by duplicated libraries?

15. Dataset: Qualitas Corpus
111 Java open-source programs in 661 versions
– Hibernate, Spring, Apache Roller, ...
72 Maven projects versions divided into 1902 Maven modules

16. Methodology
Maven Enforcer Plugin
Byte-code analysis
Duplicities
API incomp.
Result Matching

17. Number of Discovered Problems
367 (about 20%) modules contain duplicated dependencies
Problem Number of
Modules
Missing classes 38
Redundant libraries 213
Incompatible classes 49
Duplicated classes 38

18. Problems Caused by Duplication
Two projects: sitegraph, showcase
Duplicated libraries:
commons-io:1.0 and commons-io:1.3.2

19. Detail of Problem
Problem in class: org.apache.commons.io.IOUtils
Methods not contained in v 1.0
copy, lineIterator, readLines, write, writeLines
But actually invoked

20. Conclusion
• Detected problem with automatic dependency resolution
• Introduced static byte-code analysis
• Performed experiment on Qualita Corpus
• Discovered a lot of problems
• Two examples directly caused by library duplication

21. Thank you for your attention
Contact us
Kamil Jezek: kjezek@kiv.zu.cz
Jens Dietrich: j.b.dietrich@massey.ac.nz