Software engineers reuse code to reduce development and maintenance costs but how safe is it to use open source software (OSS)? By using OSS and dependencies to external libraries they can introduce to projects significant operational and compliance risk as well as difficult to assess security implications. The aim of the FASTEN project (a European Union’s H2020 research and innovation programme led by TU Delft) is to address this situation, by ​developing an intelligent software package management system that will enhance robustness and security in software ecosystems. Our team in Endocode AG is part of the FASTEN project with our FOSS toolchain Quartermaster, which detects license compliance on softwares.

1. Fine-Grained Analysis of Software Ecosystems as Networks
The FASTEN project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 825328.
An introduction to
Fasten and Quartermaster projects
Giasemi Seisa

2. Oct 11, 2019 22019
1. Risks on using Open Source Software (OSS)1. Risks on using Open Source Software (OSS)
2. FASTEN project2. FASTEN project
3. Quartermaster project3. Quartermaster project
4. Role of Quartermaster in FASTEN Project4. Role of Quartermaster in FASTEN Project

3. Oct 11, 2019 32019
Risks on using Open
Source Software How the risk is created:
By the use of OSS libraries. Why?
Programs and libraries can have
dependencies on other libraries and those
dependencies co-evolve without centralized
coordination.
Increasingly, libraries are being used as
building blocks for creating other libraries.

4. Oct 11, 2019 42019
Risks on using Open Source Software

5. Oct 11, 2019 52019
Risks on using Open Source Software

6. Oct 11, 2019 62019
Risks on using OSS
Including arbitrary code from an online repository can introduce:
Trust issues
Does the code performs the expected functionality? How can I trust code I download from the Internet
with my valuable data?
Security issues
How can developers ensure the imported code contains no security holes? How can we know when a
security issue discovered in a transitive dependency requires an update?
The observability problem:
How can I know that one of my dependencies is outdated?
The update problem:
How can I check if an updated dependency breaks my code?

7. Oct 11, 2019 72019
Risks on using OSS (2)
Including arbitrary code from an online repository can introduce:
Compliance implications
How do I know that I am not violating anyone’s copyrights or that I am not linking against code featuring
incompatible licenses?
Creates challenges to library maintainers:
●
How can I assess the (direct or transitive) impact of my changes? How can I deprecate features
(e.g., remove functionality) without knowing who is using them?
●
Why should I use my (free!) time to maintain a library that large corporations depend upon?
●
How can I spot instances of my code being distributed without permission?

8. Oct 11, 2019 82019
Ecosystem Failures
The leftpad incident
A dispute over a library name in the NPM ecosystem led to the
removal of a library called left-pad. The package removal led to
the collapse of thousands of libraries which directly or transi-
tively depended on leftpad, and hence a major disruption for
client programs. Thousands of the most popular Javascript
libraries (e.g., babel, and React), used by millions of web sites,
stopped working for developers. Even after the leftpad incident,
a study estimated that libraries exist whose removal can affect
more that 30% of the core components of the network.

9. Oct 11, 2019 92019
Ecosystem Failures
Equifax data breach
A company named Equifax leaked over 100.000 credit card
records due to a dependency that was not updated. The
compromised systems included a vulnerable version of the
Apache Struts library, whose update was postponed as the
Equifax security team erroneously underestimated the impact of
the bug on their codebase. The breach has costed Equifax an
unprecedented $4 billion

10. Oct 11, 2019 102019
Risks overview
The dream of code reuse is a reality, but this reality is not
without problems.
Package users need to invest significant resources into
shielding themselves from software security, legal compliance
and source code incompatibility issues.
On the other hand, package providers have no reasonable
means of evolving their offerings in an systematic way, which
leads to incompatibility problems with upstream projects.
To solve those problems, what is needed is a better way to
deal with dependencies.

11. Oct 11, 2019 112019
The FASTEN Project
The aim is to make software ecosystems more robust by making package
management more intelligent

12. Oct 11, 2019 122019
The FASTEN Project
HOW?
●
Creation of an ecosystem-wide Fine-Grained Call Graph (FGCG), at the function level.

13. Oct 11, 2019 132019
The FASTEN Project
1. Current status

14. Oct 11, 2019 142019
The FASTEN Project
1. Current status
2. Fine-Grained
Call Graph (FGCG)

15. Oct 11, 2019 152019
Promises of Call-based
Dependency Networks
Fully precise usage analysis
Does this vulnerability affect my code?
Am I linking to GPL code?
Fully precise impact analysis
How many clients will I break if I change
this?
Can I safely update?

16. Oct 11, 2019 162019
The FASTEN Project

17. Oct 11, 2019 172019
Example of FASTEN workflow

18. Oct 11, 2019 182019
Example of FASTEN workflow

19. Oct 11, 2019 192019
Example of FASTEN workflow

20. Oct 11, 2019 202019
Example of FASTEN workflow
Deciding to use a library

21. Oct 11, 2019 212019
Example of FASTEN workflow
Deciding to use a library

22. Oct 11, 2019 222019
Example of FASTEN workflow
Maintaining a library

23. Oct 11, 2019 232019
Example of FASTEN workflow
Maintaining a library

24. Oct 11, 2019 242019
Example of FASTEN workflow
Maintaining a library

25. Oct 11, 2019 252019
Example of FASTEN workflow
Maintaining a library

26. Oct 11, 2019 262019
Example of FASTEN workflow
Maintaining a library

27. Oct 11, 2019 272019
The Quartermaster Project
What is Quartermaster?
How is it connected to FASTEN?

28. Oct 11, 2019 282019
The Quartermaster Project
What is Quartermaster?
Open source software developed by Endocode AG
Command line tool which integrates into the build system to learn about the software product,
its sources and dependencies and then performs analysis.
Compliance analysis
Developers can run QMSTR locally to verify outcomes, review problems, or integrate it into
test suites.
https://github.com/endocode/qmstr

29. Oct 11, 2019 292019
The Quartermaster Project
The idea behind Quartermaster
Reduce complexity of managing license compliance
No industry standard for FOSS compliance tooling
The understanding and management of software copyright and license compliance in
FOSS needs to improve.

30. Oct 11, 2019 302019
The Quartermaster Project
How is Quartermaster connected to FASTEN?
Detects license compliance
Bidirectional connection
●
Quartermaster gets information about the dependencies from the FASTEN call graph
●
Quartermaster then reports back to the FASTEN knowledge base with the license
Connects FASTEN with the developers

31. Oct 11, 2019 312019
https://www.fasten-project.eu
Contributors:

32. Oct 11, 2019 322019
The FASTEN project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No 825328.
The opinions expressed in this document reflects only the author`s view and in no way reflect the European Commission’s opinions. The European
Commission is not responsible for any use that may be made of the information it contains.