Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Intelligent package management with FASTEN, OW2online, June 2020

126 Aufrufe

Veröffentlicht am

Presentation by Amir Mir, TUDelft.
As recent events, such as the leftpad incident and the Equifax data breach, have demonstrated, dependencies on networks of external libraries can introduce projects to significant operational and compliance risks as well as difficult to assess security implications. FASTEN introduces fine-grained, method-level, tracking of dependencies on top of existing dependency management networks. In our talk, we will present how FASTEN works on top of the Rust/Cargo and Java/Maven ecosystems.

Veröffentlicht in: Technologie
  • Login to see the comments

  • Gehören Sie zu den Ersten, denen das gefällt!

Intelligent package management with FASTEN, OW2online, June 2020

  1. 1. FASTEN Intelligent Software Package Management Amir Mir s.a.m.mir@tudelft.nl OW2Con, June 2020
  2. 2. Content ● Open Source Software (OSS) ● Package Management ● Package Dependency Networks (PDNs) ○ Issues with PDNs ○ Existing Solutions ○ The Root Cause ● The FASTEN Project ○ Solution ○ The FASTEN Architecture ○ The Metadata Database ○ Current State ○ Examples of FASTEN Workflow
  3. 3. Open Source Software (OSS) ● Allows to reuse code to reduce development and maintenance costs ● Hosted on centralized repositories (Maven, PyPI, ....) ● Made the dream of collaborative development feasible
  4. 4. Package Management ● Open-source libraries as a building block for creating new software ● Package managers resolve dependencies and download required libraries
  5. 5. Package Management
  6. 6. Package Dependency Networks (PDNs) ● Packages versions and their dependencies from huge and complex dependency networks ● Version constraints make these networks more complicated
  7. 7. Recent Failures with PDNs ● Leftpad in 2016
  8. 8. Recent Failures with PDNs ● In 2017, affected 147 millions of people
  9. 9. Issues with PDNs From a developer’s perspective ● The observability problem ● The update problem ● The compliance problem ● The trust problem From a maintainer’s perspective ● The update problem ● The deprecation problem ● The unlawful use problem ● The lack of incentive problem
  10. 10. Existing Solutions to the Issues of PDNs ● Services like GitHub, Dependabot ● Problems: ○ No support for assessing updates ○ No help with impact assessment ○ False positives
  11. 11. The Root Cause of the Issues of PDNs Current Solutions Call Dependency Networks (CDNs)
  12. 12. The FASTEN Project ● Fine-Grained Analysis of Software Ecosystems as Network ● Aims at solving the issues of PDNs by making package management robust and intelligent ● A centralized service to host the graphs and serve the analyses ● Consortium:
  13. 13. The FASTEN Solution ● More precise license compliance ○ Am I linking to GPL code? ● More precise risk profiling ○ Does this vulnerability affect my package? ● More precise change impact analysis ○ How many packages will I break if I change this function? ○ Can I safely update the dependencies of my package? ● Integration with package managers
  14. 14. Overview of the FASTEN Architecture Data streams Package repositories Vulnerability information FASTEN server Call graph generators Analysis layer Security Change impact Compliance Quality and Risk Storage layer RESTAPIWebUI Continuous Integration servers
  15. 15. The Metadata Database
  16. 16. Current Status of the Project ● Alpha version of the project in May ● Generated 1.2M Java call graphs ● Generated 80K Rust call graphs ● Generating call graphs for Debian packages ● Deployment of the FASTEN server on Kubernetes clusters ● Initial implementation of the storage layer ○ The metadata database ○ Graph database
  17. 17. Examples of FASTEN Workflow Updating with confidence Before FASTEN After FASTEN
  18. 18. Examples of FASTEN Workflow Deciding to use a library Before FASTEN After FASTEN
  19. 19. https://www.fasten-project.eu/ https://github.com/fasten-project https://twitter.com/fastenproject
  20. 20. The FASTEN project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 825328.