Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Structure and Evolution of Package Dependency N...

Structure and Evolution of Package Dependency Networks

Presentation given to MSR 2017 about the network characteristics of package managers such as NPM, RubyGems and Cargo

Georgios Gousios

May 20, 2017
Tweet

More Decks by Georgios Gousios

Other Decks in Technology

Transcript

  1. Software reuse • System reuse • Application reuse • Component

    reuse • Libraries • COTS components • OSS packages through dependency management • Object/Function reuse
  2. How do dependency networks look like? How do dependency networks

    evolve? How resilient are dependency networks to attacks?
  3. How do dependency networks look like? How do dependency networks

    evolve? How resilient are dependency networks to attacks?
  4. How do dependency networks look like? How do dependency networks

    evolve? How resilient are dependency networks to attacks?
  5. Dependency network construction No versions A C B D E


    A
 0.1 B
 0.3 C
 0.5 E
 0.1 Latest versions A
 0.1 C
 0.4 B
 0.3 C
 0.5 D
 0.2 E
 0.1 All versions
  6. A
 0.1 C
 0.4 B
 0.3 D
 0.2 E
 0.1

    H
 0.6 G
 0.1 F
 0.1 L
 0.1 J
 0.2.6 K
 0.4 F
 0.2
  7. A
 0.1 C
 0.4 B
 0.3 D
 0.2 E
 0.1

    H
 0.6 G
 0.1 F
 0.1 L
 0.1 J
 0.2.6 K
 0.4 dependents F
 0.2
  8. A
 0.1 C
 0.4 B
 0.3 D
 0.2 E
 0.1

    H
 0.6 G
 0.1 F
 0.1 L
 0.1 J
 0.2.6 K
 0.4 dependents transitive dependents F
 0.2
  9. A
 0.1 C
 0.4 B
 0.3 D
 0.2 E
 0.1

    H
 0.6 G
 0.1 F
 0.1 L
 0.1 J
 0.2.6 K
 0.4 dependents transitive dependents dependencies F
 0.2
  10. A
 0.1 C
 0.4 B
 0.3 D
 0.2 E
 0.1

    H
 0.6 G
 0.1 F
 0.1 L
 0.1 J
 0.2.6 K
 0.4 dependents transitive dependents dependencies transitive dependencies F
 0.2
  11. Vulnerability Fraction of nodes affected by the removal of single

    package / version 2005 2007 2009 2011 2013 2015 0.000 0.002 0.004 0.006 0.008 0.010 0.012 0.014 9ulnerability rate ASSlicatiRn Pean J6 3ackaJe Pean J6 ASSlicatiRn Pean 5uby 3ackaJe Pean 5uby
  12. Targeted attacks Number of transitive dependents for the 5 most

    “vulnerable” packages > 450k > 300k inherits.js, erubis, rack string_decoder, sigmund, is_array
  13. Targeted attacks Number of transitive dependents for the 5 most

    “vulnerable” packages > 450k > 300k string_decoder, sigmund, is_array 30 LOCs! inherits.js, erubis, rack
  14. Targeted attacks Number of transitive dependents for the 5 most

    “vulnerable” packages > 450k > 300k string_decoder, sigmund, is_array Last Commit: 2012 inherits.js, erubis, rack
  15. What can developers do? • Understand the effect of including

    a dependency • For small, inherits.js-like packages just re-implement it • Actively monitor vulnerabilities in the transitive closure • More intelligent, integrated tools • Better governance of dependency management practices
  16. What can researchers do? • Better tools: • increase visibility

    of transitive includes • connect ecosystems to security advisories • dependency health and ecosystem stability ratings • Better analysis: understand which parts of the dependency code are actually used • A semantic versioning system that everybody agrees upon • Qualitative work: How developers approach dependency management? • Replicate in other ecosystems