Slide 1

Measuring dependency freshness in software systems
Joël Cox, Eric Bouwers, Marko van Eekelen and Joost Visser

Slide 2

Outline
• Introduction
• Dependency freshness at the component-level
• Dependency freshness at the system-level
• Validation
• Conclusion

Slide 3

What is dependency freshness?
• Dependency: a third-party (Java) software component a system depends on
• Freshness: the version of a dependency actually used vs. its ideal version (in this work, the newest available release)

Slide 4

Why is dependency freshness relevant?
• Security
• Flexibility
• Stability
• Compatibility

Why is dependency freshness hard?
• Big testing efforts
• Different priorities
• Implicit dependencies

Slide 5

Ultimately, updating a dependency is a trade-off between risk and effort

Slide 6

Research context

Slide 7

Research questions
• RQ1 How can we measure the dependency freshness of a single dependency?
• RQ2 How can we measure the dependency freshness of a system as a whole?
• Goal: to quantify the dependency freshness of a given software system from the point of view of external quality evaluators

Slide 8

Dependency freshness at the component-level

Slide 9

Dependencies

Slide 10

Dependency freshness
(Figure, built up over slides 10–13: a system s at times t, t + 1 and t + 2 "depends on" versions of dependencies d1 and d2; successive versions of each dependency are linked by "succeeded by" edges.)

Slide 14

What makes a good metric given our research context?
• Technology independent
• Ease of implementation
• Simple to understand
• Enable root-cause analysis

Slide 15

1. Version sequence number
Example: Release 1 → Release 2 → Release 3; a system using Release 1 while Release 3 is the newest is 2 releases behind.

Slide 16

2. Version release date
Example: releases dated 10/03/2014, 02/04/2014 and 30/06/1992 (dates as extracted); distance between the used and the newest release: 113 days.

Slide 17

3. Version number delta
Example: 1.2.0 → 1.2.1 → 1.3.0; a system using 1.2.0 has delta (0, 1, 1): 0 major, 1 minor and 1 patch release behind.

Slide 18

Metric overview

Criterion                    Version sequence number   Version release date   Version number delta
Technology independent       +                         +                      -
Ease of implementation       +                         +                      +
Simple to understand         +                         +                      -
Enable root-cause analysis   +                         +                      +
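The three component-level metrics from slides 15–17, implemented over one dependency's release history. This is an added example written for this page, not tooling from the study or from the authors; the release history is constructed (the version numbers follow the slide's example, the dates are made up), and versions are assumed to be "major.minor.patch" with any "-qualifier" ignored.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    version: str    # "major.minor.patch"
    released: date  # publication date of this release


# Constructed sample release history for one hypothetical dependency; the
# versions mirror the slide's example, the dates are made up for this example.
SAMPLE_HISTORY = [
    Release("1.2.0", date(2014, 3, 10)),
    Release("1.2.1", date(2014, 4, 2)),
    Release("1.3.0", date(2014, 7, 1)),
]


def parse_version(v: str) -> tuple[int, int, int]:
    """Split 'major.minor.patch' into integers; missing parts count as 0.

    Assumption: any qualifier after '-' (e.g. '1.3.0-SNAPSHOT') is ignored.
    """
    parts = [int(p) for p in v.split("-", 1)[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def _ordered(history: list[Release]) -> list[Release]:
    """Oldest to newest by version number (assumed to equal release order)."""
    return sorted(history, key=lambda r: parse_version(r.version))


def _position(ordered: list[Release], used: str) -> int:
    """Index of the used version; an unknown version is an error, not 'fresh'."""
    for i, r in enumerate(ordered):
        if r.version == used:
            return i
    raise ValueError(f"used version {used!r} is not in the release history")


def sequence_distance(history: list[Release], used: str) -> int:
    """Metric 1: number of releases published after the used one."""
    ordered = _ordered(history)
    return len(ordered) - 1 - _position(ordered, used)


def release_date_distance(history: list[Release], used: str) -> int:
    """Metric 2: days between the used release and the newest release."""
    ordered = _ordered(history)
    used_release = ordered[_position(ordered, used)]
    return (ordered[-1].released - used_release.released).days


def version_number_delta(history: list[Release], used: str) -> tuple[int, int, int]:
    """Metric 3: (major, minor, patch) releases between used and newest.

    Each successor release is credited to the most significant position in
    which its number changed, so 1.2.0 -> 1.2.1 -> 1.3.0 yields (0, 1, 1).
    """
    ordered = _ordered(history)
    start = _position(ordered, used)
    delta = [0, 0, 0]
    for prev, cur in zip(ordered[start:-1], ordered[start + 1:]):
        a, b = parse_version(prev.version), parse_version(cur.version)
        for pos in range(3):
            if a[pos] != b[pos]:
                delta[pos] += 1
                break
    return (delta[0], delta[1], delta[2])


def freshness(history: list[Release], used: str) -> dict:
    """All three component-level measurements for one dependency."""
    return {
        "sequence": sequence_distance(history, used),
        "days": release_date_distance(history, used),
        "delta": version_number_delta(history, used),
    }


if __name__ == "__main__":
    for used in ("1.2.0", "1.2.1", "1.3.0"):
        print(used, freshness(SAMPLE_HISTORY, used))
```

Ordering by version number is the simplifying assumption to watch: a maintenance release on an old branch (say 1.2.2 published after 1.3.0) would be sorted before 1.3.0 and counted as a step the system still has to take, which is exactly the situation where the release-date metric and the sequence metric start to disagree.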

Slide 19

Datasets
(Pipeline figure: industry systems repository → used dependencies; Maven components repository → available dependencies; tooling → rating and thresholds.)
• 75 systems from 30 clients
• 3107 dependencies, 8718 versions
• 23431 additional dependencies
• 75% release date hit rate

Slide 20

Dependency freshness in practice
(Two histograms: frequency of freshness measured by release date distance, x-axis 0–3000 days, y-axis 0–600; and frequency of freshness measured by release sequence distance, x-axis 0–120 releases, y-axis 0–1200.)

Slide 21

Dependency freshness at the system-level

Slide 22

• What is good dependency management? Normative vs. descriptive
• Use a benchmark approach to compare systems

Slide 23

Defining a system-level measurement
Component-level measurements {6, 21, 8, 11, 7, 31, 17, 3} → Risk profile → Star rating
Alves et al. Deriving metric thresholds from benchmark data. ICSM 2010
Alves et al. Benchmark-based aggregation of metrics to ratings. IWSM-MENSURA 2011
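The two-step aggregation sketched on this slide, component-level measurements → risk profile → star rating, carried through on the slide's own set of eight measurements. This is an added example, not the study's tooling: the category boundaries and the per-star limits below are hypothetical placeholders chosen for illustration (the study derived its thresholds from benchmark data, per the Alves et al. papers, and those values are not on the slides), the measurements are interpreted as release sequence distances (an assumption), and the rating is a discrete star count rather than the interpolated ratings such as 5.053 shown later in the deck.

```python
from __future__ import annotations

# Component-level measurements taken from the slide, read here as
# release sequence distances (one value per dependency of one system).
SLIDE_MEASUREMENTS = [6, 21, 8, 11, 7, 31, 17, 3]

CATEGORIES = ("low", "moderate", "high", "very_high")

# HYPOTHETICAL category boundaries: a measurement >= bound falls in that
# category (or a worse one). Real thresholds come from benchmark data.
CATEGORY_LOWER_BOUNDS = {"moderate": 10, "high": 20, "very_high": 30}

# HYPOTHETICAL rating thresholds: the maximum share (percent) of a system's
# dependencies allowed in "moderate or worse", "high or worse" and
# "very_high" for each star level. A system earning no row gets 1 star.
RATING_THRESHOLDS = {
    5: (20.0, 10.0, 0.0),
    4: (40.0, 20.0, 5.0),
    3: (60.0, 40.0, 15.0),
    2: (80.0, 60.0, 30.0),
}


def categorize(value: int) -> str:
    """Map one component-level measurement to a risk category."""
    category = "low"
    for name in ("moderate", "high", "very_high"):
        if value >= CATEGORY_LOWER_BOUNDS[name]:
            category = name
    return category


def risk_profile(measurements: list[int]) -> dict[str, float]:
    """Share of dependencies in each risk category, in percent."""
    if not measurements:
        raise ValueError("no dependencies measured; cannot build a risk profile")
    counts = {c: 0 for c in CATEGORIES}
    for value in measurements:
        counts[categorize(value)] += 1
    total = len(measurements)
    return {c: 100.0 * counts[c] / total for c in CATEGORIES}


def cumulative_risk(profile: dict[str, float]) -> tuple[float, float, float]:
    """Shares in ('moderate or worse', 'high or worse', 'very_high')."""
    very_high = profile["very_high"]
    high_plus = very_high + profile["high"]
    moderate_plus = high_plus + profile["moderate"]
    return (moderate_plus, high_plus, very_high)


def star_rating(measurements: list[int]) -> int:
    """Highest star level whose three limits the system's profile stays within."""
    actual = cumulative_risk(risk_profile(measurements))
    for stars in (5, 4, 3, 2):
        limits = RATING_THRESHOLDS[stars]
        if all(a <= limit for a, limit in zip(actual, limits)):
            return stars
    return 1


if __name__ == "__main__":
    profile = risk_profile(SLIDE_MEASUREMENTS)
    print("risk profile:", profile)
    print("cumulative:", cumulative_risk(profile))
    print("stars:", star_rating(SLIDE_MEASUREMENTS))
```

With these placeholder thresholds the slide's system lands at 3 stars: half of its dependencies are low risk, but one dependency 31 releases behind puts 12.5% in the worst category, which is more than the 4-star row allows. The same mechanism is why a small system with a single badly outdated dependency can drop to 1 star, which is the kind of result the practitioners in the interview study would want to trace back to that one dependency.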

Slide 24

Validation

Slide 25

Three different studies
1. Reported security vulnerabilities in dependencies
2. Interviews with practitioners
3. Longitudinal analysis

Slide 26

1. Reported security vulnerabilities
(Two plots: number of dependencies with a reported vulnerability (0–4) against dependency freshness rating (1–5); and density of dependency freshness ratings (1–5) for systems with and without a vulnerable dependency, legend "Vulnerable: FALSE / TRUE".)

Slide 27

2. Interviews
Qualitative results
• High usefulness: all interviewees considered the metric useful when assessing systems
• High reliability: all interviewees were able to predict the rating within ±1 star
• High actionability: most interviewees would follow up on the results with clients

Metric ranking (rank assigned by each of the five interview subjects)
System   Rating   Rank   Subject 1   Subject 2   Subject 3   Subject 4   Subject 5
1108     5.053    5      5           5           5           5           5
1994     4.105    4      4           2           4           4           4
850      3.248    3      3           3           3           3           3
362      2.188    2      2           4           2           2           2
181      1.427    1      1           1           1           1           1

Slide 28

3. Longitudinal analysis
(Plot, built up in four steps over slides 28–31: dependency freshness rating (1–5) on the y-axis against time (2010–2014) on the x-axis.)

Slide 32

Summary
• Serves as an indicator for security
• Metric is considered useful in practice
• Allows for monitoring through time

Slide 33

Conclusion

Slide 34

Contributions
• Component-level metric for dependency freshness
• Analysis of dependency freshness on industry systems
• System-level metric for dependency freshness that can help stakeholders make decisions about dependency management
• Validated for usefulness, reliability and its relation to security

Slide 35

In practice
• Inspect systems on a case-by-case basis
• Monitor systems over time
• Remediate underperforming systems

Slide 36

Thank you! [email protected] @joelcox