DOI: 10.1145/3546932.3547000 (ACM conference proceedings, research article)

Open source software: an approach to controlling usage and risk in application ecosystems

Published: 12 September 2022

Abstract

The Open Source Software movement has been growing exponentially for a number of years with no signs of slowing. Driving this growth is the widespread availability of libraries and frameworks that provide many functionalities. Developers save time and money by incorporating this functionality into their applications, resulting in faster, more feature-rich releases. Despite the growing success and the advantages that open source software provides, there is a dark side. Due to its community construction and largely unregulated distribution, the majority of open source software contains bugs, vulnerabilities and other issues, making it highly susceptible to exploits. The general lack of oversight hinders the quality of this software, with a trickle-down effect on the applications that use it. Additionally, developers who use open source tend to download the software into their build systems arbitrarily but rarely keep track of what they have downloaded, resulting in an excessive amount of open source software in their applications and in their ecosystem. This paper discusses processes and practices that users of open source software can implement in their environments to safely track and control the introduction and usage of open source software in their applications, and reports on some preliminary results obtained in an industrial context. We conclude by discussing governance issues related to the disciplined use and reuse of open source and areas for further improvement.

Cited By

  • Maven Unzipped: Exploring the Impact of Library Packaging on the Ecosystem. 2024 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 50-62. DOI: 10.1109/ICSME58944.2024.00016. Online publication date: 6 Oct 2024.
  • Why Johnny Can't Use Secure Docker Images: Investigating the Usability Challenges in Using Docker Image Vulnerability Scanners through Heuristic Evaluation. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 669-685. DOI: 10.1145/3607199.3607244. Online publication date: 16 Oct 2023.
  • Where to Go Now? Finding Alternatives for Declining Packages in the npm Ecosystem. Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering, pp. 1628-1639. DOI: 10.1109/ASE56229.2023.00119. Online publication date: 11 Nov 2023.

    Published In

    SPLC '22: Proceedings of the 26th ACM International Systems and Software Product Line Conference - Volume A
    September 2022, 266 pages
    ISBN: 9781450394437
    DOI: 10.1145/3546932

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. DevSecOps
    2. NPM
    3. dependencies
    4. maven
    5. open source software

    Qualifiers

    • Research article

    Funding Sources

    • Natural Sciences and Engineering Research Council of Canada

    Conference

    SPLC '22

    Acceptance Rates

    SPLC '22 paper acceptance rate: 14 of 41 submissions, 34%
    Overall acceptance rate: 167 of 463 submissions, 36%
