Xiaoqiong Zhao,Shanping Li,Huan Yu,Ye Wang,Weiwei Qiu

DOI: https://doi.org/10.1587/transinf.2018edp7227

2019-01-01

IEICE Transactions on Information and Systems

Abstract:Background: The applying of third-party libraries is an integral part of many applications. But the libraries choosing is time-onsuming even for experienced developers. The automated recommendation system for libraries recommendation is widely researched to help developers to choose libraries. Aim: from software engineering aspect, our research aims to give developers a reliable recommended list of third-arty libraries at the early phase of software development lifecycle to help them build their development environment faster; and from technical aspect, our research aims to build a generalizable recommendation system framework which combines collaborative filtering and topic modeling techniques, in order to improve the performance of libraries recommendation significantly. Our works on this research: 1) we design a hybrid methodology to combine collaborative filtering and LDA text mining technology; 2) we build a recommendation system framework successfully based on the above hybrid methodology; 3) we make a well-designed experiment to validate the methodology and framework which use the data of 1,013 mobile application projects; 4) we do the evaluation for the result of the experiment. Conclusions: 1) hybrid methodology with collaborative filtering and LDA can improve the performance of libraries recommendation significantly; 2) based on the hybrid methodology, the framework works very well on the libraries recommendation for helping developers' libraries choosing. Further research is necessary to improve the performance of the libraries recommendation including: 1) use more accurate NLP technologies improve the correlation analysis; 2) try other similarity calculation methodology for collaborative filtering to rise the accuracy; 3) on this research, we just bring the time-series approach to the framework and make an experiment as comparative trial, the result shows that the performance improves continuously, so in further research we plan to use time-series data-mining as the basic methodology to update the framework.

Huiyan Wang,Shuguan Liu,Lingyu Zhang,Chang Xu

DOI: https://doi.org/10.1145/3611643.3616264

2023-01-01

Abstract:Python projects grow quickly by code reuse and building automation based on third-party libraries. However, the version constraints associated with these libraries are prone to mal-configuration, and this forms a major obstacle to correct project building (known as dependency-conflict (DC) building failure ). Our empirical findings suggest that such mal-configured version constraints were mainly prepared manually, and could essentially be refined for better quality to improve the chance of successful project building. We propose a LooCo approach to refining Python projects’ library version constraints by automatically loosening them to maximize their solutions, while keeping the libraries to observe their original behaviors. Our experimental results with real-life Python projects report that LooCo could efficiently refine library version constraints (0.4s per version loosening) by effective loosening (5.5 new versions expanded on average) automatically, and transform 54.8% originally unsolvable cases into solvable ones (i.e., successful building) and significantly increase solutions (21 more on average) for originally solvable cases.

Lyuye Zhang,Chengwei Liu,Sen Chen,Zhengzi Xu,Lingling Fan,Lida Zhao,Yiran Zhang,Yang Liu

2023-08-07

Abstract:Vulnerabilities from third-party libraries (TPLs) have been unveiled to threaten the Maven ecosystem. Despite patches being released promptly after vulnerabilities are disclosed, the libraries and applications in the community still use the vulnerable versions, which makes the vulnerabilities persistent in the Maven ecosystem (e.g., the notorious Log4Shell still greatly influences the Maven ecosystem nowadays from 2021). Both academic and industrial researchers have proposed user-oriented standards and solutions to address vulnerabilities, while such solutions fail to tackle the ecosystem-wide persistent vulnerabilities because it requires a collective effort from the community to timely adopt patches without introducing breaking issues. To seek an ecosystem-wide solution, we first carried out an empirical study to examine the prevalence of persistent vulnerabilities in the Maven ecosystem. Then, we identified affected libraries for alerts by implementing an algorithm monitoring downstream dependents of vulnerabilities based on an up-to-date dependency graph. Based on them, we further quantitatively revealed that patches blocked by upstream libraries caused the persistence of vulnerabilities. After reviewing the drawbacks of existing countermeasures, to address them, we proposed a solution for range restoration (Ranger) to automatically restore the compatible and secure version ranges of dependencies for downstream dependents. The automatic restoration requires no manual effort from the community, and the code-centric compatibility assurance ensures smooth upgrades to patched versions. Moreover, Ranger along with the ecosystem monitoring can timely alert developers of blocking libraries and suggest flexible version ranges to rapidly unblock patch versions. By evaluation, Ranger could restore 75.64% of ranges which automatically remediated 90.32% of vulnerable downstream projects.

Software Engineering,Cryptography and Security

Lyuye Zhang,Chengwei Liu,Zhengzi Xu,Sen Chen,Lingling Fan,Lida Zhao,Jiahui Wu,Yang Liu

DOI: https://doi.org/10.48550/arXiv.2301.08434

2023-01-20

Software Engineering

Abstract:With the increasing disclosure of vulnerabilities in open-source software, software composition analysis (SCA) has been widely applied to reveal third-party libraries and the associated vulnerabilities in software projects. Beyond the revelation, SCA tools adopt various remediation strategies to fix vulnerabilities, the quality of which varies substantially. However, ineffective remediation could induce side effects, such as compilation failures, which impede acceptance by users. According to our studies, existing SCA tools could not correctly handle the concerns of users regarding the compatibility of remediated projects. To this end, we propose Compatible Remediation of Third-party libraries (CORAL) for Maven projects to fix vulnerabilities without breaking the projects. The evaluation proved that CORAL not only fixed 87.56% of vulnerabilities which outperformed other tools (best 75.32%) and achieved a 98.67% successful compilation rate and a 92.96% successful unit test rate. Furthermore, we found that 78.45% of vulnerabilities in popular Maven projects could be fixed without breaking the compilation, and the rest of the vulnerabilities (21.55%) could either be fixed by upgrades that break the compilations or even be impossible to fix by upgrading.

Ying Wang,Bihuan Chen,Kaifeng Huang,Bowen Shi,Congying Xu,Xin Peng,Yijian Wu,Yang Liu

DOI: https://doi.org/10.1109/icsme46990.2020.00014

2020-01-01

Abstract:Third-party libraries play a key role in software development as they can relieve developers of the heavy burden of re-implementing common functionalities. However, third-party libraries and client projects evolve asynchronously. As a result, out-dated third-party libraries might be used in client projects while developers are not aware of the potential risk (e.g., security bug). Outdated third-party libraries may be updated in client projects in a delayed way, and developers may be less aware of the potential risk (e.g., API incompatibility) in updates. Developers of third-party libraries may be unaware of how their third-party libraries are used or updated in client projects. Therefore, a quantitative and holistic study on usages, updates and risks of third-party libraries in open-source projects can provide concrete evidences on these problems, and practical insights to improve the ecosystem. In this paper, we contribute such a study in Java ecosystem. In particular, we conduct a library usage analysis (e.g., usage intensity and outdatedness) and library update analysis (e.g., update intensity and delay) on 806 open-source projects and 13,565 third- party libraries. Then, we carry out a library risk analysis (e.g., usage risk and update risk) on 806 open-source projects and 544 security bugs. These analyses aim to quantify the usage and update practices and the potential risk of using and updating outdated third-party libraries with respect to security bugs from two holistic perspectives (i.e., open-source projects and third-party libraries). Our findings suggest practical implications to developers and researchers on problems and potential solutions in maintaining third-party libraries (e.g., smart alerting and automated updating of outdated third-party libraries). To indicate the usefulness of our findings, we design a smart alerting system for assisting developers to make confident decisions when updating third-party libraries. 33 and 24 open-source projects have confirmed and updated third-party libraries after receiving our alerts.

Kunal Taneja,Danny Dig,Tao Xie

DOI: https://doi.org/10.1145/1321631.1321688

2007-01-01

Abstract:Software developers often do not build software from scratch but reuse software libraries. In theory, the APIs of a library should be stable, but in practice they do change and thus require changes in software that reuses the library. Our previous study of five reusable components shows that more than 80% of these API changes are caused by refactorings. If these refactorings could be automatically detected, they could be used to automatically upgrade applications. In this paper, we present a technique and its supporting tool, RefacLib, to automatically detect refactorings in libraries. RefacLib uses syntactic analysis in the first phase to quickly detect refactoring candidates across two versions of a library. In the second phase, RefacLib uses various heuristics to refine the results. We used RefacLib to detect refactorings in five open source libraries and frameworks. The experiments show that RefacLib can process realistic code bases and detects refactorings with practical accuracy

Ying Wang,Bihuan Chen,Kaifeng Huang,Bowen Shi,Congying Xu,Xin Peng,Yang Liu,Yijian Wu

DOI: https://doi.org/10.48550/arxiv.2002.11028

2020-01-01

Abstract:Third-party libraries are a central building block to develop software systems. However, outdated third-party libraries are commonly used, and developers are usually less aware of the potential risks. Therefore, a quantitative and holistic study on usages, updates and risks of third-party libraries can provide practical insights to improve the ecosystem sustainably. In this paper, we conduct such a study in the Java ecosystem. Specifically, we conduct a library usage analysis (e.g., usage intensity and outdatedness) and a library update analysis (e.g., update intensity and delay) using 806 open-source projects. The two analyses aim to quantify usage and update practices holistically from the perspective of both open-source projects and third-party libraries. Then, we conduct a library risk analysis (e.g., potential risk and developer response) in terms of bugs with 15 popularly-used third-party libraries. This analysis aims to quantify the potential risk of using outdated libraries and the developer response to the risk. Our findings from the three analyses provide practical insights to developers and researchers on problems and potential solutions in maintaining third-party libraries (e.g., smart alerting and automated updating of outdated libraries). To demonstrate the usefulness of our findings, we propose a bug-driven alerting system for assisting developers to make confident decisions in updating third-party library versions. We have released our dataset to foster valuable applications and improve the ecosystem.

Lyuye Zhang,Chengwei Liu,Zhengzi Xu,Sen Chen,Lingling Fan,Bihuan Chen,Yang Liu

DOI: https://doi.org/10.1145/3551349.3556956

2022-01-01

Abstract:To enhance the compatibility in the version control of Java Third-party Libraries (TPLs), Maven adopts Semantic Versioning (SemVer) to standardize the underlying meaning of versions, but users could still confront abnormal execution and crash after upgrades even if compilation and linkage succeed. It is caused by semantic breaking (SemB) issues, such that APIs directly used by users have identical signatures but inconsistent semantics across upgrades. To strengthen compliance with SemVer rules, developers and users should be alerted of such issues. Unfortunately, it is challenging to detect them statically, because semantic changes in the internal methods of APIs are difficult to capture. Dynamic testing can confirmingly uncover some, but it is limited by inadequate coverage. To detect SemB issues over compatible upgrades (Patch and Minor) by SemVer rules, we conduct an empirical study on 180 SemB issues to understand the root causes, inspired by which, we propose SEMBID (Semantic Breaking Issue Detector) to statically detect such issues of TPLs for developers and users. Since APIs are directly used by users, SEMBID detects and reports SemB issues based on APIs. For a pair of APIs, SEMBID walks through the call chains originating from the API to locate breaking changes by measuring semantic diff. Then, SEMBID checks if the breaking changes can affect API's output along call chains. The evaluation showed SEMBID achieved 90.26% recall and 81.29% precision and outperformed other API checkers on SemB API detection. We also revealed SEMBID detected over 3 times more SemB APIs with better coverage than unit tests, the commonly used solution. Furthermore, we carried out an empirical study on 1, 629, 589 APIs from 546 version pairs of top Java libraries and found there were 2 similar to 4 times more SemB APIs than those with signature-based issues. Due to various version release strategies, 33.83% of Patch version pairs and 64.42% of Minor version pairs had at least one API affected by any breaking.

Tao Xie,Mithun Acharya,Suresh Thummalapenta,Kunal Taneja

DOI: https://doi.org/10.1109/IPDPS.2008.4536384

2008-01-01

Abstract:A software system interacts with third-party libraries through various APIs. Insufficient documentation and constant refactorings of third-party libraries make API library reuse difficult and error prone. Using these library APIs often needs to follow certain usage patterns. These patterns aid developers in addressing commonly faced programming problems such as what checks should precede or follow API calls, how to use a given set of APIs for a given task, or what API method sequence should be used to obtain one object from another. Ordering rules (specifications) also exist between APIs, and these rules govern the secure and robust operation of the system using these APIs. These patterns and rules may not be well documented by the API developers. Furthermore, usage patterns and specifications might change with library refactorings, requiring changes in the software that reuse the library. To address these issues, we develop novel techniques (and their supporting tools) based on mining source code, assisting developers in productively reusing third party libraries to build reliable and secure software.

Supatsara Wattanakriengkrai,Dong Wang,Raula Gaikovina Kula,Christoph Treude,Patanamon Thongtanunam,Takashi Ishio,Kenichi Matsumoto

DOI: https://doi.org/10.1109/tse.2022.3225197

IF: 7.4

2023-04-21

IEEE Transactions on Software Engineering

Abstract:The widespread adoption of third-party libraries for contemporary software development has led to the creation of large inter-dependency networks, where sustainability issues of a single library can have widespread network effects. Maintainers of these libraries are often overworked, relying on the contributions of volunteers to sustain these libraries. To understand these contributions, in this work, we leverage socio-technical techniques to introduce and formalise dependency-contribution congruence (DC congruence) at both ecosystem and library level, i.e., to understand the degree and origins of contributions congruent to dependency changes, analyze whether they contribute to library dormancy (i.e., a lack of activity), and investigate similarities between these congruent contributions compared to typical contributions. We conduct a large-scale empirical study to measure the DC congruence for the npm ecosystem using 1.7 million issues, 970 thousand pull requests (PRs), and over 5.3 million commits belonging to 107,242 npm libraries. We find that the most congruent contributions originate from contributors who can only submit (not commit) to both a client and a library. At the project level, we find that DC congruence shares an inverse relationship with the likelihood that a library becomes dormant. Specifically, a library is less likely to become dormant if the contributions are congruent with upgrading dependencies. Finally, by comparing the source code of contributions, we find statistical differences in the file path and added lines in the source code of congruent contributions when compared to typical contributions. Our work has implications to encourage dependency contributions, especially to support library maintainers in sustaining their projects.

engineering, electrical & electronic,computer science, software engineering

Huang Kaifeng,Chen Bihuan,Xu Congying,Wang Ying,Shi Bowen,Peng Xin,Wu Yijian,Liu Yang

DOI: https://doi.org/10.1007/s10664-022-10131-8

IF: 3.762

2022-01-01

Empirical Software Engineering

Abstract:Third-party libraries are a key building block in software development as they allow developers to reuse common functionalities instead of reinventing the wheel. However, third-party libraries and client projects are developed and continuously evolving in an asynchronous way. As a result, outdated third-party libraries might be commonly used in client projects, while developers are unaware of the potential risk (e.g., security bugs) in usages. Outdated third-party libraries might be updated in client projects in a delayed way, while developers are less aware of the potential risk (e.g., API incompatibilities) in updates. Developers of third-party libraries may be unaware of how their third-party libraries are used or updated in client projects. Therefore, a quantitative and holistic study on usages, updates and risks of third-party libraries in open-source projects can provide concrete evidence on these problems, and practical insights to improve the ecosystem sustainably. In this paper, we make the first contribution towards such a study in the Java ecosystem. First, using 806 open-source projects and 13,565 third-party libraries, we conduct a library usage analysis (e.g., usage intensity and usage outdatedness), followed by a library update analysis (e.g., update intensity and update delay). The two analyses aim to quantify usage and update practices from the two holistic perspectives of open-source projects and third-party libraries. Then, we carry out a library risk analysis (e.g., usage risk and update risk) on 806 open-source projects and 544 security bugs. This analysis aims to quantify the potential risk of using and updating outdated third-party libraries with respect to security bugs. Our findings suggest practical implications to developers and researchers on problems and potential solutions in maintaining third-party libraries (e.g., smart alerting and automated updating of outdated third-party libraries). To demonstrate the usefulness of our findings, we propose a security bug-driven alerting system, named LibSecurify , for assisting developers to make confident decisions by quantifying risks and effort when updating outdated third-party libraries. 33 open-source projects have confirmed the presence of security bugs after receiving our alerts, and 24 of those 33 have updated their third-party libraries. We have released our dataset to foster valuable applications and improve the Java third-party library ecosystem.

Xiufeng Xu,Chenguang Zhu,Yi Li

DOI: https://doi.org/10.48550/arXiv.2305.08671

2023-05-15

Software Engineering

Abstract:Modern software systems heavily rely on external libraries developed by third-parties to ensure efficient development. However, frequent library upgrades can lead to compatibility issues between the libraries and their client systems. In this paper, we introduce CompSuite, a dataset that includes 123 real-world Java client-library pairs where upgrading the library causes an incompatibility issue in the corresponding client. Each incompatibility issue in CompSuite is associated with a test case authored by the developers, which can be used to reproduce the issue. The dataset also provides a command-line interface that simplifies the execution and validation of each issue. With this infrastructure, users can perform an inspection of any incompatibility issue with the push of a button, or reproduce an issue step-by-step for a more detailed investigation. We make CompSuite publicly available to promote open science. We believe that various software analysis techniques, such as compatibility checking, debugging, and regression test selection, can benefit from CompSuite.

César Soto-Valero,Nicolas Harrand,Martin Monperrus,Benoit Baudry

DOI: https://doi.org/10.1007/s10664-020-09914-8

2020-01-22

Abstract:Build automation tools and package managers have a profound influence on software development. They facilitate the reuse of third-party libraries, support a clear separation between the application's code and its external dependencies, and automate several software development tasks. However, the wide adoption of these tools introduces new challenges related to dependency management. In this paper, we propose an original study of one such challenge: the emergence of bloated dependencies. Bloated dependencies are libraries that the build tool packages with the application's compiled code but that are actually not necessary to build and run the application. This phenomenon artificially grows the size of the built binary and increases maintenance effort. We propose a tool, called DepClean, to analyze the presence of bloated dependencies in Maven artifacts. We analyze 9,639 Java artifacts hosted on Maven Central, which include a total of 723,444 dependency relationships. Our key result is that 75.1% of the analyzed dependency relationships are bloated. In other words, it is feasible to reduce the number of dependencies of Maven artifacts up to 1/4 of its current count. We also perform a qualitative study with 30 notable open-source projects. Our results indicate that developers pay attention to their dependencies and are willing to remove bloated dependencies: 18/21 answered pull requests were accepted and merged by developers, removing 131 dependencies in total.

Software Engineering

Hao He,Yulin Xu,Xiao Cheng,Guangtai Liang,Minghui Zhou

DOI: https://doi.org/10.1109/ICSE-Companion52605.2021.00023

2021-01-01

Abstract:During software maintenance, developers may need to migrate an already in-use library to another library with similar functionalities. However, it is difficult to make the optimal migration decision with limited information, knowledge, or expertise. In this paper, we present MIGRATIONADVISOR, an evidence-based tool to recommend library migration targets through intelligent analysis upon a large number of GitHub repositories and Java libraries. The migration advisories are provided through a search engine style web service where developers can seek migration suggestions for a specific library. We conduct systematic evaluations on the correctness of results, and evaluate the usefulness of the tool by collecting usage feedback from industry developers. Video: https://youtu.be/4I75W22TqwQ.

Bowen Shen,Cihan Xiao,Na Meng,Fei He

DOI: https://doi.org/10.48550/arxiv.2102.11307

2021-01-01

Abstract: Developers create software branches for tentative feature addition and bug fixing, and periodically merge branches to release software with new features or repairing patches. When the program edits from different branches textually overlap (i.e., textual conflicts), or the co-application of those edits lead to compilation or runtime errors (i.e., compiling or dynamic conflicts), it is challenging and time-consuming for developers to eliminate merge conflicts. Prior studies examined %the popularity of merge conflicts and how conflicts were related to code smells or software development process; tools were built to find and solve conflicts. However, some fundamental research questions are still not comprehensively explored, including (1) how conflicts were introduced, (2) how developers manually resolved conflicts, and (3) what conflicts cannot be handled by current tools. For this paper, we took a hybrid approach that combines automatic detection with manual inspection to reveal 204 merge conflicts and their resolutions in 15 open-source repositories. %in the version history of 15 open-source projects. Our data analysis reveals three phenomena. First, compiling and dynamic conflicts are harder to detect, although current tools mainly focus on textual conflicts. Second, in the same merging context, developers usually resolved similar textual conflicts with similar strategies. Third, developers manually fixed most of the inspected compiling and dynamic conflicts by similarly editing the merged version as what they did for one of the branches. Our research reveals the challenges and opportunities for automatic detection and resolution of merge conflicts; it also sheds light on related areas like systematic program editing and change recommendation.

Stan Jarzabek,Shubiao Li

2005-01-01

Abstract:In a previous study, we analyzed similarity patterns in the Java Buffer library, JDK 1.5. We observed many similar classes, methods and yet smaller fragments - elements of class design. We argued that, given the design goals, it was difficult to avoid those repetitions with conventional design techniques. We also argued that the reasons why the problem arises and its symptoms are common. In this paper, we describe a possible solution to the problem: We apply a meta-level method of XVCL on top of Java code, to unify differences among similar buffer classes. In a meta-level Java-XVCL solution, we represent each of the important similarity patterns in a unique generic, but adaptable, form, along with information necessary to obtain its instances - specific classes or class methods. We believe such explication of similarity patterns reduces program complexity as perceived by developers. Non-redundancy achieved in that way also reduces the risk of update anomalies which helps in maintenance. As the meta-level solution does not come for free, we evaluate its strengths and weaknesses in quantitative and qualitative way, and also by conducting a controlled experiment. The presented method is based on synergistic use of a programming language (e.g., Java) and meta-level parameterization and manipulation supported by XVCL, to achieve a non-redundancy of the Java-XVCL meta-level solution. The idea of the solution and the method itself is general, can be applied to any program, independently of an application domain or a programming language. We believe some of the observations from this case study apply to other class libraries, as well as application programs. In the previous study (21)(22), we analyzed similarity patterns in the Java Buffer library, JDK 1.5. We observed many similar classes, methods and yet smaller fragments - elements of class design. We analyzed the reasons why similar structures were spreading through buffer classes, in many variant forms. We argued that, given the design goals, it was difficult to avoid those repetitions with conventional OO design techniques and generics. We also argued that the causes and symptoms of the problem were common.

César Soto-Valero,Amine Benelallam,Nicolas Harrand,Olivier Barais,Benoit Baudry,Cesar Soto-Valero

DOI: https://doi.org/10.1109/msr.2019.00059

2019-05-01

Abstract:Maven artifacts are immutable: an artifact that is uploaded on Maven Central cannot be removed nor modified. The only way for developers to upgrade their library is to release a new version. Consequently, Maven Central accumulates all the versions of all the libraries that are published there, and applications that declare a dependency towards a library can pick any version. In this work, we hypothesize that the immutability of Maven artifacts and the ability to choose any version naturally support the emergence of software diversity within Maven Central. We analyze 1,487,956 artifacts that represent all the versions of 73,653 libraries. We observe that more than 30% of libraries have multiple versions that are actively used by latest artifacts. In the case of popular libraries, more than 50% of their versions are used. We also observe that more than 17% of libraries have several versions that are significantly more used than the other versions. Our results indicate that the immutability of artifacts in Maven Central does support a sustained level of diversity among versions of libraries in the repository.

Nicolas Harrand,Thomas Durieux,David Broman,Benoit Baudry

DOI: https://doi.org/10.48550/arXiv.2111.03154

2021-11-04

Software Engineering

Abstract:Despite its obvious benefits, the increased adoption of package managers to automate the reuse of libraries has opened the door to a new class of hazards: supply chain attacks. By injecting malicious code in one library, an attacker may compromise all instances of all applications that depend on the library. To mitigate the impact of supply chain attacks, we propose the concept of Library Substitution Framework. This novel concept leverages one key observation: when an application depends on a library, it is very likely that there exists other libraries that provide similar features. The key objective of Library Substitution Framework is to enable the developers of an application to harness this diversity of libraries in their supply chain. The framework lets them generate a population of application variants, each depending on a different alternative library that provides similar functionalities. To investigate the relevance of this concept, we develop ARGO, a proof-of-concept implementation of this framework that harnesses the diversity of JSON suppliers. We study the feasibility of library substitution and its impact on a set of 368 clients. Our empirical results show that for 195 of the 368 java applications tested, we can substitute the original JSON library used by the client by at least 15 other JSON libraries without modifying the client's code. These results show the capacity of a Library Substitution Framework to diversify the supply chain of the client applications of the libraries it targets.

Chenguang Zhu,Mengshi Zhang,Xiuheng Wu,Xiufeng Xu,Yi Li

DOI: https://doi.org/10.1145/3582569

IF: 3.685

2023-02-01

ACM Transactions on Software Engineering and Methodology

Abstract:Modern software systems are complex and they heavily rely on external libraries developed by different teams and organizations. Such systems suffer from higher instability due to incompatibility issues caused by library upgrades. In this paper, we address the problem by investigating the impact of a library upgrade on the behaviors of its clients. We developed CompCheck , an automated upgrade compatibility checking framework which generates incompatibility-revealing tests based on previous examples. CompCheck first establishes an offline knowledge base of incompatibility issues by mining from open source projects and their upgrades. It then discovers incompatibilities for a specific client project, by searching for similar library usages in the knowledge base and generating tests to reveal the problems. We evaluated CompCheck on 202 call sites of 37 open-source projects and the results show that CompCheck successfully revealed incompatibility issues on 76 call sites, 72.7% and 94.9% more than two existing techniques, confirming CompCheck ’s applicability and effectiveness.

computer science, software engineering

Hao He,Runzhi He,Haiqiao Gu,Minghui Zhou

DOI: https://doi.org/10.1145/3468264.3468571

2021-01-01

Abstract:With the rise of open-source software and package hosting platforms, reusing 3rd-party libraries has become a common practice. Due to various failures during software evolution, a project may remove a used library and replace it with another library, which we call library migration. Despite substantial research on dependency management, the understanding of how and why library migrations occur is still lacking. Achieving this understanding may help practitioners optimize their library selection criteria, develop automated approaches to monitor dependencies, and provide migration suggestions for their libraries or software projects. In this paper, through a fine-grained commit-level analysis of 19,652 Java GitHub projects, we extract the largest migration dataset to-date (1,194 migration rules, 3,163 migration commits). We show that 8,065 (41.04%) projects having at least one library removal, 1,564 (7.96%, lower-bound) to 5,004 (25.46%, upper-bound) projects have at least one migration, and a median project with migrations has 2 to 4 migrations in total. We discover that library migrations are dominated by several domains (logging, JSON, testing and web service) presenting a long tail distribution. Also, migrations are highly unidirectional in that libraries are either mostly abandoned or mostly chosen in our project corpus. A thematic analysis on related commit messages, issues, and pull requests identifies 14 frequently mentioned migration reasons (e.g., lack of maintenance, usability, integration, etc), 7 of which are not discussed in previous work. Our findings can be operationalized into actionable insights for package hosting platforms, project maintainers, and library developers. We provide a replication package at https://doi.org/10.5281/zenodo.4816752.