Open Access
Assessing the real impact of open-source components in software systems
Author(s) - Andy Molin, Andrei Mario Rivis, Radu Marinescu
Publication year - 2023
Publication title - IEEE Access
Language(s) - English
Resource type - Journals
ISSN - 2169-3536
DOI - 10.1109/access.2023.3322362
Subject(s) - aerospace, bioengineering, communication, networking and broadcast technologies, components, circuits, devices and systems, computing and processing, engineered materials, dielectrics and plasmas, engineering profession, fields, waves and electromagnetics, general topics for engineers, geoscience, nuclear engineering, photonics and electrooptics, power, energy and industry applications, robotics and control systems, signal processing and analysis, transportation
Open-source libraries form the backbone of modern software systems, making software composition analysis (SCA) a vital part of the software development cycle. Despite its importance, current SCA methods, primarily focusing on open-source component issues, lack comprehensive analysis of these components’ integration into the software system. This paper proposes an advanced SCA approach that simultaneously considers open-source component issues and their integration into a software system. We introduce a novel meta-model that links a library with its source code dependencies and enables a unified analysis, irrespective of the originating package manager or open-source repository. The proposed approach, instantiated through a code analysis tool and adapters for major package managers and repositories, was applied to over 200 popular GitHub projects. Results confirm that the impact of open-source component issues largely depends on their integration level in the software system, validating our assumption that effective risk management requires understanding of the open-source component use within the system. Our work, therefore, provides an enriched methodology for SCA.
