Giasemi Seisa, Software Engineer, Endocode AG, Berlin


How would you present the project?

An intelligent package management.
FASTEN aims to help the developers, the software maintainers/providers, enterprises and users to have a better understanding of their software dependency management network. 

Everyday people are depending more and more on software.
It’s important to understand that almost all software is written on top of other software, which also depends on other software.
The need for a better understanding of what a certain project consists of and what are we linking to our code when we decide to use a library is undeniable.
In recent years, we have witnessed several spectacular ecosystem failures with severe implications on client programs, end-users and the further adoption of Open Source Software. Such well-known examples of ecosystem failures are the left-pad incident, the Equifax data breach etc.
With the FASTEN project, we aim to make software ecosystems more robust by making package management more intelligent.
People will be able to address the FASTEN knowledge base to find information regarding libraries or projects. This information includes:

Fine-grained, method-level, tracking of dependencies on top of existing dependency management networks for projects coming from known centralised repositories such as maven, pypi, git etc. This means that FASTEN will also track transitive dependencies. In other words, the user will be able to have a more concrete overview of the dependencies he will introduce into his code, should he use a specific library.   
Security issues that come with a specific library.
License compliance information about a library or a project as a whole
The library’s/project’s dependency risk profile.

The FASTEN project will be integrated into package managers such as maven and pypi.
Developers will have access to the FASTEN knowledge base by just using their package manager.
The outcome will be a more intelligent package manager. For instance, if a developer wants to update one of his/her dependencies, they will get notified by their package manager about the estimated update impact on their machine, about security vulnerabilities of this update and if they are actually using the piece of code where the vulnerability is spotted. They will get notified about security issues in their transitive dependencies and if an update is required.  

Individuals will also be able to have access to the FASTEN analysis findings by a web interface.

We will be able to answer questions such as:

“Am I linking against code featuring incompatible licenses into my project?”
“Am I violating anyone’s copyrights?”
“Can developers ensure the imported code contains no security holes?”
“Can I trust code I download from the Internet with my valuable data?
“How can I check if an updated dependency breaks my code?
“How can a library maintainer assess the (direct or transitive) impact of his/hers changes?”
 “How can a library maintainer deprecate features (e.g., remove functionality) without knowing who is using them?”
“What is the outgoing license of my project?”
“How can we know when a security issue discovered in a transitive dependency requires an update?”

What is your role in the project?

Endocode is focusing on,“Licensing and Compliance”. License compliance is part of the analysis phase on the FASTEN project. The analysis phase consists of detecting
i) security vulnerability propagation
ii) license compliance, and
iii) dependency risk profiles.
This phase runs after the generation of the fine-grained call graphs for a project and adds the new information it detects into the FASTEN knowledge base. 

Together with my team we are integrating our FOSS compliance tooling Quartermaster into FASTEN to detect licenses, authors, copyrights and license obligations for the projects scanned by the FASTEN server. To conclude to license compatibility and compliance from call graph information, specific statements about obligations and conditions are developed which formulate generic or custom rules. The users will also be able to define a set of generic and custom compliance rules or policies for their products.

Imagine you are developing a java maven project. By building your project with maven, a FASTEN call-graph of your project is created locally, with all the direct and transitive dependencies. Our role in the project is to inform the user about their software license compliance with passed/failed checks, warnings and errors. None of this information about your project will be distributed if you don’t wish so. 

What key innovation do you bring or help to develop?

The key difference from  other tools detecting license compliance is that Quartermaster is FOSS and generates a build graph for a project. When a project is being built, Quartermaster wraps the compiler and tracks the build process from the source code to the formation of the package. That way we identify which parts of a project and which dependencies are part of the package. Then, we can continue with the license detection for a package and the formation of rule-based internal queries, which will lead to the license compliance of the project.

A word about yourself and your organization

I am a software engineer at Endocode AG and the lead developer on the work package 4: “Licensing and Compliance” of the FASTEN project.

Endocode AG is an employee-owned, software engineering company from Berlin. We are engineers, consultants, trainers and active contributors within the Open Source Community. Our international team is actively contributing to the Open Source Community and we have partnered with organizations that improve our community and further our values. We use Open Source tooling and methods to build modern infrastructure set ups for our customers in DACH.