Thomas Mortagne, Lead developer, XWiki, Lyon



How would you present the project?

The software industry is relying more and more intensively on a lot of Open Source components, over which developers don't always have much control, or even much knowledge. While this is great in terms of innovation, it also comes with increasing security and maintenance costs.

The main benefit of FASTEN is to shed light on the sometimes very mysterious world that is now taking an important share of what makes your software, and to help you avoid traps like security vulnerabilities, poor quality of tool components you are critically relying on, potential license infringements and conflicting dependencies.

While this kind of tool is starting to be common, most of them suffer from both a high number of false positives and very light analysis. FASTEN proposes to drastically improve that with two key aspects: going deeper in the analysis of each dependency, and analyzing transitive dependencies and not only direct ones.

What is your role in the project?

XWiki SAS is the lead of Work Package 6, which is focusing on validating the work done by all the other work packages by implementing use cases relying on the various tools produced as part of the FASTEN project. As part of this Work Package, XWiki SAS is implementing several important use cases in the XWiki Open Source product:

  • make the build of the product safer by analyzing the dependencies
  • report risks identified in a running instance of XWiki
  • help the discoverability of features in not-yet-installed extensions

We are also in charge of bringing the power of FASTEN to the Maven ecosystem through a plugin which analyzes dependencies in search of potential risks (security vulnerabilities, binary incompatibilities, low quality metrics and license incompatibilities).

What key innovation do you bring or help to develop?

The XWiki Open Source project is a construct composed of many packages glued together by dependency relations. We know the Maven and Java ecosystems very well. We also have long experience with the concept of dependency resolution, through our build and through the advanced manager we implemented to manipulate the very rich set of XWiki extensions.

A word about yourself and your organization.

I'm a lead developer at XWiki SAS, which I joined in 2007, and I specifically work on the server side of the XWiki Open Source product. Among other things, I was in charge of implementing the XWiki extension manager, which allows installing any Maven artifact with its dependencies in a running XWiki instance.

XWiki SAS was created in 2004 by Ludovic Dubost, and it has 40 employees in France and Romania. It's an independent company, all its shareholders being employees or ex-employees. Moreover, its Open Source software has thousands of organizations using it, all over the world.