Overall Concept

With the FASTEN project, we aim to make software ecosystems more robust by making package management more intelligent. The core idea that FASTEN relies upon is the creation of an ecosystem-wide Fine-Grained Call Graph (FGCG), at the function level. FASTEN will performs sophisticated analyses of i) security vulnerability propagation, ii) licensing compliance, and iii) dependency risk profiles. The result is a versioned, ecosystem-level call graph, that not only solves the issues identified above, but also both opens the doors to advanced applications and challenges the current state of the art in graph storage and processing. To facilitate adoption, FASTEN will bring those analyses to the hands of developers by integrating the analysis service to popular package managers, for the Java, C, and Python programming languages. 

FASTEN_Architecture.png

FASTEN Architecture Overview

Project Scientific and Technical Objectives

    

Development of fine-grained ecosystem analysis for C, Java and Python

https://www.fasten-project.eu/download/Collateral/FASTEN%20Roll-up%20poster/TOTEM-85x200-FASTEN_2019.jpg?width=200

QuestionMark.png

To ensure that FASTEN will be useful to the broadest audience possible, we will apply the FGCG technique on three of the most popular programming languages, Java, C and Python. Using those specific programming languages also serves the purpose of extending the FGCG technique on statically and dynamically compiled environments (the later being more permissive, makes them more difficult to analyze).

Development of method for ecosystem-wide change impact analysis

A common problem that library implementers have is that of breaking downstream applications due to changes in their own methods and interfaces. Using the FGCG, we can precisely identify the ecosystem-wide impact that any API change (direct and transitive) can have.

Development of method for security vulnerability propagation detection

A typical problem with ecosystems is the propagation of security vulnerabilities; when a library is infected, then potentially all upstream dependencies (transitively) are infected as well. While direct dependencies can immediately update to a safe version, indirect ones have to wait until the full chain in between has been updated. With FASTEN developers will be able to precisely analyze whether their applications are calling into vulnerable code and decide whether dependency updates are necessary; moreover, the ecosystem will be able to notify the developers of vulnerable applications in real-time, after a security issue has been disclosed.

Development of method for fine-grained compliance monitoring

A typical issue with commercial software depending on OSS libraries is license compliance. Current compliance solutions either examine software at the library level or involve human inspection. With FASTEN’s fine-grained approach, developers will be able to identify license compatibility constraints and violations at the file level, within their development environment. 

Development of method for dependency risk profiling

Depending on libraries not developed in-house is usually associated with risk, which mostly stems from the inability to control the quality of third-party software components. FASTEN will develop methods to quantify and propagate the risks associated with software components. This risk can consist of multiple components, including software maintainability and security. 

Development of a scalable analysis service

Analyzing whole ecosystems, especially as rich and varied as the Java and Python ones, is a non-trivial algorithmic and data processing problem. To make sure that developers can easily access those analyses, we will develop and host an open-access service that will allow both developers and Continuous Integration servers to rip the benefits of the FASTEN techniques. The service will monitor ecosystems and perform real-time analysis of updates to them, populating an openly accessible knowledge base. 

Integration of FASTEN in Java/Python package managers

FASTEN’s ecosystem analysis service will be publicly accessible, but this is only one part of the equation of developers using it. What is needed is integration into tools that developers use to manage their dependencies, i.e., package managers such as Maven and PyPi. After FASTEN, the package manager will automatically inform the developers of security warnings every time the developers use it; the developers will be able to ask their package manager to estimate the impact of an API change.

Validation through industrial use cases

The FASTEN platform as a whole will be evaluated on three industrial scale case studies, run by the project’s industrial partners. XWiki will use FASTEN as the basis for a new plug-in mechanism for their modular wiki software; Endocode will use FASTEN to improve the precision of their license compliance offering; SIG will integrate FASTEN to BetterCodeHub, their GitHub-connected code quality monitoring product. Visit FASTEN Use Cases page.