FOSDEM 2021: OW2 unveils latest advances of FASTEN, a promising innovation adding intelligence to package management systems
How FASTEN’s breakthrough research addresses software dependency issues faced by millions of developers will be revealed in the Dependency Management Devroom organised by OW2.
Paris, February 1, 2021 - OW2, the international community dedicated to developing and promoting an open source code base, announces the presentation of the FASTEN research project on the OW2 virtual booth at FOSDEM, February 6-7, 2021, and in the Dependency Management Devroom, coordinated by OW2 and FASTEN, on the morning of Sunday, February 7th.
FASTEN develops an intelligent software package management framework that enhances robustness and security in software ecosystems by addressing the operational and compliance risks generated by dependencies. Today, most development teams still fail to adequately inventory their software dependencies, especially indirect dependencies. These continue to undermine security and account for the majority of vulnerabilities. A number of dependency analysis tools are available to open source developers and provide helpful support in detecting security and vulnerability issues, but these tools only track dependencies at the component level. FASTEN's analysis goes much further, down to the level of individual functions or methods, making it easier for developers to control and manage dependencies. FASTEN's core innovation is the creation of an ecosystem-wide Fine-Grained Call Graph (FGCG), leading to a more accurate evaluation of the impact of security vulnerabilities, license compliance, risk management, and the consequences of library API changes on users.
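As an added illustration (not FASTEN's code or data) of why method-level tracking changes the verdict, the following Python compares a package-level check with a call-graph reachability check over a constructed three-package call graph; the package, method and entry-point names are invented.

```python
from collections import deque

# Constructed sample (not FASTEN data): an ecosystem-wide call graph with
# "package:method" nodes and call edges. 'app' calls into 'libA' and 'libB';
# 'libA' also calls 'libB', but app never exercises the libA path to the flaw.
CALL_GRAPH = {
    "app:main": ["app:load_config", "libA:parse"],
    "app:load_config": ["libB:read_file"],
    "libA:parse": ["libA:tokenize"],
    "libA:tokenize": [],
    "libA:render": ["libB:eval_template"],  # libA API that app never calls
    "libB:read_file": [],
    "libB:eval_template": [],               # the (constructed) vulnerable method
}
VULNERABLE = {"libB:eval_template"}

def package_of(node):
    return node.split(":", 1)[0]

def reachable(graph, roots):
    """Breadth-first closure over the edges of any adjacency dict."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def package_graph(graph):
    """Collapse the call graph to package-level edges (what most tools see)."""
    pkgs = {}
    for caller, callees in graph.items():
        pkgs.setdefault(package_of(caller), set()).update(
            package_of(c) for c in callees if package_of(c) != package_of(caller))
    return pkgs

def component_level_findings(graph, entry_points, vulnerable):
    """Package-level verdict: a reachable package with a vulnerable method is
    flagged whether or not that method is ever called."""
    pkgs = reachable(package_graph(graph), {package_of(e) for e in entry_points})
    return sorted({package_of(v) for v in vulnerable if package_of(v) in pkgs})

def method_level_findings(graph, entry_points, vulnerable):
    """Call-graph verdict: only vulnerable methods actually reached count."""
    return sorted(vulnerable & reachable(graph, entry_points))

def callers_of(graph, method):
    """API-change impact: the methods that would break if `method` changed."""
    return sorted(c for c, callees in graph.items() if method in callees)
```

With this graph the package-level check flags libB for app, while the call-graph check reports nothing until app starts calling libA:render; callers_of shows which methods an API change to a library method would affect.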
The FASTEN presentation in the Dependency Management Devroom will highlight the main progress achieved after two years of intensive research.
Today’s FASTEN key achievements include the availability of Call Graph Generators for Java, C and Python. Documentation is available on GitHub; the research consortium is working on developing an MVP and a Beta-testing campaign to showcase the main capabilities of the platform and collect feedback from end-users.
In addition, the team is continuously working on integration with package managers such as PyPI and Maven. Developers will have access to the FASTEN knowledge base simply by using their package manager, and will be able to explore this knowledge base to find information about libraries or projects. For instance, when a developer wants to update a dependency, the package manager will communicate the estimated impact of this update on their project. The developer will also be notified about any security issue (e.g. when using the piece of code where the vulnerability is located; when a new issue arises in a transitive dependency; or when an update is required).
Presentations in the FOSDEM Dependency Management Devroom include:
• 10:00: FASTEN: Intelligent Package Management, Paolo Boldi, Milano University
• 10:45: DepClean: Automatically revealing bloated software dependencies in Maven projects, César Soto Valero, KTH University
• 11:30: Lost in Zero Space: Can we trust depending on packages with major version zero?, Tom Mens, University of Mons
• 12:15: Early warning signs for open source breakages: Using crowd feedback from dependency automation as an early warning indicator, Rhys Arkins, WhiteSource Software
• 12:45: As Strong as the Weakest Link: Securing the Software Supply Chain, Brendan O'Leary, GitLab
• 13:25: Reusing dependencies across ecosystems: what stands in the way?, Todd Gamblin, Lawrence Livermore National Laboratory
To join the FASTEN presentation at FOSDEM on February 7th at 10:00am, please visit https://fosdem.org/2021/schedule/track/dependency_management/.
FASTEN will also be presented on the OW2 virtual booth during both days of FOSDEM.
About OW2
OW2 is an independent community dedicated to promoting open source software and to fostering a vibrant community and business ecosystem. OW2 federates 100+ organizations and 6000+ IT professionals worldwide. OW2 hosts 100+ technology projects, including: ADR App, ASM, AuthzForce, CLIF, DocDoku, FusionDirectory, GLPI, JORAM, Knowage, LemonLDAP:NG, Lutece, OCS Inventory, Petals ESB, Prelude, ProActive, Rocket.Chat, SAT4J, SeedStack, Sympa, Telosys, Waarp, WebLab and XWiki.
About FASTEN project
The FASTEN project is developing an intelligent software package management system that will enhance robustness and security in software ecosystems. FASTEN addresses the operational and compliance risks associated with dependencies on networks of external open source software libraries. To solve these issues, FASTEN introduces fine-grained, method-level tracking of dependencies on top of existing dependency management networks. The project is developed by a consortium of seven partners and has received funding from the European Union's Horizon 2020 research and innovation programme. The project started in January 2019 and will run until December 2021.