4280883
doi
10.5281/zenodo.4280883
oai:zenodo.org:4280883
Ana-Maria Oprescu
University of Amsterdam
Lodewijk Bergmans
Software Improvement Group
Miroslav Zivkovic
Software Improvement Group
Measuring the degree of library dependency
Nuria Bruch Tarrega
University of Amsterdam
info:eu-repo/semantics/openAccess
Creative Commons Attribution 4.0 International
https://creativecommons.org/licenses/by/4.0/legalcode
model dependency degree, transitive dependency, maven
<p>The usage of libraries, both commercial and open-source, provides the implementation of certain functionalities and is a widespread practice among developers. The usage of these libraries allows developers to avoid duplicating code by reusing it instead. However, when a developer uses a library in a software product, this creates a dependency. This dependency may result in transitive dependencies when the library depends on other libraries. The dependencies created when reusing a library can also carry problems — if a library has a security issue, it can be propagated to the software product, which depends on it, directly or indirectly. To deal with dependencies, developers can use package managers, which allow them to install and update the libraries they use. However, these package managers generally do a simple evaluation of the dependencies: either there is a dependency or not. Hence, a detailed evaluation of the dependencies is missing, which could help developers deal with vulnerabilities, breaking changes, and deprecated dependencies. In this thesis, we propose a model for software dependencies, which can help to provide a fine-grained evaluation of them. The model includes three types of metrics: coupling, coverage, and usage per class. For each metric in the model, we provide a formal definition and a theoretical validation by proving the metrics’ properties. We additionally implemented a proof-of-concept tool that, given a library from the Maven Central Repository, calculates the metrics of the model for each of the dependencies using bytecode analysis. Moreover, the proof-of-concept includes a visualization of the dependency tree, including the calculated metrics. Finally, we conducted experiments to validate the model, the implementation of the proof-of-concept, and the visualization. The experiments include interviews with 15 professional developers who evaluated the clarity and actionability of the model’s metrics and the proposed visualizations.</p>
Zenodo
2020-11-06
info:eu-repo/semantics/doctoralThesis
4280882
1605832028.263517
2175309
md5:2e356a877ac73e345cef79f8916dd06f
https://zenodo.org/records/4280883/files/MasterThesis_NuriaBruch.pdf
public
10.5281/zenodo.4280882
isVersionOf
doi