Study on Outdated Third-Party Code in Open Source Software

This empirical study explores the prevalence of outdated third-party code in open source projects, examining potential defects and how user projects manage such code. The research aims to enhance understanding of open source software reuse activities, evaluate software quality, and predict possible defects.

  • Open Source
  • Software
  • Code Reuse
  • Defects
  • Research




Presentation Transcript


  1. An Empirical Study of Out-dated Third-party Code in Open Source Software. Pei Xia, Inoue Lab, 2013/02/12. Department of Computer Science, Graduate School of Information Science & Technology, Osaka University.

  2. Third-party Code in OSS. Developers reuse 3rd-party code from existing open source projects [1].
     [Figure: third-party projects such as libxml2, libpng, openssl, zlib and libjpeg, each reused by several user projects.]
     [1] S. Haefliger, G. Krogh, S. Spaeth. Code Reuse in Open Source Software. Management Science, Vol. 54, No. 1, Jan. 2008.

  3. Out-dated Third-Party Code: third-party code of an older version that contains known defects, such as software vulnerabilities, which should be fixed by upgrading to a newer version. There is no existing research on this problem.
     [Figure: timeline of a 3rd-party project's releases v1.0, v1.1, v1.2, v2.0, v2.1, with bugs reported against the older releases that user projects still reuse.]

  4. Research Questions
     • What is the proportion of out-dated 3rd-party code reused in open source software?
     • What are the potential defects caused by such reuse?
     • How do user projects manage that out-dated 3rd-party code?
     Answering these is helpful in understanding OSS reuse activities, evaluating the quality of OSS and predicting some of the potential defects.

  5. Study Approach Overview
     1. Defects information collection
     2. Projects searching
     3. Version identifying
     4. Management information collection
     [Figure: the four steps laid over the release timeline (v1.0 to v2.1) of a 3rd-party project and its bug reports.]

  6. Step 1: Defects Information Collection. Sources: home page announcements of the 3rd-party project, and the National Vulnerability Database [2], the U.S. Government repository of standards-based vulnerability management data.
     [2] National Vulnerability Database, http://nvd.nist.gov/

  7. Step 2: Projects Searching. User projects containing the 3rd-party code are found with OpenCCFinder [3].
     [3] P. Xia, Y. Manabe, N. Yoshida, and K. Inoue. Development of a code clone search tool for open source repositories. Technical report, IPSJ SIG Technical Reports, Vol. 2011-SE-174, No. 2, pp. 1-8, 2011.

  8. Step 3: Version Identifying. Every source file of every release of the 3rd-party project is tokenized (comments and whitespace dropped, identifiers and literals replaced by $) and the tokenized file is hashed. For example:
        // some comment
        public static void main(){ int a=0; a=a+1; }
     is tokenized to
        publicstaticvoid$(){int$=$;$=$+$;}
     and then hashed. The hashes of the files found in a user project are matched against the per-release hash sets to decide which release was reused.
     [Figure: the release timeline v1.0, v1.1, v1.2, v2.0, v2.1 of the third-party project (latest version v2.1); the copied files in user project 1 match release v1.1 and those in user project 2 match release v2.0.]

  9. Step 4: Management Information Collection. Questions on the reused 3rd-party code: Modified or copy&paste? Keep updating? Well managed? Answered by manual investigation of the directory structure and file names, the repository commit history, readme.txt and changelog.txt.

  10. Case Study Subjects
      Project name | Domain           | Project history
      zlib         | Data compression | 1995-current
      libcurl      | File transfer    | 1999-current
      libpng       | Graphics         | 1995-current

  11. Case Study Result (1/5): What is the proportion of out-dated 3rd-party code reused in open source software?
      [Bar charts: number of user projects using each reused version of the 3rd-party code, for zlib (45 projects, versions v1.1.3 to v1.2.7), libcurl (28 projects) and libpng (50 projects, versions v1.0.11 to v1.5.13). Legend: no defects reported / vulnerabilities reported / warning from homepage.]

  12. Case Study Result (2/5): What is the proportion of out-dated 3rd-party code reused in open source software?
      Project | # investigated projects | # projects containing out-dated 3rd-party code | Out-dated code percentage
      zlib    |  45 | 14 | 31.11%
      libcurl |  28 | 24 | 85.71%
      libpng  |  50 | 46 | 92.00%
      total   | 123 | 84 | 68.30%

  13. Case Study Result (3/5): What are the potential defects caused by such reuse?
      zlib version   | Reported defects
      v1.1.3         | CVE-2002-0059, VU#368819, CA-2002-07
      v1.1.4         | CVE-2003-0107, VU#142121
      v1.2.1, v1.2.2 | CVE-2004-0797, VU#238687
      v1.2.1, v1.2.2 | CVE-2005-2096, VU#680620
      v1.2.2         | CVE-2005-1849
      v1.2.4         | Bug fixed; update suggestion from project homepage
      Example, CVE-2005-1849: inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.

  14. Case Study Result (4/5): How do user projects manage that out-dated 3rd-party code?
      Whether well managed: no update 68%, keep updating 15%, reverted 1%, other 16%.
      Version information of the reused code: have version info 72%, no version info 28%.

  15. Case Study Result (5/5): How do user projects manage that out-dated 3rd-party code?
      • 96 (78.0%) of the user projects reused the third-party code by copy and paste.
      • 6 (4.9%) of the user projects changed directory names or mixed the third-party code with other code.

  16. Conclusion. In this study, 68.3% of the investigated open source projects reuse out-dated third-party code that contains critical defects. More than half of the open source projects did not manage the third-party code well.

  17. Future Work: develop a 3rd-party code management system covering version identifying, defect prediction and automatic updating.

  18. Q&A
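The version-identifying step (Step 3 above) as a worked example: tokenize each file, hash the tokenized form, and match a user project's file hashes against the hash set of every release. This is added example code, not OpenCCFinder or the study's tooling; the keyword list, the SHA-1 hash, the three releases and the two user projects are all constructed for the demo. It goes slightly beyond the slide by reporting every release that ties for the best match, which is what happens when a copied file is unchanged between releases.

```python
import hashlib
import re

# Java-like language model for the demo (assumption): keywords survive, every other identifier and literal becomes '$'.
KEYWORDS = {"public", "static", "void", "int", "return", "if", "else", "for", "while"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|\S")

def tokenize(source: str) -> str:
    """Strip comments and whitespace, keep keywords and punctuation, mask the rest with '$'."""
    source = re.sub(r"/\*.*?\*/", " ", source, flags=re.S)   # block comments
    source = re.sub(r"//[^\n]*", " ", source)                # line comments
    out = []
    for tok in TOKEN_RE.findall(source):
        if tok in KEYWORDS or not (tok[0].isalnum() or tok[0] == "_"):
            out.append(tok)          # keyword or punctuation is kept verbatim
        else:
            out.append("$")          # identifier or literal is masked
    return "".join(out)

def file_hash(source: str) -> str:
    """Hash of the normalised file: renaming variables or reformatting does not change it."""
    return hashlib.sha1(tokenize(source).encode()).hexdigest()

def index_versions(versions: dict) -> dict:
    """Release name -> set of hashes of that release's files."""
    return {v: {file_hash(s) for s in files.values()} for v, files in versions.items()}

def identify_version(user_files: dict, version_index: dict):
    """Return (matched fraction, [best-matching releases]). More than one candidate
    means the copied files cannot distinguish those releases (e.g. a file that is
    unchanged between them), so the version needs a manual check."""
    user_hashes = {file_hash(s) for s in user_files.values()}
    if not user_hashes:
        raise ValueError("no files to identify")
    scores = {v: len(user_hashes & h) / len(user_hashes) for v, h in version_index.items()}
    best = max(scores.values())
    return best, [v for v, s in scores.items() if s == best]

# Constructed sample data (not the study's subjects): three releases, oldest first.
THIRD_PARTY = {
    "v1.0": {"a.java": "// some comment\npublic static void main(){ int a=0; a=a+1; }", "b.java": "int f(int x){ return x*2; }"},
    "v1.1": {"a.java": "public static void main(){ int a=0; a=a+1; a=a*2; }", "b.java": "int f(int x){ return x*2; }"},
    "v2.0": {"a.java": "public static void main(){ int a=0; a=a+1; a=a*2; }", "b.java": "int f(int x){ if (x<0) return 0; return x*3; }"},
}
# Two constructed user projects: a renamed and reformatted copy of v1.0, and a copy of one file only.
USER_PROJECT_1 = {"main.java": "/* vendored */ public static void main() { int count = 0; count = count + 1; }",
                  "util.java": "int double_it(int n){ return n*2; }"}
USER_PROJECT_2 = {"util.c": "int g(int y){ return y*2; }"}
```

For USER_PROJECT_1 the match is unambiguous (v1.0); for USER_PROJECT_2 both v1.0 and v1.1 tie, which is exactly the case that sends the study to manual investigation of readme and changelog files in Step 4.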
