Measuring Dependency Freshness in Software Systems

Modern software systems often make use of third-party components to speed-up development and reduce maintenance costs. In return, developers need to update to new releases of these dependencies to avoid, for example, security and compatibility risks. In practice, prioritizing these updates is diffic...

Full description

Saved in:
Bibliographic Details
Main Authors: Cox, Joel, Bouwers, Eric, van Eekelen, Marko, Visser, Joost
Format: Conference Proceeding
Language:English
Subjects:
Context
Industries
Security
Software engineering
software maintenance
Software measurement
software metrics
Software systems
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Modern software systems often make use of third-party components to speed-up development and reduce maintenance costs. In return, developers need to update to new releases of these dependencies to avoid, for example, security and compatibility risks. In practice, prioritizing these updates is difficult because the use of outdated dependencies is often opaque. In this paper we aim to make this concept more transparent by introducing metrics to quantify the use of recent versions of dependencies, i.e. The system's "dependency freshness". We propose and investigate a system-level metric based on an industry benchmark. We validate the usefulness of the metric using interviews, analyze the variance of the metric through time, and investigate the relationship between outdated dependencies and security vulnerabilities. The results show that the measurements are considered useful, and that systems using outdated dependencies four times as likely to have security issues as opposed to systems that are up-to-date.
ISSN:0270-5257
1558-1225
DOI:10.1109/ICSE.2015.140