Assessing the Real Impact of Open-Source Components in Software Systems

Abstract

Open-source libraries form the backbone of modern software systems, making software composition analysis (SCA) a vital part of the software development cycle. Despite its importance, current SCA methods focus primarily on issues in the open-source components themselves and lack a comprehensive analysis of how these components are integrated into the software system. This paper proposes an advanced SCA approach that simultaneously considers open-source component issues and their integration into a software system. We introduce a novel meta-model that links a library with its source code dependencies and enables a unified analysis, irrespective of the originating package manager or open-source repository. The proposed approach, instantiated through a code analysis tool and adapters for major package managers and repositories, was applied to over 200 popular GitHub projects. Results confirm that the impact of open-source component issues largely depends on their level of integration in the software system, validating our assumption that effective risk management requires an understanding of how open-source components are used within the system. Our work, therefore, provides an enriched methodology for SCA.

Citation (APA)

Molin, A., Rivis, A. M., & Marinescu, R. (2023). Assessing the Real Impact of Open-Source Components in Software Systems. IEEE Access, 11, 111226–111237. https://doi.org/10.1109/ACCESS.2023.3322362