Analysing the effectiveness of fine-grained dependency analysis to convince developers of updating their dependencies
C.P.H. Cosse (TU Delft - Electrical Engineering, Mathematics and Computer Science)
M. Keshani – Mentor (TU Delft - Software Engineering)
A. Katsifodimos – Graduation committee member (TU Delft - Web Information Systems)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Dependency maintenance is a critically important part of software development, as vulnerabilities and exploits are constantly being discovered. Unfortunately, it is extremely tedious for developers to manually keep track of these vulnerability discoveries and update their dependencies accordingly. Dependency maintenance tools such as Dependabot and WhiteSource make this job easier for developers, but many developers still never update their dependencies, even when notified by these tools. This research paper therefore aims to find out whether giving developers more information about how a vulnerability affects their own code makes them more inclined to update their dependencies. The research found that developers do not seem to care much about extra information on vulnerabilities, and that, on the whole, a different approach may be required to educate developers on the critical importance of dependency maintenance.