Building a Unified Call Graph at Ecosystem Level

Joseph Hejderup

Date: Wed, March 28, 2018
Time: 12:00
Room: HG.2.66 (Faculty of CEG)

A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories such as Maven or npm. Developers only need to declare dependencies on external libraries, and automated tools make them available in the project's workspace. Recent incidents, such as the Equifax data breach and the left-pad package removal, demonstrate the difficulty of assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adopted as a countermeasure, they only provide indicative information: a package that declares a dependency on a vulnerable library is flagged whether or not it ever calls the affected code.

In this talk, we present a more precise, yet scalable approach to build a Unified Call Graph (UCG) at the ecosystem level to remedy the imprecision of existing, dependency-based approaches. An ecosystem-wide call graph gives us a global, yet fine-grained perspective of which library functions are called from where within the ecosystem's dependency network. We demonstrate the feasibility of this general approach by applying it to the Rust library ecosystem and discuss the initial results and challenges of building call graphs for nearly 80,000 available library versions of the Rust ecosystem.
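To make the difference between the two approaches concrete, the following Rust program is an added example, not the speaker's tool or code. It models a toy ecosystem with a package-level dependency graph and a function-level call graph whose edges cross crate boundaries, then asks which crates a vulnerability in one library function affects under each approach. All crate names (parser, webapp, cli, dashboard, admin) and function names are constructed for the example.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

// A crate name and a function inside it. All names below are constructed.
type Crate = &'static str;
type Func = (Crate, &'static str);

// Toy ecosystem: package-level dependency edges plus a unified call graph
// whose edges may point from a function in one crate to a function in another.
struct Ecosystem {
    // crate -> crates it declares as dependencies (what a dependency checker sees)
    deps: HashMap<Crate, Vec<Crate>>,
    // caller -> callees at function level, across crate boundaries (the UCG)
    calls: HashMap<Func, Vec<Func>>,
    // crate -> functions that its users or its own binary invoke
    entry_points: HashMap<Crate, Vec<Func>>,
}

fn sample_ecosystem() -> Ecosystem {
    let mut deps = HashMap::new();
    deps.insert("parser", vec![]);
    deps.insert("webapp", vec!["parser"]);
    deps.insert("cli", vec!["parser"]);
    deps.insert("dashboard", vec!["webapp"]);
    deps.insert("admin", vec!["webapp"]);

    // Only parse_header is assumed vulnerable; parse_body shares a helper but is fine.
    let mut calls: HashMap<Func, Vec<Func>> = HashMap::new();
    calls.insert(("parser", "parse_header"), vec![("parser", "read_line")]);
    calls.insert(("parser", "parse_body"), vec![("parser", "read_line")]);
    calls.insert(("webapp", "render"), vec![("parser", "parse_body")]);
    calls.insert(("webapp", "import"), vec![("parser", "parse_header")]);
    calls.insert(("cli", "main"), vec![("parser", "parse_header")]);
    calls.insert(("dashboard", "main"), vec![("webapp", "render")]);
    calls.insert(("admin", "main"), vec![("webapp", "import")]);

    let mut entry_points = HashMap::new();
    entry_points.insert("parser", vec![("parser", "parse_header"), ("parser", "parse_body")]);
    entry_points.insert("webapp", vec![("webapp", "render"), ("webapp", "import")]);
    entry_points.insert("cli", vec![("cli", "main")]);
    entry_points.insert("dashboard", vec![("dashboard", "main")]);
    entry_points.insert("admin", vec![("admin", "main")]);

    Ecosystem { deps, calls, entry_points }
}

// Dependency-based check: does `from` transitively depend on crate `target`?
fn depends_on(eco: &Ecosystem, from: Crate, target: Crate) -> bool {
    let mut seen = HashSet::new();
    let mut queue = VecDeque::new();
    queue.push_back(from);
    while let Some(c) = queue.pop_front() {
        if !seen.insert(c) {
            continue;
        }
        if let Some(ds) = eco.deps.get(c) {
            for &d in ds {
                if d == target {
                    return true;
                }
                queue.push_back(d);
            }
        }
    }
    false
}

// Call-graph check: is the function `vuln` reachable from any entry point of
// `from` by following UCG edges, including edges into other crates?
fn reaches(eco: &Ecosystem, from: Crate, vuln: Func) -> bool {
    let mut seen: HashSet<Func> = HashSet::new();
    let mut queue: VecDeque<Func> = eco
        .entry_points
        .get(from)
        .cloned()
        .unwrap_or_default()
        .into_iter()
        .collect();
    while let Some(f) = queue.pop_front() {
        if f == vuln {
            return true;
        }
        if !seen.insert(f) {
            continue;
        }
        if let Some(callees) = eco.calls.get(&f) {
            queue.extend(callees.iter().copied());
        }
    }
    false
}

// Crates flagged by each approach for a vulnerable function, sorted for
// deterministic output; the vulnerable crate itself is excluded.
fn impact(eco: &Ecosystem, vuln: Func) -> (Vec<Crate>, Vec<Crate>) {
    let mut crates: Vec<Crate> = eco.deps.keys().copied().filter(|&c| c != vuln.0).collect();
    crates.sort();
    let by_deps: Vec<Crate> = crates.iter().copied().filter(|&c| depends_on(eco, c, vuln.0)).collect();
    let by_ucg: Vec<Crate> = crates.iter().copied().filter(|&c| reaches(eco, c, vuln)).collect();
    (by_deps, by_ucg)
}

fn main() {
    let eco = sample_ecosystem();
    let (by_deps, by_ucg) = impact(&eco, ("parser", "parse_header"));
    println!("dependency-based: {:?}", by_deps); // all four dependents
    println!("call-graph-based: {:?}", by_ucg); // dashboard is not flagged
}
```

The dependency-based check flags dashboard because it transitively depends on parser, even though the only path from its code into parser goes through webapp::render and parse_body. The call-graph check keeps the crates that actually have a path to parse_header (webapp through its import API, and the two applications that use that path) and drops dashboard, which is the kind of false positive an ecosystem-wide call graph is meant to eliminate.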
