FASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent

•

0 likes•24 views

Fasten Project

The FASTEN project was presented for the third time at FOSDEM, on February 4-5, 2022, online, by Amir Mir from TUDelft.

Technology

FASTEN
Making Dependency Management Intelligent
Amir M. Mir (TU Delft)
@amir_mir93
s.a.m.mir@tudelft.nl

Open Source Software (OSS)
● Open-source libraries as a building block for creating new software

Package Dependency Networks (PDNs)
● Version constraints make these networks more complicated

Recent Failures with PDNs
● Leftpad in 2016
● Equifax data breach in 2017
● Log4j in 2021

Issues with PDNs
● The update problem
● The compliance problem
● The deprecation problem
● The lack of incentive problem

Existing Solutions to the Issues of PDNs
● Services like GitHub, Dependabot
● Problems:
○ No support for assessing updates
○ No help with impact assessment
○ False positives

The Root Cause
Current Solutions
Call Dependency
Networks (CDNs)

The FASTEN Project
● Fine-Grained Analysis of Software Ecosystems as Network
● Aims at solving the issues of PDNs by making package management robust and
intelligent
● A centralized service to host the graphs and serve the analyses

The FASTEN Solution
● More precise license compliance
○ Am I linking to GPL code?
● More precise risk profiling
○ Does this vulnerability affect my package?
● More precise change impact analysis
○ How many packages will I break if I change this function?
○ Can I safely update the dependencies of my package?
● Integration with package managers

Overview of the FASTEN Architecture
Data streams
Package repositories
Vulnerability information
FASTEN server
Call graph generators
Analysis layer
Security Change impact
Compliance Quality and Risk
Storage layer
REST
API
Web
UI
Continuous
Integration
servers

Examples of FASTEN Workflow
Update with confidence
Before FASTEN After FASTEN

Examples of FASTEN Workflow
Deciding to use a library
Before FASTEN After FASTEN

Questions?
https://www.fasten-project.eu/
https://github.com/fasten-project
https://twitter.com/fastenproject
The FASTEN project has received funding from the European Union’s Horizon 2020 research
and innovation programme under grant agreement No 825328.

Similar to FASTEN presentation at FOSDEM 2022 : Making Dependency Management Intelligent

Refactoring the monolith

Steven Hicks

NodeJS VS Python

Krishang Technolab

Modern applicatons require modern monitoring solutions that can react fast on changes in the monitored applications (think of autoscaling, updates). And after many years our old monitoring system, based on Nagios and Cacti, was not holding up anymore. This talk tells the story of your journey from our old system through defining our requirements and multiple tool evaluations (Zabbix, Prometheus, Icinga2) to our current impementation based on Icinga2. I will also show some of our implementation details and how we solved problems in our deployment.

OSMC 2017 | Building a Monitoring solution for modern applications by Martin ...

NETWAYS

presentation_SB_v01

Salvatore Balzano

"We can all agree that streaming is super cool. And for a while now, the adoption conversation has been largely led with an all-in mentality. But that’s silly. The only concerns end users have are: -The freshness of their data -Latency they require to meet their SLAs from source to consumption -All while maintaining data quality and governance. Luckily, the industry has realized this and we have seen a shift of streaming capabilities surfacing as an in-database technology, via objects as trivial to analytics engineers as views - materialized that is. With this convergence of streaming capabilities and batch level accessibility, this is when ELT tools like dbt can join in and expand out the adoption story. dbt is the T in ELT, Extract Load and Transform. In dbt, analytics engineers design models - SQL (and occasional python) statements that encapsulate business logic. At runtime, dbt will wrap that logic in a DDL statement and send it over to the data platform to execute. In this session, we’ll discuss how we see streaming at dbt Labs. We will dive into how we are extending dbt to support low-latency scenarios and the recent additions we have made to make batch and streaming allies in a DAG rather than archenemies."

Streaming is a Detail

HostedbyConfluent

Join our guest speaker Riaan Nolan of mukuru.com, the First Puppet Labs Certified Professional in South Africa, as he walks us through the facets of DevOps integrations and the mission-critical advantages that database automation can bring to your database infrastructure. Infrastructure automation isn’t easy, but it’s not rocket science either. Done right, it is a worthwhile investment, but deciding on which tools to invest in can be a confusing and overwhelming process. Riaan will share some of his secrets on how to proceed with this and he knows what he’s talking about: he saves the companies he works for substantial amounts on their monthly IT bills, typically around 50%. Don’t miss out on this opportunity to understand how you can find efficiencies for your database infrastructure and do watch this webinar to understand the key pain points, which indicate that it’s time to invest in database automation. AGENDA DevOps and databases - what are the challenges Managing databases in a DevOps environment - Requirements from microservice environments - Automated deployments - Performance monitoring - Backups - Schema changes - Version upgrades - Automated failover - Integration with ChatOps and other tools Data distribution - Database hosting in cloud environments - Managing data flows Cloud Automation on AWS SPEAKERS Riaan Nolan was the First Puppet Labs Certified Professional in South Africa. Riaan uses Amazon EC2, VPC and Autoscale with Cloudformation to spin up complete stacks with Autoscaling Fleets. He saves companies substantial amounts on their monthly IT bills, typically around 50% - yes, at one company that meant $500k+ per year. And he’s participated in a number of community tech related forums. He uses next generation technologies such as AWS, Cloudformation, Autoscale, Puppet, GlusterFS, NGINX, Magento and PHP to power huge eCommerce stores. His specialties are Puppet Automation, Cloud Deployments, eCommerce, eMarketing, Specialized Linux Services, Windows, Process making, Budgets, Asset Tracking, Procurement. - Devops Lead, Mukuru - Expert Live Systems Administrator, foodpanda | Hellofood - Senior Systems Administrator / Infrastructure Lead, Rocket Internet GmbH - Senior Technology Manager, Africa Internet Accelerator Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.

Webinar slides: DevOps Tutorial: how to automate your database infrastructure

Severalnines

Software Quality Concerns in the Italian Bank Sector: the Emergence of a Me...

Daniel Russo

ngStockholm #8 at NetEnt - Micro Frontend Architecture

Ishaan Puniani

With 5 years of research and over 5000 survey respondents, there's no better way of understanding the evolving nature of the industry than this year's DevOps and Jenkins Community survey results. Join us, and a panel of industry experts, as we dig through historical data and retrospective insights to formulate meaningful predictions on the unfolding landscape of DevOps and the Jenkins Community in the years to come.

5 Years of Jenkins and DevOps Trends and What That Means For the Future of t...

DevOps.com

Effects of Ownership on Software Quality

Md. Shafiuzzaman Hira

What's new in the latest source{d} releases!

source{d}

Oprim - .Net Core Development Company in Canada

OprimSolutions1

Building Business on Top of Open Source

Open Networking Summit

panagenda reached out to 750+ professionals to share their company’s Domino application strategy. Join this session to find out what was most important to your peers and what challenges they had to overcome to make their project a success. Find out about the critical questions everybody should ask and have answers to throughout their project. Franz Walder presents the exciting results of the survey and explains what role analytics can play when tackling these challenges.

RNUG 2020: Domino Application Strategy: Key insights for successful moderniza...

panagenda

Organizations can pick between numerous free community-supported distributions of the Linux operating system. In the data center and on AWS, Azure, GKE, CloudFlare, DigitalOcean, and other public clouds, these free versions are available as part of the default configuration. Why, then, would you pay for Linux? These slides, based on a webinar hosted by Red Hat and leading IT research firm EMA, provide insights into what has and has not worked related to the adoption of free versus subscription-based Linux distributions.

Why Pay for Open Source Linux? Avoid the Hidden Cost of DIY

Enterprise Management Associates

D1: The NMC Methodology

lisbk

Performance monitoring for remote locations

AppNeta

Onkurananda1

Onkurananda Ganguly

Enase20.ppt

Yann-Gaël Guéhéneuc

HLayer / Cloud Native Best Practices

Aymen EL Amri

More from Fasten Project

FASTEN presentation at OW2con'22

Fasten Project

FASTEN presentation at OW2con 2021

Fasten Project

Software dependencies can be viewed as graph that only get bigger as software evolved. This lead to multiple challenging situations related to security, quality, licensing and more. Today tools are great but more accurate tools such as FASTEN are under development. Join me to learn how the current dependency management tool are evolving to cope with the growing complexity of software development. Discover the presentation by Antoine Mottier, OW2 CTO.

FASTEN Introduction, at EclipseCon 2021

Fasten Project

FASTEN user experience from a software vendor perspective : The future of ext...

Fasten Project

The Eclipse SW360 project provides a server application for the management of used software components in an organization. The catalogue can then be used to create Software Bill-of-Materials (SBOM) for products and projects. SBOM management is essential for a number of important aspects when delivering products: for understanding if vulnerabilities are relevant, for reviewing the licensing situation, for covering trade compliance and last but not least for the generation of compliance documentation. SW360 itself focusses only on SBOM management and the support of the approval processes, it does not scan for licenses nor for dependencies. For these tasks, integration with other OSS tools, for example, FOSSology for license scanning is provided. To automate the SBOM management, SW360 provides a REST API which allows CI infrastructure to call SW360 directly for checks, downloads or uploads. SW360 is a project hosted by the Eclipse Foundation licensed under the EPL-2.0; thus it is available for everyone as Open Source software.

Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN ...

Fasten Project

Demonstration of FASTEN Dependency Management tools on top of Maven, FASTEN v...

Fasten Project

Highlight on FASTEN's Software Composition Analysis Market Background, Virtua...

Fasten Project

FASTEN was presented in the Devroom on Dependency Management at FOSDEM 2021. Presentation Abstract: The goal of the EU project FASTEN is being able to perform a more sophisticated analysis of security-vulnerability propagation, licensing compliance, and dependency risk profiles (among others) by relying on the call-level dependency network of the whole software ecosystem. We outline the purpose and structure of the project, and present some preliminary results.

Software Ecosystems as Networks - Advances on the FASTEN project, Paolo Boldi...

Fasten Project

This presentation was given by Paolo Boldi, Milano University, online. Abstract:The goal of the EU project FASTEN is being able to perform a more sophisticated analysis of security-vulnerability propagation, licensing compliance, and dependency risk profiles (among others) by relying on the call-level dependency network of the whole software ecosystem. We outline the purpose and structure of the project, and present some preliminary results.

FASTEN presentation at SFScon, November 2020

Fasten Project

FASTEN: Scaling static analyses to ecosystem, presented at FOSDEM 2020 in Bru...

Fasten Project

FOSDEM 2020 Presentation - There's no sustainability problem in FOSS, Except ...

Fasten Project

FOSDEM 2020 Presentation: Comparing dependency management issues across packa...

Fasten Project

FOSDEM 2020 Presentation : Precise, cross-project code navigation at GitHub s...

Fasten Project

Presentation of the FASTEN project, Conference SFScon, Bolzano, Italy

Fasten Project

FASTEN H2020 project presentation at Paris Open Source Summit, December 2019.

Fasten Project

Software engineers reuse code to reduce development and maintenance costs but how safe is it to use open source software (OSS)? By using OSS and dependencies to external libraries they can introduce to projects significant operational and compliance risk as well as difficult to assess security implications. The aim of the FASTEN project (a European Union’s H2020 research and innovation programme led by TU Delft) is to address this situation, by developing an intelligent software package management system that will enhance robustness and security in software ecosystems. Our team in Endocode AG is part of the FASTEN project with our FOSS toolchain Quartermaster, which detects license compliance on softwares.

Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...

Fasten Project

Fasten Industry Meeting with GitHub about Dependancy Management

Fasten Project

More from Fasten Project (17)