Software Engineering master student Nuria Bruch wins VERSEN Master Thesis Award!
The use of libraries, both commercial and open-source, that encapsulate the implementation of certain functionality is a widespread practice among developers. However, when a developer uses a library in a software product, this creates a dependency, and if the library has a security issue, that issue can propagate to the software product. Developers can use package managers, but these generally offer only a simple binary evaluation of dependencies: either a dependency exists or it does not. Hence, a detailed evaluation of dependencies is missing, which could help developers deal with vulnerabilities, breaking changes, and deprecated dependencies. Nuria proposes a model for software dependencies that can help provide a fine-grained evaluation of them. The model includes three types of metrics: coupling, coverage, and usage per class. For each metric in the model, Nuria provides a formal definition and a theoretical validation by proving the metrics’ properties. She additionally implemented a proof-of-concept tool that, given a library from the Maven Central Repository, calculates the metrics of the model for each of its dependencies using bytecode analysis. Moreover, the proof-of-concept includes a visualisation of the dependency tree, including the calculated metrics. Finally, she conducted experiments to validate the model, the implementation of the proof-of-concept, and the visualisation. The experiments include interviews with 15 professional developers who evaluated the clarity and actionability of the model’s metrics and the proposed visualisations.