
API trustworthiness: an ontological approach for software library adoption

Published in: Software Quality Journal

Abstract

The globalization of the software industry has led to an emerging trend in which software systems depend increasingly on external open-source libraries and application programming interfaces (APIs). While a significant body of research exists on identifying and recommending potentially reusable libraries to end users, very little is known about the potential direct and indirect impact of these library recommendations on the quality and trustworthiness of a client's project. In our research, we introduce a novel Ontological Trustworthiness Assessment Model (OntTAM), which (1) supports the automated analysis and assessment of quality attributes related to the trustworthiness of libraries and APIs in open-source systems and (2) provides developers with additional insights into the potential impact of reused libraries and APIs on the quality and trustworthiness of their project. We illustrate the applicability of our approach by assessing the trustworthiness of libraries in terms of their API breaking changes, security vulnerabilities, and license violations, and their potential impact on client projects.
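The abstract describes modelling a client project, its libraries, and their quality attributes as an ontology, then querying that model for direct and indirect impact. The following is an added illustration of that idea, not the paper's OntTAM implementation or its ontology: a tiny in-memory triple store holds constructed facts about a hypothetical client and its dependency chain, and a query walks the transitive `dependsOn` relation to report vulnerabilities, license conflicts, and API breaking changes that reach the client. All library, vulnerability, license-rule and API names are made up, and the penalty weights are an arbitrary assumption.

```python
"""Toy ontology-style impact assessment for library adoption.

Added illustration, not the paper's OntTAM implementation: a client project and
its (transitive) dependencies are modelled as subject-predicate-object triples,
and the graph is queried for vulnerabilities, license conflicts and API
breaking changes that reach the client directly or indirectly.
"""
from collections import defaultdict, deque

# Constructed sample facts. Every library, vulnerability and API name is hypothetical.
TRIPLES = [
    ("client:App",      "dependsOn",        "lib:Alpha-2.1"),
    ("client:App",      "dependsOn",        "lib:Beta-1.0"),
    ("lib:Beta-1.0",    "dependsOn",        "lib:Gamma-3.4"),   # indirect dependency
    ("lib:Gamma-3.4",   "hasVulnerability", "vuln:V-1"),
    ("vuln:V-1",        "severity",         "high"),
    ("client:App",      "hasLicense",       "license:Proprietary"),
    ("lib:Alpha-2.1",   "hasLicense",       "license:GPL-3.0"),
    ("lib:Beta-1.0",    "hasLicense",       "license:Apache-2.0"),
    ("lib:Gamma-3.4",   "hasLicense",       "license:MIT"),
    ("license:GPL-3.0", "isCopyleft",       "true"),
    ("lib:Alpha-2.1",   "removesAPI",       "api:Alpha.parse(String)"),
    ("lib:Alpha-2.1",   "removesAPI",       "api:Alpha.legacyInit()"),
    ("client:App",      "invokes",          "api:Alpha.parse(String)"),
]

# Assumed penalty weights per finding kind (arbitrary, for illustration only).
WEIGHTS = {"vulnerability": 0.4, "license": 0.3, "breaking-change": 0.2}


class Graph:
    """Minimal in-memory triple store indexed as subject -> predicate -> {objects}."""

    def __init__(self, triples):
        self.spo = defaultdict(lambda: defaultdict(set))
        for s, p, o in triples:
            self.spo[s][p].add(o)

    def objects(self, s, p):
        return self.spo.get(s, {}).get(p, set())

    def closure(self, start, predicate):
        """Transitive closure along one predicate; returns {node: hop count}.
        The visited check keeps it terminating on dependency cycles."""
        hops = {}
        queue = deque([(start, 0)])
        while queue:
            node, d = queue.popleft()
            for nxt in self.objects(node, predicate):
                if nxt not in hops and nxt != start:
                    hops[nxt] = d + 1
                    queue.append((nxt, d + 1))
        return hops


def assess(graph, client):
    """Return (kind, library, hops, detail) findings that reach `client`.
    hops == 1 is a direct dependency, hops > 1 an indirect one."""
    findings = []
    proprietary = "license:Proprietary" in graph.objects(client, "hasLicense")
    invoked = graph.objects(client, "invokes")
    for lib, hops in sorted(graph.closure(client, "dependsOn").items()):
        for v in sorted(graph.objects(lib, "hasVulnerability")):
            sev = next(iter(graph.objects(v, "severity")), "unknown")
            findings.append(("vulnerability", lib, hops, f"{v} ({sev})"))
        for lic in sorted(graph.objects(lib, "hasLicense")):
            # Simplified rule: copyleft code inside a proprietary client is flagged.
            if proprietary and "true" in graph.objects(lic, "isCopyleft"):
                findings.append(("license", lib, hops, lic))
        for api in sorted(graph.objects(lib, "removesAPI")):
            # A removed API only matters if the client actually calls it.
            if api in invoked:
                findings.append(("breaking-change", lib, hops, api))
    return findings


def trust_score(findings):
    """1.0 minus weighted penalties; indirect findings are discounted by distance."""
    penalty = sum(WEIGHTS[kind] / hops for kind, _, hops, _ in findings)
    return round(max(0.0, 1.0 - penalty), 3)


if __name__ == "__main__":
    g = Graph(TRIPLES)
    report = assess(g, "client:App")
    for kind, lib, hops, detail in report:
        reach = "direct" if hops == 1 else "indirect"
        print(f"{kind:16} {lib:14} {reach:8} {detail}")
    print("trust score:", trust_score(report))
```

Running the block reports one high-severity vulnerability reached indirectly through `lib:Beta-1.0`, one copyleft license conflict and one breaking change in the direct dependency `lib:Alpha-2.1`, while the removed `api:Alpha.legacyInit()` is not flagged because the client never calls it. The distance discount in `trust_score` is a deliberate design choice for the toy: an indirect finding is still reported, but weighs less than one in a library the client uses directly.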





Author information

Corresponding author: Juergen Rilling.


Cite this article

Eghan, E.E., Alqahtani, S.S., Forbes, C. et al. API trustworthiness: an ontological approach for software library adoption. Software Qual J 27, 969–1014 (2019). https://doi.org/10.1007/s11219-018-9428-4
