Manage software dependencies
Activity ID: GGI-A-23.
Description
A dependency identification programme looks for the dependencies actually used within the codebase. As a result, the organisation must establish and maintain a list of known dependencies for its codebase and watch the evolution of the providers it has identified.
Establishing and maintaining a list of known dependencies is an enabler for, and a prerequisite to:
- IP and licence checking: some licences cannot be mixed, even through a dependency. One has to know one's dependencies to assess the associated legal risks.
- Vulnerability management: the entire piece of software is as weak as its weakest part (see the example of the Heartbleed flaw). One has to know one's dependencies to assess the associated security risks.
- Lifecycle and sustainability: an active community on the dependency project is a good sign for bug fixes, optimisations, and new features.
- Thoughtful selection of the dependencies used, according to "maturity" criteria - the goal being to use open source components that are safe, with a sound and well-maintained codebase, and a living, active and responsive community that will accept external contributions, etc.
Opportunity Assessment
Identifying and tracking dependencies is a required step to mitigate the risks associated with any code reuse. In addition, implementing tools and processes to manage software dependencies is a prerequisite to properly manage quality, compliance, and security.
Consider the following questions:
- What is the company's risk (cost, reputation, etc.) if the software is corrupted or attacked, or if the company is sued over it?
- Is the code base considered critical for people, the organisation, or business?
- What if a component upon which an application depends changes its repository?
The minimal first step is to implement a software composition analysis (SCA) tool. Support from specialised consulting firms may be required for a full-fledged SCA or dependency mapping.
Progress Assessment
The following verification points demonstrate progress in this activity:
- Dependencies are identified in all in-house developed code.
- Dependencies are identified in all external code executed within the company.
- An easy-to-setup software composition analysis or dependency identification procedure is available for projects to add to their Continuous Integration process.
- Dependency analysis tools are used.
Tools
- OWASP Dependency-Check: a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
- OSS Review Toolkit: a suite of tools to assist with reviewing Open Source Software dependencies.
- Fossa: fast, portable and reliable dependency analysis. Supports licence & vulnerability scanning. Language-agnostic; integrates with 20+ build systems.
- Software 360.
- Eclipse Dash license tool: takes a list of dependencies and requests ClearlyDefined to check their licences.
- The FOSSology Project: FOSSology is an open source project with the mission of advancing open source license compliance.
Recommendations
- Conduct regular audits about the dependencies and IP requirements to mitigate legal risks.
- Ideally, integrate dependency management into the Continuous Integration process so that issues (a new dependency, a licence incompatibility) are identified and fixed as soon as possible.
- Keep track of dependency-related vulnerabilities, keep users and developers informed.
- Inform people about the risks associated with incorrect licensing.
- Propose an easy solution for projects to set up licence checking on their codebase.
- Communicate on its importance and help projects to add it to their CI systems.
- Set up a visible KPI for dependency-related risks.
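The progress assessment above asks for an easy-to-set-up dependency identification procedure that projects can add to their CI, and the recommendations ask that a new dependency or a licence incompatibility be caught there as early as possible. The following script is an added example, not part of the GGI handbook or of any of the tools listed on this page: it parses a pinned manifest in requirements.txt style, compares it with the inventory recorded at the last review, flags unpinned requirements, and checks each dependency's declared licence (as an SPDX expression) against an organisation-wide allow-list. The manifest, the previous inventory, the licence metadata and the allow-list are all constructed for the example; in a real pipeline the licence data would come from an SCA tool or a service such as ClearlyDefined, and the allow-list from the legal team.

```python
"""Minimal dependency inventory and licence-policy gate for a CI job.

Added example: the manifest, previous inventory, licence metadata and
allow-list below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample manifest, as a project would commit it.
MANIFEST = """\
# pinned runtime dependencies
requests==2.31.0
cryptography==41.0.7
pyyaml>=6.0          # not pinned: the build is not reproducible
some-gpl-lib==1.2.0
"""

# Constructed inventory recorded at the previous review (name -> version).
KNOWN_INVENTORY: Dict[str, str] = {
    "requests": "2.31.0",
    "cryptography": "41.0.7",
    "pyyaml": "6.0.1",
}

# Constructed licence metadata; a real run would query an SCA tool.
LICENCES: Dict[str, str] = {
    "requests": "Apache-2.0",
    "cryptography": "Apache-2.0 OR BSD-3-Clause",
    "pyyaml": "MIT",
    "some-gpl-lib": "GPL-3.0-only",
}

# Assumed policy: SPDX identifiers acceptable in a proprietary product;
# anything else must go to legal review before merge.
ALLOWED_LICENCES: Set[str] = {"MIT", "BSD-3-Clause", "Apache-2.0", "ISC"}

# name, optional comparison operator, optional version
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s#]+)?")


@dataclass
class Dependency:
    name: str
    operator: Optional[str]
    version: Optional[str]

    @property
    def pinned(self) -> bool:
        # Only an exact pin gives a reproducible, auditable build.
        return self.operator == "=="


def parse_manifest(text: str) -> List[Dependency]:
    """Parse requirements.txt-style lines, ignoring comments and blanks."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        deps.append(Dependency(m.group(1).lower(), m.group(2), m.group(3)))
    return deps


def licence_allowed(expr: str, allowed: Set[str]) -> bool:
    """Accept an SPDX expression if every AND-term has at least one allowed
    OR-alternative (flat expressions only, no parentheses)."""
    for conjunct in re.split(r"\s+AND\s+", expr):
        alternatives = {alt.strip() for alt in re.split(r"\s+OR\s+", conjunct)}
        if not alternatives & allowed:
            return False
    return True


def check_dependencies(manifest: str, known: Dict[str, str],
                       licences: Dict[str, str], allowed: Set[str]) -> List[str]:
    """Return one finding per problem; an empty list means the gate passes."""
    findings: List[str] = []
    for dep in parse_manifest(manifest):
        if dep.name not in known:
            findings.append(f"NEW: {dep.name} is not in the reviewed inventory")
        elif dep.pinned and dep.version != known[dep.name]:
            findings.append(f"CHANGED: {dep.name} {known[dep.name]} -> {dep.version}")
        if not dep.pinned:
            spec = f"{dep.operator or ''}{dep.version or ''}"
            findings.append(f"UNPINNED: {dep.name} ({spec}) is not reproducible")
        lic = licences.get(dep.name)
        if lic is None:
            findings.append(f"UNKNOWN-LICENCE: {dep.name} has no licence data")
        elif not licence_allowed(lic, allowed):
            findings.append(f"LICENCE: {dep.name} is {lic}, not in the allow-list")
    return findings


if __name__ == "__main__":
    import sys
    problems = check_dependencies(MANIFEST, KNOWN_INVENTORY, LICENCES, ALLOWED_LICENCES)
    print("\n".join(problems) or "dependency check passed")
    sys.exit(1 if problems else 0)  # a non-zero exit fails the CI job
```

Run against the constructed manifest, the gate reports three findings (pyyaml unpinned, some-gpl-lib new to the inventory, and some-gpl-lib under a licence outside the allow-list) and exits non-zero, which is what makes a new dependency or a licence incompatibility visible in the pull request rather than at release time. Once a finding has been reviewed, the reviewed inventory is updated so that the same dependency is not flagged as new again.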
Resources
- Existing OSS-licenced OSS licence compliance tools group page.
- Free and Open Source Software licence Compliance: Tools for Software Composition Analysis, by Philippe Ombredanne, nexB Inc.
- Software Sustainability Maturity Model.
- CHAOS: Community Health Analytics Open Source Software.
Proposed next activities
- GGI-A-21 - Manage legal compliance: before being able to track IP and licence incompatibilities, one needs to identify all dependencies in their open source software.
- GGI-A-22 - Manage software vulnerabilities: before being able to track vulnerabilities in their code assets, one needs to identify all dependencies in their open source software.