Software applications (e.g., Java™ applications) increasingly depend on libraries, provided either by the same organization or by third parties. Studies show that approx. 80% of Java™ application code may belong to libraries, while approx. 20% of application code may be developed for the given application. In some developments, programming models may facilitate either inclusion of libraries in software packages at software development time, or referencing of libraries that may be loaded dynamically at software runtime. Some packaged applications may use libraries either by copying them into a dedicated folder at software development time, or by declaring a dependency that may be resolved by an application container at software runtime. Some software dependencies may be resolved and integrated into common development environments with a tool having access to software repositories that provide centralized access to versions of closed-source or open-source libraries.
This ease of access makes it difficult for developers to understand and control the use of libraries. In particular, a dependency on one library creates nested dependencies on other libraries that are not necessarily known to an application developer who is interested only in the functionality provided by the originally included library. As such, in these situations, it may be difficult for developers and application users to determine whether each of the libraries that are automatically downloaded and included at development time or runtime is free of functional or non-functional (security) bugs. In conventional systems, it may be required to manually compare dependency reports with bug and security reports provided by library vendors or third parties, e.g., vulnerability databases.
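The comparison described above, of a dependency report against a vulnerability database, can be automated. The following Python script is an added example and is not part of the original text; it assumes a constructed dependency report (a root application with its direct and nested library dependencies), a constructed vulnerability database keyed by library name and affected version range, and hypothetical advisory identifiers. It resolves the transitive dependency graph so that nested libraries the developer never declared are also checked, and it reports for each finding the dependency path that pulls the vulnerable library in.

```python
from collections import deque

# Constructed sample dependency report: library name -> (version, direct dependencies).
# Only "web-framework" and "json-lib" are declared by the application itself; the
# rest are nested dependencies that a developer may not be aware of.
DEPENDENCY_REPORT = {
    "app": ("1.0.0", ["web-framework", "json-lib"]),
    "web-framework": ("2.3.1", ["http-core", "logging-lib"]),
    "json-lib": ("1.4.0", []),
    "http-core": ("0.9.2", ["logging-lib"]),
    "logging-lib": ("1.1.0", []),
}

# Constructed vulnerability database entries:
# (library, first affected version inclusive, first fixed version exclusive, advisory id).
# The advisory ids are placeholders, not real identifiers.
VULNERABILITY_DB = [
    ("http-core", "0.8.0", "0.9.5", "ADV-0001-PLACEHOLDER"),
    ("logging-lib", "1.0.0", "1.2.0", "ADV-0002-PLACEHOLDER"),
    ("json-lib", "1.5.0", "1.6.0", "ADV-0003-PLACEHOLDER"),  # does not affect 1.4.0
]


def parse_version(version):
    """Turn a dotted numeric version string into a tuple for correct ordering
    (so that 1.10.0 sorts after 1.9.9, which plain string comparison gets wrong)."""
    return tuple(int(part) for part in version.split("."))


def resolve_transitive(report, root):
    """Breadth-first walk from the root application over the dependency graph.
    Returns library name -> (version, shortest dependency path from the root)."""
    resolved = {}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        if name in resolved:  # already reached via a shorter or equal path
            continue
        version, direct_deps = report[name]
        resolved[name] = (version, path)
        for dep in direct_deps:
            queue.append((dep, path + [dep]))
    return resolved


def is_affected(version, first_affected, first_fixed):
    """True if version lies in the half-open affected range [first_affected, first_fixed)."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)


def find_vulnerable(report, db, root="app"):
    """Cross-reference every resolved library (direct and nested) with the
    vulnerability database and return one finding per matching advisory."""
    resolved = resolve_transitive(report, root)
    direct = set(report[root][1])
    findings = []
    for library, first_affected, first_fixed, advisory in db:
        if library not in resolved:
            continue  # advisory concerns a library this application does not use
        version, path = resolved[library]
        if is_affected(version, first_affected, first_fixed):
            findings.append({
                "library": library,
                "version": version,
                "advisory": advisory,
                "fixed_in": first_fixed,
                "direct": library in direct,   # False means a nested dependency
                "path": path,
            })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(DEPENDENCY_REPORT, VULNERABILITY_DB):
        kind = "direct" if finding["direct"] else "nested"
        print(f"{finding['library']} {finding['version']} ({kind}): {finding['advisory']}, "
              f"fixed in {finding['fixed_in']}, pulled in via {' > '.join(finding['path'])}")
```

Both findings on the constructed input are nested dependencies that the application never declared, which is the situation the text describes: the developer selected "web-framework" for its functionality and inherited the vulnerable "http-core" and "logging-lib" versions without a visible decision. A real dependency report and vulnerability feed would replace the two constructed tables, and version parsing would need to handle the vendor's actual versioning scheme.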
Further, there may be significant risk that application users unknowingly depend on buggy and vulnerable software libraries, with potentially critical impact on application functionality or security. Besides security, there may exist other reasons to better understand and control the use of third-party libraries, e.g., a requirement to adhere to the license terms imposed by some libraries, which may affect the licensing of the applications that use them. As such, there exists a need to improve the handling of software dependencies in applications and thereby reduce the impact of buggy and vulnerable software libraries.