REM: Visualizing the ripple effect on dependencies using metrics of health

Author: Chen, Zhe
Supervisor: German, Daniel M.
Department: Computer Science
Degree: M.Sc.
Abstract:

In recent years, free and open-source software (FOSS) components have become common dependencies in the development of software, both open source and proprietary. As the complexity of software increases, so does the number of software components it depends upon; in addition, those components themselves depend on other components. Thus, dependency graphs are growing in size and complexity. One of the current challenges in software development is that it is not trivial to know the full dependency graph of a software application and the vulnerabilities in it. Developers are usually aware of the direct dependencies their application requires, but might not be fully aware of the dependencies that those dependencies require (the transitive dependencies). Open-source software components, each an individual project, have health, a condition that is measured by quality in different aspects of the development. Unfortunately, unhealthy software components that appear as transitive dependencies can break any software application; therefore, application developers need tools, methods and visualizations to inspect the health of these transitive dependencies and their potential impact on the dependency graph of their application.

In this thesis, I first proposed and presented the Ripple Effect of Metrics (REM), a visualization of dependency graphs that leverages metrics of the health of dependencies. The two main features of the REM are: first, to display, and potentially summarize, the full dependency graph of a software application based on the health of each of its dependencies; and second, to display the ripple effect of vulnerable dependencies on the rest of the dependency graph. I then enhanced the features of an existing automated dependency tool in GitHub, the open-source Dependabot, with REMs to become the REM-Dependabot.

The REM-Dependabot helps maintainers of software applications inspect the health of all of their dependencies, especially the vulnerable dependencies with CVE security advisories, and also explore the impact that some of these dependencies might have. I designed a case study on one of the most popular NPM JavaScript applications, with three use cases, each with a goal that the maintainers of that application need to achieve. The case study demonstrates and argues that the REM can be beneficial to developers as an aid to more effective dependency management through its visualization of the ripple effect on the dependency graph using health metrics. A major portion of this thesis has been published at the 2020 Working Conference on Software Visualization (VISSOFT).
Bibliographic citation: Z. Chen and D. M. German, "REM: Visualizing the Ripple Effect on Dependencies Using Metrics of Health," 2020 Working Conference on Software Visualization (VISSOFT), 2020, pp. 61-71, doi: 10.1109/VISSOFT51673.2020.00011.
Rights: Available to the World Wide Web
Subjects: dependency graph; software visualization; dependency management
Title: REM: Visualizing the ripple effect on dependencies using metrics of health


Files: Main article (Adobe Portable Document Format, 13.04 MB); item-specific license (2 KB)