By SE Lab May 22, 2024
Mahmoud Alfadel, a postdoctoral researcher at the REBELs Lab in the Cheriton School of Computer Science at the University of Waterloo, visited our laboratory and presented a talk on software engineering.
Title:
Build Systems and Software Dependencies: Enabling Trustworthy Software Releases
Abstract:
In an era where software release cycles have accelerated from months or years to a rapid daily cadence, organizations such as Google, LinkedIn, Amazon, and Meta face the critical challenge of maintaining secure and reliable software releases. At the heart of this challenge lie the build systems, which determine how source code transforms into deliverables and play a pivotal role in integrating dependencies (libraries) into dynamic codebases. This constant evolution is essential for staying competitive, but poor build and dependency maintenance can lead to costly bugs and unforeseen software issues, including the incorporation of vulnerable dependencies.
In this research talk, I will explore the trend of build system downgrades where software projects transition from advanced build systems like Bazel to more traditional tools such as Make. This scenario triggered my curiosity—why would one opt for the classic over the cutting-edge, akin to swapping out a 2024 Tesla for a 1979 Ford Pinto? I specifically investigate the frequency of this phenomenon and the rationales behind it.
Additionally, managing external dependencies is a crucial aspect of the build process. Ensuring these dependencies are well-maintained before integration is paramount. I will present research highlighting the risks associated with integrating vulnerable dependencies and introduce ‘DepReveal,’ a prototype tool I developed to help developers track their vulnerability exposure. This tool has the potential to enable developers to tailor effective management practices based on the discoverability of vulnerabilities throughout the dependency lifecycle.