
Going Beyond Metadata: Why We Need to Think of Adopting Static Analysis in Dependency Tools

2022-06-22

Authors:   Joseph Hejderup


Summary

The talk argues for adopting static analysis in dependency tools so that they go beyond metadata analysis and improve the selection, security, and maintenance of open source dependencies.
  • Plugins and dependency bots in package managers rely primarily on metadata analysis, which is often insufficient for deciding quickly whether a project is actually affected by a security or performance bug
  • Static analysis at the source code level gives more accurate and complete information on how projects use their dependencies
  • Incorporating static analysis into dependency tools presents challenges, but it also brings new capabilities to package repository-level analytics
  • Package managers have improved software productivity and quality, but dependency management remains a complex challenge
The speaker recalls the definitions of software reuse from a 1980s guidebook by the US Department of Commerce, which emphasize the productivity and quality benefits of using well-designed, well-developed, and well-documented reusable software components. Package managers have made this kind of reuse routine, but managing the resulting dependencies remains a complex challenge.

Abstract

Plugins to package managers such as cargo audit and npm audit, and dependency bots such as Dependabot or Renovate, primarily make recommendations to developers by analyzing the build manifests in projects. Metadata analyses (or dependency tree analyses) are typically insufficient for making quick decisions on whether a project is affected by, for example, a security or performance bug. Much effort goes into testing and manual code review to determine whether a project is affected; few analyses look into how projects "actually use" their dependencies at the source code level. As more and more dependency-analysis-based projects look to integrate some form of static analysis into their products, this talk focuses on the challenges of incorporating static analysis: cases where it is helpful and where it is not, practical examples demonstrating substantial differences between metadata and static analysis, and what new "powers" static analysis brings to package repository-level analytics.
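The difference between a manifest-level check and a source-level check, as the summary bullets and the abstract above describe it, in an added example that is not part of the talk or its materials. Everything in it is constructed: the package `fastparse`, its versions, the advisory and its "vulnerable symbol" are invented for illustration, and the project sources are a few lines of Python. The metadata check does what an audit plugin does with a manifest (is a vulnerable version declared?); the static check additionally resolves import aliases and call targets in the project's AST to ask whether the vulnerable function is ever called.

```python
"""Manifest-level (metadata) check versus source-level reachability check.

Constructed example: a fictional package `fastparse` with a made-up advisory
saying `fastparse.legacy.decode_header` is vulnerable in versions below 1.3.0.
The manifest check only asks "is a vulnerable version declared?"; the static
check additionally asks "does the project's own code call the vulnerable
function?" by resolving import aliases and call targets in the AST.
"""
import ast

# --- constructed inputs (not real packages or advisories) -------------------
MANIFEST = {"fastparse": "1.2.0", "requests": "2.28.0"}
ADVISORY = {
    "package": "fastparse",
    "fixed_in": (1, 3, 0),
    "vulnerable_symbols": {"fastparse.legacy.decode_header"},
}

# Declares the vulnerable version but never calls the vulnerable function.
SAFE_SOURCE = """
import fastparse
from fastparse import parse_body
from fastparse.legacy import decode_footer as df

def handle(msg):
    hdr = fastparse.parse_header(msg)
    return hdr, parse_body(msg), df(msg)
"""

# Same dependency, but this one reaches the vulnerable function via an alias.
UNSAFE_SOURCE = """
from fastparse import legacy

def handle(msg):
    return legacy.decode_header(msg.strip())
"""


def parse_version(text):
    """'1.2.0' -> (1, 2, 0); enough for the dotted versions used here."""
    return tuple(int(part) for part in text.split("."))


def metadata_affected(manifest, advisory):
    """What an audit plugin does: compare the declared version to the fix."""
    declared = manifest.get(advisory["package"])
    return declared is not None and parse_version(declared) < advisory["fixed_in"]


def _dotted_name(node):
    """Turn `a.b.c` (an Attribute chain rooted in a Name) into ['a', 'b', 'c']."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # e.g. a call on the result of another call; not resolved
    parts.append(node.id)
    return parts[::-1]


class CallResolver(ast.NodeVisitor):
    """Map local names to fully qualified import targets, then collect calls."""

    def __init__(self):
        self.aliases = {}  # local binding -> fully qualified name
        self.calls = set()  # fully qualified call targets seen in the source

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:
                self.aliases[alias.asname] = alias.name  # import a.b as x
            else:
                top = alias.name.split(".")[0]  # `import a.b` binds only `a`
                self.aliases[top] = top
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.level == 0 and node.module:  # relative imports are skipped
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        self.generic_visit(node)

    def visit_Call(self, node):
        parts = _dotted_name(node.func)
        if parts:
            root = self.aliases.get(parts[0], parts[0])
            self.calls.add(".".join([root] + parts[1:]))
        self.generic_visit(node)  # nested calls in arguments still get visited


def reachable_vulnerable_calls(source, advisory):
    """Static (source-level) check: vulnerable symbols the project actually calls."""
    resolver = CallResolver()
    resolver.visit(ast.parse(source))
    return sorted(resolver.calls & advisory["vulnerable_symbols"])


if __name__ == "__main__":
    print("manifest says affected:", metadata_affected(MANIFEST, ADVISORY))
    for label, src in (("safe", SAFE_SOURCE), ("unsafe", UNSAFE_SOURCE)):
        print(label, "reaches:", reachable_vulnerable_calls(src, ADVISORY))
```

On the constructed inputs the manifest check flags both projects, while the static check flags only the second one, which is the kind of difference the abstract refers to. The example also shows where this approach stops being helpful: it is intra-project and syntactic, so it misses calls made through `getattr`, dynamic dispatch or the dependency's own internals (the vulnerable function could be reached transitively through `parse_body`). Ruling a project out therefore needs a call graph that extends into the dependency, not just the project's own call sites.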
