June 21-24, 2022
Austin, Texas, USA + Virtual

Wednesday, June 22 • 11:50am - 12:30pm
Going Beyond Metadata: Why We Need to Think of Adopting Static Analysis in Dependency Tools - Joseph Hejderup, TU Delft | Endor Labs

Plugins to package managers such as cargo audit and npm audit, and dependency bots such as Dependabot or Renovate, primarily make recommendations to developers by analyzing the build manifests in projects. Metadata analyses (or dependency tree analyses) are typically insufficient for making quick decisions on whether a project is affected, for example, by a security or performance bug. Much effort goes into testing and manual code review to determine whether a project is affected, yet few analyses look at how projects "actually use" their dependencies at the source code level. As more and more dependency-analysis-based projects look to integrate some form of static analysis into their products, this talk will focus on the challenges of incorporating static analysis: cases where it is helpful and where it is not, practical examples demonstrating substantial differences between metadata and static analysis, and the new "powers" static analysis brings to package repository-level analytics.
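As an added illustration of the gap between metadata and static analysis that the abstract describes (example code written for this page, not from the talk, the speaker or Endor Labs): a hypothetical package libfoo is pinned at a version an advisory covers, so a manifest-only check flags the project, while a call-graph walk over the project's own source shows that the vulnerable function is never reached from the entry point. The advisory, manifest and project source are all constructed.

```python
import ast
from collections import deque
# Constructed advisory and manifest; "libfoo" is a hypothetical package, not a real one.
ADVISORY = {"package": "libfoo", "fixed_in": (1, 2, 0), "vuln_symbol": "libfoo.parse_untrusted"}
MANIFEST = {"libfoo": (1, 1, 0), "libbar": (2, 0, 0)}

# Constructed project source: it pins the affected libfoo release, but only a
# dead helper ever calls the vulnerable API.
PROJECT_SRC = '''
import libfoo
def load_config(path):
    return libfoo.parse_trusted(open(path).read())
def legacy_import(blob):  # never called from main
    return libfoo.parse_untrusted(blob)
def main():
    return load_config("app.toml")
'''
def metadata_verdict(manifest, advisory):
    """Dependency-tree check: flagged if the pinned version predates the fix."""
    return advisory["package"] in manifest and manifest[advisory["package"]] < advisory["fixed_in"]
def _dotted(node):  # render a call target such as libfoo.parse_untrusted as a string
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None  # calls on arbitrary expressions, e.g. open(path).read(), are ignored

def build_call_graph(src):
    """Map each top-level function to the dotted names it calls."""
    graph = {}
    for fn in ast.parse(src).body:
        if isinstance(fn, ast.FunctionDef):
            calls = (_dotted(n.func) for n in ast.walk(fn) if isinstance(n, ast.Call))
            graph[fn.name] = {c for c in calls if c}
    return graph

def reachable_from(graph, entry):
    """Breadth-first walk of the call graph; dependency symbols are leaves."""
    seen, todo = set(), deque([entry])
    while todo:
        for callee in graph.get(todo.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                todo.append(callee)
    return seen

def static_verdict(src, advisory, entry="main"):
    """Source-level check: flagged only if the vulnerable symbol is reachable from entry."""
    return advisory["vuln_symbol"] in reachable_from(build_call_graph(src), entry)
```

The two verdicts disagree on the same project: the manifest says "affected", the call graph says the vulnerable symbol is unreachable from main (though it is reachable from the dead helper, which a whole-program analysis would have to prune or report separately).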

Joseph Hejderup

Software Engineer, Endor Labs
Part-time developer, part-time PhD student, full-time enthusiast in developing and researching techniques that make package management systems more intelligent and resilient against supply chain problems! Joseph Hejderup (Software Engineer at Endor Labs & PhD student at Delft University...

Wednesday June 22, 2022 11:50am - 12:30pm CDT
Room 203/204 (Level 2)
  SupplyChainSecurityCon, Countering use of a bad dependency