English

Towards Understanding Third-party Library Dependency in C/C++ Ecosystem

Software Engineering 2022-09-21 v2

Abstract

Third-party libraries (TPLs) are frequently reused in software to reduce development cost and the time to market. However, external library dependencies may introduce vulnerabilities into host applications. The issue of library dependency has received considerable critical attention. Many package managers, such as Maven, Pip, and NPM, are proposed to manage TPLs. Moreover, a significant amount of effort has been put into studying dependencies in language ecosystems like Java, Python, and JavaScript except C/C++. Due to the lack of a unified package manager for C/C++, existing research has only few understanding of TPL dependencies in the C/C++ ecosystem, especially at large scale. Towards understanding TPL dependencies in the C/C++ecosystem, we collect existing TPL databases, package management tools, and dependency detection tools, summarize the dependency patterns of C/C++ projects, and construct a comprehensive and precise C/C++ dependency detector. Using our detector, we extract dependencies from a large-scale database containing 24K C/C++ repositories from GitHub. Based on the extracted dependencies, we provide the results and findings of an empirical study, which aims at understanding the characteristics of the TPL dependencies. We further discuss the implications to manage dependency for C/C++ and the future research directions for software engineering researchers and developers in fields of library development, software composition analysis, and C/C++package manager.

Keywords

Cite

@article{arxiv.2209.02575,
  title  = {Towards Understanding Third-party Library Dependency in C/C++ Ecosystem},
  author = {Wei Tang and Zhengzi Xu and Chengwei Liu and Jiahui Wu and Shouguo Yang and Yi Li and Ping Luo and Yang Liu},
  journal= {arXiv preprint arXiv:2209.02575},
  year   = {2022}
}

Comments

ASE 2022

R2 v1 2026-06-28T00:48:47.103Z