Inclusion criteria for third-party dependencies in enterprise software projects
Mustonen, Benjamin (2023-06-21)
© 2023 Benjamin Mustonen. Unless otherwise stated, reuse is permitted under the Creative Commons Attribution 4.0 International (CC-BY 4.0) licence (https://creativecommons.org/licenses/by/4.0/). Reuse is allowed provided that the source is properly credited and any changes are indicated. Use or reproduction of parts that are not the property of the author(s) may require permission directly from the respective rights holders.
The permanent address of this publication is
https://urn.fi/URN:NBN:fi:oulu-202306212717
Abstract
Third-party libraries are commonly used in software development to save development time, allowing teams to focus on implementing their own business logic. Including third-party dependencies in a project is not without its risks, however. Bugs, vulnerabilities, and license incompatibilities are only some of the potential issues that can arise from third-party dependencies, yet knowing what to look for before including a dependency can be difficult.
This thesis investigates the factors that should be considered when including a third-party dependency through a review of current scientific literature and models a testable set of inclusion criteria through the design science process. The factors found in the literature were validated and assigned importance levels through a developer survey. Based on the survey results, the model was finalised and tested on six different libraries. The model as well as the test results were then evaluated by developers in a small-scale workshop.
The design science process resulted in a proof-of-concept model that was considered quite good by the developers evaluating it, in addition to a synthesis of existing knowledge on third-party dependencies. The model includes 14 factors divided into eight different criteria, with each factor having a clear definition, a way to measure it, as well as the number of points it contributes to the scoring system of the model. The final score of the model can then be used as a reference to aid in the dependency inclusion decision making process. The developers considered the criteria to be usable enough to be implemented as part of their dependency inclusion process with some minor changes. The major limitation with these findings is that the developer data, used in both creating the importance ratings as well as evaluating the model, was acquired through convenience sampling. This means that the findings cannot be generalised to a wider population. Additionally, the survey and the workshop both had low participation rates of 40% and 55% respectively, hurting the credibility of the results. Future research should consider repeating the study with sampling that can be generalised to a larger population to validate and improve upon the results in this thesis.
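The abstract describes the shape of the model (criteria made of factors, each factor with a definition, a measurement and a point value, summed into a final score that informs the inclusion decision) but not its content. The following is an added example, not the thesis's own model: it implements that structure in Python with three illustrative criteria drawn from the issue types the abstract names (licence compatibility, known vulnerabilities, bug handling and maintenance). The factor names, thresholds, point values, allowed-licence list and candidate metadata are all assumptions for the example; the thesis's 14 factors and eight criteria are not reproduced here.

```python
"""Illustrative scoring model for third-party dependency inclusion.

Added example; the factors, points and thresholds are assumptions, not the
thesis's 14 factors / 8 criteria. It shows the structure the abstract
describes: factor -> definition -> measurement -> points -> total score.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

# Assumed organisational policy: licences this project may depend on.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Fixed reference date so the "recent release" check is reproducible.
TODAY = date(2023, 6, 21)


@dataclass
class Factor:
    name: str
    definition: str
    measure: Callable[[dict], bool]  # True when the candidate satisfies the factor
    points: int                      # contribution to the total when satisfied


@dataclass
class Criterion:
    name: str
    factors: List[Factor]


# Illustrative criteria (assumed, not from the thesis).
CRITERIA: List[Criterion] = [
    Criterion("Licensing", [
        Factor("license_compatible",
               "Declared licence is on the project's allow-list",
               lambda m: m["license"] in ALLOWED_LICENSES, 3),
    ]),
    Criterion("Security", [
        Factor("no_known_vulnerabilities",
               "No unpatched, publicly known vulnerabilities in the version under review",
               lambda m: m["known_vulnerabilities"] == 0, 3),
    ]),
    Criterion("Maintenance", [
        Factor("recent_release",
               "At least one release within the last 365 days",
               lambda m: (TODAY - m["last_release"]).days <= 365, 2),
        Factor("bugs_get_closed",
               "At least 80% of reported bugs have been closed",
               lambda m: m["closed_bugs"] / max(1, m["open_bugs"] + m["closed_bugs"]) >= 0.8, 1),
    ]),
]

# Constructed candidate metadata, as a team would collect it from the
# package registry, issue tracker and a vulnerability database.
HEALTHY = {"name": "example-lib", "license": "MIT", "known_vulnerabilities": 0,
           "last_release": date(2023, 3, 1), "open_bugs": 12, "closed_bugs": 200}
STALE = {"name": "stale-lib", "license": "GPL-3.0", "known_vulnerabilities": 2,
         "last_release": date(2021, 1, 1), "open_bugs": 50, "closed_bugs": 30}


def score(meta: dict, criteria: List[Criterion] = CRITERIA) -> Dict[str, object]:
    """Evaluate every factor and return total, maximum and per-criterion breakdown."""
    breakdown: Dict[str, Dict[str, int]] = {}
    total = maximum = 0
    for crit in criteria:
        for f in crit.factors:
            maximum += f.points
            earned = f.points if f.measure(meta) else 0
            total += earned
            breakdown.setdefault(crit.name, {})[f.name] = earned
    return {"total": total, "max": maximum, "breakdown": breakdown}


def recommend(result: Dict[str, object], threshold: float = 0.7) -> str:
    """Turn the score into a reference recommendation (threshold is an assumption)."""
    ratio = result["total"] / result["max"]
    return "include" if ratio >= threshold else "review"


if __name__ == "__main__":
    for candidate in (HEALTHY, STALE):
        r = score(candidate)
        print(candidate["name"], r["total"], "/", r["max"], recommend(r), r["breakdown"])
```

The score is a reference input to the decision rather than the decision itself, which matches how the abstract positions the model; the breakdown shows which criterion pulled the score down so a reviewer can judge whether a failed factor is disqualifying (a known unpatched vulnerability usually is) or merely a point deduction.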
Collections
- Open access [38865]