Abstract:
Large-scale code reuse significantly reduces both development costs and time. However, the massive share of third-party code in software projects poses new challenges, es...Show MoreMetadata
Abstract:
Large-scale code reuse significantly reduces both development costs and time. However, the massive share of third-party code in software projects poses new challenges, especially in terms of maintenance and security. In this paper, we propose a novel technique to specialize dependencies of Java projects, based on their actual usage. Given a project and its dependencies, we systematically identify the subset of each dependency that is necessary to build the project, and we remove the rest. As a result of this process, we package each specialized dependency in a JAR file. Then, we generate specialized dependency trees where the original dependencies are replaced by the specialized versions. This allows building the project with significantly less third-party code than the original. As a result, the specialized dependencies become a first-class concept in the software supply chain, rather than a transient artifact in an optimizing compiler toolchain. We implement our technique in a tool called DepTrim, which we evaluate with 30 notable open-source Java projects. DepTrim specializes a total of 343 (86.6%) dependencies across these projects, and successfully rebuilds each project with a specialized dependency tree. Moreover, through this specialization, DepTrim removes a total of 57,444 (42.2%) classes from the dependencies, reducing the ratio of dependency classes to project classes from 8.7\boldsymbol{\times} in the original projects to 5.0\boldsymbol{\times} after specialization. These novel results indicate that dependency specialization significantly reduces the share of third-party code in Java projects.
Published in: IEEE Transactions on Software Engineering ( Volume: 49, Issue: 11, November 2023)