SlideShare a Scribd company logo

Say No To Dependency Hell

Nicola Pedot, profile picture
Nicola Pedot

This document discusses the problem of dependency hell in software development and proposes approaches to better manage software dependencies and their vulnerabilities. It notes that modern software projects have many interconnected dependencies and outlines challenges with current methods of manually tracking dependency updates and vulnerabilities. It then presents some current dependency analysis tools like GitHub alerts, Snyk, and SourceClear. The document observes that current direct/transitive dependency classifications do not accurately reflect what dependencies are within a developer's control. It proposes methods like filtering non-deployed dependencies, grouping dependencies by project, and identifying "halted" dependencies no longer receiving updates to provide a clearer picture of exposure and priorities for remediation. The approach aims to reduce false alerts and help developers focus on fixing vulnerabilities

Software
Related topics:
Insights on Software Development
1 of 33
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Say No to the Dependency Hell: Proper Management of Software Dependencies IVAN PASHCHENKO Trento - 2019
whoami 2 Ivan Pashchenko • PhD candidate in Information Security at the University of Trento • Former Intern at SAP Security Research • Former Leading Security Engineer at Bashneft, Russia • Snowboarder, hiker, volleyball player
3 Software project Own code
Nowadays software projects are highly interconnected 4 • Own code • Dependencies Own code Dependencies Software project
Dependencies? 5
You are writing code… This is a typical functionality, I do not want to invent a wheel – I will use already developed functionality. 6
And you use just one dependency… 7
8 Welcome to the Dependency Hell
Open source software 9
10
11 Source: https://www.infoworld.com/article/2608895/open-source- software/open-source-software-does-government-finally-grok-open-source.html
12 Source: https://www.infoworld.com/article/2608895/open-source- software/open-source-software-does-government-finally-grok-open-source.html
The Equifax breach 13
When you have a dependency 14 𝑚1 𝑚2𝑦1𝑥1 𝑦2𝑢1 𝑧1 direct transitive Dependency tree
Current dependency analysis 15 0. Follow the updates in your software dependencies manually - Subscribe to mailing lists of your dependencies - Telegram channels - Analyze changelogs of the new releases - Receive a lot of spam…
Current dependency analysis tools 16 1. Github vulnerability alerts: Example: https://github.com/iluwatar/java-design-patterns/network/dependencies
Current dependency analysis tools 17 1. Github vulnerability alerts: Listing the packages that a repository depends on: https://help.github.com/articles/listing-the-packages-that-a-repository-depends-on/ Viewing and updating vulnerable dependencies in your repository: https://help.github.com/articles/viewing-and-updating-vulnerable-dependencies-in-your- repository/ About security alerts for vulnerable dependencies: https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
Current dependency analysis tools 18 2. Snyk.io: Home page: https://snyk.io/ Introduction video: https://youtu.be/4ng5usM6fd8
Current dependency analysis tools 19 2. Snyk.io – Vulnerability DB:
Current dependency analysis tools 20 2. Snyk.io – Vulnerability DB:
Current dependency analysis tools 21 3. SourceClear - https://www.sourceclear.com/ Advantages: - one of the biggest vulnerability databases Disadvantage: - fully commercial 4. Vulas - https://github.com/SAP/vulnerability-assessment-tool Advantages: - open-source - precise code base matching algorithm Disadvantage: - they do not publish the vulnerability database - they support only Java (Maven&Gradle) and partially Python
You will have such a report 22 What would you do? Ignore? Panic?
Observation 1 23 Some dependencies are non deployed, hence such vulnerabilities cannot be exploited 𝑚1:compile 𝑚2: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒𝑦1: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒𝑥1: 𝑡𝑒𝑠𝑡 𝑦2: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒𝑢1: 𝑡𝑒𝑠𝑡 𝑧1: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒
Observation 2 24 𝑚1 𝑚2 𝑦1𝑥1 𝑦2𝑢1 𝑧1 𝑀 𝑌 𝑋 𝑈 𝑍 Direct ‘Direct’ and ‘transitive’ notions do not represent which dependencies really can be controlled Transitive Own
Observation 2 25 𝑚1 𝑚2 𝑦1𝑥1 𝑦2𝑢1 𝑧1 𝑀 𝑌 𝑋 𝑈 𝑍 ‘Direct’ and ‘transitive’ notions do not represent which dependencies really can be controlled Own In direct control Out of direct control
Observation 3 26 𝑚1 𝑥1 𝑢1 𝑣1 𝑣2 𝑣1 𝑣1 𝑣2 𝑣3 𝑡0 𝑡1 There would be no version of x1: 1) to fix vulnerability in x1 2) adopt fixed version of u1 Fixing such a dependency would require a software company either to contribute to the halted library (make a new release) or maintain an own copy of the library Some libraries may become halted
Counting dependencies 27 Build dependency tree Maven goals: dependency:tree and dependency:resolve Filter non-deployed dependencies Exclude test and provided scopes Group dependencies by projects Group all GAVs with the same groupId within one path and substitute them in the path with the GAV, closest to the vulnerable GAV Identify halted dependencies •𝐿𝑎𝑠𝑡 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑖𝑛𝑡𝑒𝑟𝑣𝑎𝑙 = 𝛼 σ𝑖=0 𝑛 { 1 − 𝛼 𝑖 ∗ 𝑅𝑒𝑙𝑒𝑎𝑠𝑒 𝑡𝑖𝑚𝑒 𝑛−𝑖} •𝐸𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑑𝑎𝑡𝑒 = 𝐿𝑎𝑠𝑡 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 + 𝐿𝑎𝑠𝑡 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑖𝑛𝑡𝑒𝑟𝑣𝑎𝑙 •𝐸𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑑𝑎𝑡𝑒 < 𝑇𝐼𝑀𝐸 ⇒ 𝐿𝑖𝑏𝑟𝑎𝑟𝑦 𝑖𝑠 ℎ𝑎𝑙𝑡𝑒𝑑 Map with known vulnerable GA S. E. Ponta, H. Plate, and A. Sabetta. Beyond metadata: Code-centric and usage based analysis of known vulnerabilities in open-source software. In Proc. of ICSME-18, 2018
Effects Filtering non-deployed Dependency grouping “Is halted” analysis 28 20% less false alerts to check Developers may have fixed 82% of vulns in their dependencies (45% increase) 14% of dependencies are halted, hence would not be fixed
Following our approach you will have the following report 29 A bit more clear what to do, isn’t it?
An example of our report 30
31 We are looking for your experience More details about our research are here: http://bit.ly/vuln-research-trento "Dependencies as you see it" (what the problems are, why people could, should, or won't update etc.). This can be a brief Skype/Hangout/etc interview at your convenience.
We bring order to the dependency hell 32
33 For any questions or suggestions do not hesitate to contact me: E-mail: ivan.pashchenko@unitn.it Skype: ivanpashchenko Web-site: http://disi.unitn.it/~pashchenko Let’s say No to the Dependency Hell Information about our research is here: http://bit.ly/vuln-research-trento

More Related Content

PPTX
Say No to the Dependency Hell
Ivan Pashchenko
 
PDF
SFScon19 - Ivan Pashchenko - Say No to the Dependency Hell
South Tyrol Free Software Conference
 
PPTX
Mentors View: Aligning Your Team and Your Powers for Success
Sonatype
 
PPTX
Supply Chain Solutions for Modern Software Development
Sonatype
 
PPTX
A question of trust - understanding Open Source risks
Tim Mackey
 
PDF
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon
 
PPTX
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
WhiteSource
 
PPTX
Purple is the New Black: Modern Approaches for Application Security
Tanya Janca
 
Say No to the Dependency Hell
Ivan Pashchenko
 
SFScon19 - Ivan Pashchenko - Say No to the Dependency Hell
South Tyrol Free Software Conference
 
Mentors View: Aligning Your Team and Your Powers for Success
Sonatype
 
Supply Chain Solutions for Modern Software Development
Sonatype
 
A question of trust - understanding Open Source risks
Tim Mackey
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
WhiteSource
 
Purple is the New Black: Modern Approaches for Application Security
Tanya Janca
 

Similar to Say No To Dependency Hell (20)

PDF
SFScon 2020 - Ivan Pashchenko - Learning from Developers How to Make Dependen...
South Tyrol Free Software Conference
 
PPTX
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
PDF
Donu’t Let Vulnerabilities Create a Hole in Your Organization
DevOps.com
 
PDF
Dependency Issues in Open Source Software Package Registries
Tom Mens
 
PPTX
How to increase the technical health of your software?
Tom Mens
 
PDF
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
DevOps.com
 
PDF
Fire alarms vs. Fire hoses: Keeping up with Dependencies
WhiteSource
 
PDF
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
WhiteSource
 
PDF
Dependency Health: Removing the Barriers to Keeping Projects in Shape
DevOps.com
 
PDF
Dependency Health: Removing the Barriers to Keeping Projects in Shape
DevOps.com
 
ODP
Are you using an opensource library? There's a good chance you are vulnerable...
Codemotion
 
PPTX
Embracing DevSecOps: A Changing Security Landscape for the US Government
DJ Schleen
 
PDF
Infiltrating the Supply Chain Attack: Advanced Payload Delivery and Evasion T...
null - The Open Security Community
 
PDF
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
Fasten Project
 
PPTX
Is my software ecosystem healthy? It depends!
Tom Mens
 
PPTX
On the health of the npm packaging ecosystem
Tom Mens
 
PDF
Aliens in Your Apps!
All Things Open
 
PDF
Application Security in the Age of Open Source
Black Duck by Synopsys
 
PPTX
All You need to Know about Secure Coding with Open Source Software
Javier Perez
 
PDF
OWASP - Dependency Check
Vandana Verma
 
SFScon 2020 - Ivan Pashchenko - Learning from Developers How to Make Dependen...
South Tyrol Free Software Conference
 
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
Donu’t Let Vulnerabilities Create a Hole in Your Organization
DevOps.com
 
Dependency Issues in Open Source Software Package Registries
Tom Mens
 
How to increase the technical health of your software?
Tom Mens
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
DevOps.com
 
Fire alarms vs. Fire hoses: Keeping up with Dependencies
WhiteSource
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
WhiteSource
 
Dependency Health: Removing the Barriers to Keeping Projects in Shape
DevOps.com
 
Dependency Health: Removing the Barriers to Keeping Projects in Shape
DevOps.com
 
Are you using an opensource library? There's a good chance you are vulnerable...
Codemotion
 
Embracing DevSecOps: A Changing Security Landscape for the US Government
DJ Schleen
 
Infiltrating the Supply Chain Attack: Advanced Payload Delivery and Evasion T...
null - The Open Security Community
 
FOSDEM 2020 Presentation: Comparing dependency management issues across packa...
Fasten Project
 
Is my software ecosystem healthy? It depends!
Tom Mens
 
On the health of the npm packaging ecosystem
Tom Mens
 
Aliens in Your Apps!
All Things Open
 
Application Security in the Age of Open Source
Black Duck by Synopsys
 
All You need to Know about Secure Coding with Open Source Software
Javier Perez
 
OWASP - Dependency Check
Vandana Verma
 
Ad

More from Nicola Pedot (13)

PDF
AI, ML e l'anello mancante
Nicola Pedot
 
PDF
Ethic clean
Nicola Pedot
 
PDF
Java al servizio della data science - Java developers' meeting
Nicola Pedot
 
PDF
Jakarta EE 2018
Nicola Pedot
 
PDF
Lazy Java
Nicola Pedot
 
PDF
Java 9-10 What's New
Nicola Pedot
 
PDF
JavaEE6 my way
Nicola Pedot
 
PDF
Java 8 Overview
Nicola Pedot
 
PDF
BDD & design paradoxes appunti devoxx2012
Nicola Pedot
 
PDF
Tom EE appunti devoxx2012
Nicola Pedot
 
ODP
Eclipse Svn
Nicola Pedot
 
ODP
Eclipse
Nicola Pedot
 
PPT
Presentazione+Android
Nicola Pedot
 
AI, ML e l'anello mancante
Nicola Pedot
 
Ethic clean
Nicola Pedot
 
Java al servizio della data science - Java developers' meeting
Nicola Pedot
 
Jakarta EE 2018
Nicola Pedot
 
Lazy Java
Nicola Pedot
 
Java 9-10 What's New
Nicola Pedot
 
JavaEE6 my way
Nicola Pedot
 
Java 8 Overview
Nicola Pedot
 
BDD & design paradoxes appunti devoxx2012
Nicola Pedot
 
Tom EE appunti devoxx2012
Nicola Pedot
 
Eclipse Svn
Nicola Pedot
 
Eclipse
Nicola Pedot
 
Presentazione+Android
Nicola Pedot
 
Ad

Recently uploaded (20)

PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
System and Network Administration Chapter 2
jaramharo
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
AI in Product Development-omnex systems
omnex systems
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 

Say No To Dependency Hell

  • 1. Say No to the Dependency Hell: Proper Management of Software Dependencies IVAN PASHCHENKO Trento - 2019
  • 2. whoami 2 Ivan Pashchenko • PhD candidate in Information Security at the University of Trento • Former Intern at SAP Security Research • Former Leading Security Engineer at Bashneft, Russia • Snowboarder, hiker, volleyball player
  • 4. Nowadays software projects are highly interconnected 4 • Own code • Dependencies Own code Dependencies Software project
  • 6. You are writing code… This is a typical functionality, I do not want to invent a wheel – I will use already developed functionality. 6
  • 7. And you use just one dependency… 7
  • 8. 8 Welcome to the Dependency Hell
  • 10. 10
  • 14. When you have a dependency 14 𝑚1 𝑚2𝑦1𝑥1 𝑦2𝑢1 𝑧1 direct transitive Dependency tree
  • 15. Current dependency analysis 15 0. Follow the updates in your software dependencies manually - Subscribe to mailing lists of your dependencies - Telegram channels - Analyze changelogs of the new releases - Receive a lot of spam…
  • 16. Current dependency analysis tools 16 1. Github vulnerability alerts: Example: https://github.com/iluwatar/java-design-patterns/network/dependencies
  • 17. Current dependency analysis tools 17 1. Github vulnerability alerts: Listing the packages that a repository depends on: https://help.github.com/articles/listing-the-packages-that-a-repository-depends-on/ Viewing and updating vulnerable dependencies in your repository: https://help.github.com/articles/viewing-and-updating-vulnerable-dependencies-in-your- repository/ About security alerts for vulnerable dependencies: https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
  • 18. Current dependency analysis tools 18 2. Snyk.io: Home page: https://snyk.io/ Introduction video: https://youtu.be/4ng5usM6fd8
  • 19. Current dependency analysis tools 19 2. Snyk.io – Vulnerability DB:
  • 20. Current dependency analysis tools 20 2. Snyk.io – Vulnerability DB:
  • 21. Current dependency analysis tools 21 3. SourceClear - https://www.sourceclear.com/ Advantages: - one of the biggest vulnerability databases Disadvantage: - fully commercial 4. Vulas - https://github.com/SAP/vulnerability-assessment-tool Advantages: - open-source - precise code base matching algorithm Disadvantage: - they do not publish the vulnerability database - they support only Java (Maven&Gradle) and partially Python
  • 22. You will have such a report 22 What would you do? Ignore? Panic?
  • 23. Observation 1 23 Some dependencies are non deployed, hence such vulnerabilities cannot be exploited 𝑚1:compile 𝑚2: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒𝑦1: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒𝑥1: 𝑡𝑒𝑠𝑡 𝑦2: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒𝑢1: 𝑡𝑒𝑠𝑡 𝑧1: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒
  • 24. Observation 2 24 𝑚1 𝑚2 𝑦1𝑥1 𝑦2𝑢1 𝑧1 𝑀 𝑌 𝑋 𝑈 𝑍 Direct ‘Direct’ and ‘transitive’ notions do not represent which dependencies really can be controlled Transitive Own
  • 25. Observation 2 25 𝑚1 𝑚2 𝑦1𝑥1 𝑦2𝑢1 𝑧1 𝑀 𝑌 𝑋 𝑈 𝑍 ‘Direct’ and ‘transitive’ notions do not represent which dependencies really can be controlled Own In direct control Out of direct control
  • 26. Observation 3 26 𝑚1 𝑥1 𝑢1 𝑣1 𝑣2 𝑣1 𝑣1 𝑣2 𝑣3 𝑡0 𝑡1 There would be no version of x1: 1) to fix vulnerability in x1 2) adopt fixed version of u1 Fixing such a dependency would require a software company either to contribute to the halted library (make a new release) or maintain an own copy of the library Some libraries may become halted
  • 27. Counting dependencies 27 Build dependency tree Maven goals: dependency:tree and dependency:resolve Filter non-deployed dependencies Exclude test and provided scopes Group dependencies by projects Group all GAVs with the same groupId within one path and substitute them in the path with the GAV, closest to the vulnerable GAV Identify halted dependencies •𝐿𝑎𝑠𝑡 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑖𝑛𝑡𝑒𝑟𝑣𝑎𝑙 = 𝛼 σ𝑖=0 𝑛 { 1 − 𝛼 𝑖 ∗ 𝑅𝑒𝑙𝑒𝑎𝑠𝑒 𝑡𝑖𝑚𝑒 𝑛−𝑖} •𝐸𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑑𝑎𝑡𝑒 = 𝐿𝑎𝑠𝑡 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 + 𝐿𝑎𝑠𝑡 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑖𝑛𝑡𝑒𝑟𝑣𝑎𝑙 •𝐸𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑑𝑎𝑡𝑒 < 𝑇𝐼𝑀𝐸 ⇒ 𝐿𝑖𝑏𝑟𝑎𝑟𝑦 𝑖𝑠 ℎ𝑎𝑙𝑡𝑒𝑑 Map with known vulnerable GA S. E. Ponta, H. Plate, and A. Sabetta. Beyond metadata: Code-centric and usage based analysis of known vulnerabilities in open-source software. In Proc. of ICSME-18, 2018
  • 28. Effects Filtering non-deployed Dependency grouping “Is halted” analysis 28 20% less false alerts to check Developers may have fixed 82% of vulns in their dependencies (45% increase) 14% of dependencies are halted, hence would not be fixed
  • 29. Following our approach you will have the following report 29 A bit more clear what to do, isn’t it?
  • 30. An example of our report 30
  • 31. 31 We are looking for your experience More details about our research are here: http://bit.ly/vuln-research-trento "Dependencies as you see it" (what the problems are, why people could, should, or won't update etc.). This can be a brief Skype/Hangout/etc interview at your convenience.
  • 32. We bring order to the dependency hell 32
  • 33. 33 For any questions or suggestions do not hesitate to contact me: E-mail: ivan.pashchenko@unitn.it Skype: ivanpashchenko Web-site: http://disi.unitn.it/~pashchenko Let’s say No to the Dependency Hell Information about our research is here: http://bit.ly/vuln-research-trento