Towards Understanding Third-party Library Dependency in C/C++ Ecosystem

TL;DR

This paper investigates third-party library dependencies in the C/C++ ecosystem by developing a dependency detector, analyzing 24,000 GitHub repositories, and providing insights into dependency patterns and management challenges.

Contribution

It introduces a comprehensive dependency detector for C/C++, applies it to large-scale data, and offers new insights into dependency characteristics and management implications.

Findings

Identified common dependency patterns in C/C++ projects

Analyzed dependency distribution across repositories

Discussed implications for dependency management and future research

Abstract

Third-party libraries (TPLs) are frequently reused in software to reduce development cost and the time to market. However, external library dependencies may introduce vulnerabilities into host applications. The issue of library dependency has received considerable critical attention. Many package managers, such as Maven, Pip, and NPM, are proposed to manage TPLs. Moreover, a significant amount of effort has been put into studying dependencies in language ecosystems like Java, Python, and JavaScript except C/C++. Due to the lack of a unified package manager for C/C++, existing research has only few understanding of TPL dependencies in the C/C++ ecosystem, especially at large scale. Towards understanding TPL dependencies in the C/C++ecosystem, we collect existing TPL databases, package management tools, and dependency detection tools, summarize the dependency patterns of C/C++ projects, and construct a comprehensive and precise C/C++ dependency detector. Using our detector, we extract dependencies from a large-scale database containing 24K C/C++ repositories from GitHub. Based on the extracted dependencies, we provide the results and findings of an empirical study, which aims at understanding the characteristics of the TPL dependencies. We further discuss the implications to manage dependency for C/C++ and the future research directions for software engineering researchers and developers in fields of library development, software composition analysis, and C/C++package manager.