Dependency Analysis for OpenTAP?

Has anyone ever run a dependency analysis on the OpenTAP code base? On the plugin template and/or the corpus of plugins?

Can you elaborate a bit on what you mean by Dependency Analysis? In what context are we talking about here?

Hi Rolf,

I started poking around the repo, but I thought I’d ask the community.
What I mean is a list of which libraries and other software components are integrated with / linked against when OpenTAP and Plugins are built. The repo ToC and even SBOMs don’t show this info. It is typically generated by SCA tools like FOSSA. I believe there are ways to extract some of it directly from GitHub.

The purpose of a dependency deep dive is typically vulnerability analysis. While OpenTAP itself and plugins are probably very secure, it wouldn’t surprise me if there were CVEs logged against a raft of .NET components and libs. The other purpose of dependency checking is license compliance.


Bill W.

Ok, so we do a “BlackDuck” scan at every release of OpenTAP. This identifies possible weaknesses as well as license issues related to dependencies. I believe it is comparable to FOSSA.

One example was Newtonsoft.Json, which had a vulnerability related to deep JSON structures leading to stack overflow errors. This was identified by BlackDuck. So we are upgrading that to a version that does not have that issue.

But, I am not sure exactly what kind of information you are looking for. Maybe you can point to a project that generates a ToC or SBOM?
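To make concrete the two things the thread is asking for (the flat list of resolved packages Bill describes, and the kind of match against a known issue that the BlackDuck scan produced for Newtonsoft.Json), here is an added example that is not OpenTAP code and not the output of any scanner. It reads a NuGet lock file (`packages.lock.json`, the file NuGet writes when `RestorePackagesWithLockFile` is enabled), flattens it into an inventory of direct and transitive packages, and compares each against a small advisory list. The lock-file contents, the `Example.*` package names and the advisory entries are constructed for illustration; the Newtonsoft.Json fixed version is an assumption, so check the vendor advisory before relying on it.

```python
"""Dependency inventory and advisory match for a .NET project.

Added example, not OpenTAP code. The lock file and advisory list below are
constructed; the package names and versions are illustrative, not findings.
"""
import json
from dataclasses import dataclass

# Constructed packages.lock.json: one direct dependency and two transitive ones.
LOCK_JSON = """{
  "version": 1,
  "dependencies": {
    "net6.0": {
      "Newtonsoft.Json": {
        "type": "Direct",
        "requested": "[12.0.3, )",
        "resolved": "12.0.3",
        "contentHash": "..."
      },
      "Example.Transitive.A": {
        "type": "Transitive",
        "resolved": "2.1.0",
        "dependencies": {"Example.Transitive.B": "1.0.0"}
      },
      "Example.Transitive.B": {
        "type": "Transitive",
        "resolved": "1.0.0"
      }
    }
  }
}"""

# Constructed advisory list: (package id, first fixed version, description).
# The Newtonsoft.Json row mirrors the deep-nesting issue mentioned in the thread;
# the fixed version is an assumption for illustration, not taken from a scanner.
ADVISORIES = [
    ("Newtonsoft.Json", "13.0.1", "stack overflow on deeply nested JSON input"),
    ("Example.Transitive.B", "1.0.1", "constructed example advisory"),
]


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    direct: bool
    framework: str


def parse_version(v):
    """Turn '12.0.3' or '13.0.1-beta1' into a comparable tuple.

    Missing components are padded with zeros (13.0 == 13.0.0.0) and a
    prerelease tag sorts below the corresponding release, as NuGet does.
    """
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * (4 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


def inventory(lock_text):
    """Flatten a packages.lock.json into Package entries across all frameworks."""
    data = json.loads(lock_text)
    pkgs = []
    for fw, deps in data["dependencies"].items():
        for name, info in deps.items():
            if info.get("type") == "Project":  # project references are not NuGet packages
                continue
            pkgs.append(Package(name, info["resolved"], info["type"] == "Direct", fw))
    return pkgs


def vulnerable(pkgs, advisories):
    """Return (Package, description) for every package below an advisory's fixed version.

    NuGet package ids are case-insensitive, so names are compared lower-cased.
    """
    hits = []
    for p in pkgs:
        for name, fixed, desc in advisories:
            if p.name.lower() == name.lower() and parse_version(p.version) < parse_version(fixed):
                hits.append((p, desc))
    return hits


if __name__ == "__main__":
    packages = inventory(LOCK_JSON)
    for p in packages:
        kind = "direct" if p.direct else "transitive"
        print(f"{p.framework}: {p.name} {p.version} ({kind})")
    for p, desc in vulnerable(packages, ADVISORIES):
        print(f"VULNERABLE: {p.name} {p.version}: {desc}")
```

The point of flattening the lock file rather than reading `.csproj` files is that the transitive packages, which a `PackageReference` list never shows, are exactly where a scanner tends to find the surprises; the second constructed hit above is one of those. A real check would replace the constructed advisory list with a feed such as the GitHub Advisory Database or the NuGet vulnerability data that `dotnet list package --vulnerable` consults.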