API trustworthiness: an ontological approach for software library adoption

  • Ellis E. Eghan
  • Sultan S. Alqahtani
  • Christopher Forbes
  • Juergen RillingEmail author


The globalization of the software industry has led to an emerging trend where software systems depend increasingly on the use of external open-source external libraries and application programming interfaces (APIs). While a significant body of research exists on identifying and recommending potentially reusable libraries to end users, very little is known on the potential direct and indirect impact of these external library recommendations on the quality and trustworthiness of a client’s project. In our research, we introduce a novel Ontological Trustworthiness Assessment Model (OntTAM), which supports (1) the automated analysis and assessment of quality attributes related to the trustworthiness of libraries and APIs in open-source systems and (2) provides developers with additional insights into the potential impact of reused libraries and APIs on the quality and trustworthiness of their project. We illustrate the applicability of our approach, by assessing the trustworthiness of libraries in terms of their API breaking changes, security vulnerabilities, and license violations and their potential impact on client projects.


Software quality Trustworthiness Code reuse License violations API breaking changes Software security vulnerabilities 



  1. Alqahtani, S. S., Eghan, E. E., & Rilling, J. (2016). SV-AF—a Security Vulnerability Analysis Framework, in 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE), pp. 219–229.Google Scholar
  2. Alqahtani, S. S., Eghan, E. E., & Rilling, J. (2017). Recovering semantic traceability links between APIs and security vulnerabilities: an ontological modeling approach. 10th IEEE International Conference on Software Testing, Verification and Validation.Google Scholar
  3. Artho, C., Suzaki, K., Di Cosmo, R., Treinen, R., Zacchiroli, S., & A. P. S. Distributions (2012). Why do software packages conflict?, 141–150.Google Scholar
  4. Atkinson, C., Gutheil, M., & Kiko, K. (2006). On the relationship of ontologies and models. Proc. 2nd Work. MetaModelling Ontol. WoMM06 LNI P96 Gesellschaft fur Inform. Bonn, 47–60.Google Scholar
  5. Ayala, C., Franch, X., Conradi, R., Li, J., & Cruzes, D. (2013). Developing software with open source software components. Finding source code on the web for remix and reuse (pp. 167–186). New York: Springer New York.CrossRefGoogle Scholar
  6. Bergel, A., Denier, S., Ducasse, S., Laval, J., Bellingard, F., Vaillergues, P., Balmas, F., & Mordal-Manet, K. (2009). SQUALE—Software QUALity Enhancement. 2009 13th European Conference on Software Maintenance and Reengineering, 285–288.Google Scholar
  7. Berners-Lee, T., Hendler, J., & Lassila, O. (2001). The Semantic Web. Scientific American, 284(5), 34–43.CrossRefGoogle Scholar
  8. Boland, T., Cleraux, C., & Fong, E. (2010). Toward a preliminary framework for assessing the trustworthiness of software (pp. 1–31). Gaithersburg: National Institute of Standards TechnologyInteragency/Internal Report, U.S. Department of Commerce.Google Scholar
  9. Cadariu, M., Bouwers, E., Visser, J., & Van Deursen, A. (2015). Tracking known security vulnerabilities in proprietary software systems. 2015 IEEE 22nd Int. Conf. Softw. Anal. Evol. Reengineering, SANER 2015 - Proc, 516–519.Google Scholar
  10. Cingolani, P., & Alcala-Fdez, J. (2012). jFuzzyLogic: a robust and flexible Fuzzy-Logic inference system language implementation. 2012 IEEE International Conference on Fuzzy Systems, 1–8.Google Scholar
  11. Cossette, B. E. & Walker, R. J. (2012). Seeking the ground truth: a retroactive study on the evolution and migration of software libraries. Proc. ACM SIGSOFT 20th Int. Symp. Found. Softw. Eng, 55:1–55.Google Scholar
  12. Decan, A., Mens, T., Claes, M., & Grosjean, P. (2016). When GitHub meets CRAN: an analysis of inter-repository package dependency problems. 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), 493–504.Google Scholar
  13. Di Penta, M., German, D. M., Guéhéneuc, Y.-G., and Antoniol, G. (2010). An exploratory study of the evolution of software licensing, Proc. 32nd ACM/IEEE Int. Conf. Softw. Eng. - ICSE ‘10, vol. 1, p. 145.Google Scholar
  14. Dig, D., & Johnson, R. (2006). How do APIs evolve? A story of refactoring. Journal of Software Maintenance and Evolution: Research and Practice, 18(2), 83–107.CrossRefGoogle Scholar
  15. DuCharme, B. (2011). Learning SPARQL (2nd ed.). Sebastopol: O’Reilly Media.Google Scholar
  16. F. S. Foundation (2014). Various licenses and comments about them. GNU Project [Online]. Available: Accessed 22 July 2017.
  17. Gao, J. Z., Chen, C., Toyoshima, Y., & Leung, D. K. (1999). Engineering on the Internet for global software production. Computer (Long. Beach. Calif)., 32(5), 38–47.Google Scholar
  18. German, D. M. & Hassan, A. E., (2009). License integration patterns: addressing license mismatches in component-based development. 2009 IEEE 31st International Conference on Software Engineering, 188–198.Google Scholar
  19. Hemel, A., Kalleberg, K. T., Vermaas, R., & Dolstra, E. (2011). Finding software license violations through binary code clone detection. Proceeding of the 8th working conference on Mining software repositories - MSR ‘11, 63–72.Google Scholar
  20. Henderson-Sellers, B. (2011). Bridging metamodels and ontologies in software engineering. Journal of Systems and Software, 84(2), 301–313.CrossRefGoogle Scholar
  21. Hmood, A., Schugerl, P., Rilling, J., & Charland, P. (2010). OntEQAM—a methodology for assessing evolvability as a quality factor in software ecosystems. Defence R&D Canada - Valcartier, Valcartier QUE (CAN), 8.Google Scholar
  22. Hmood, A., Keivanloo, I., & Rilling, J. (2012). SE-EQUAM—an evolvable quality metamodel. 2012 IEEE 36th Annual Computer Software and Applications Conference Workshops, 334–339.Google Scholar
  23. Hora, A. & Valente, M. T. (2015). apiwave: keeping track of API popularity and migration, 321–323.Google Scholar
  24. I. E. Commission (2000). Programmable controllers—part 7: fuzzy control programming.Google Scholar
  25. Jezek, K., Dietrich, J., & Brada, P. (2015). How Java APIs break—an empirical study. Information and Software Technology, 65, 129–146.CrossRefGoogle Scholar
  26. Jiang, H., Zhang, J., Ren, Z., & Zhang, T. (2017). An unsupervised approach for discovering relevant tutorial fragments for APIs. 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE), 38–48.Google Scholar
  27. Kagdi, H., Yusuf, S., & Maletic, J. I. (2006). Mining sequences of changed-files from version histories. Proceedings of the 2006 international workshop on Mining software repositories - MSR ‘06, 47.Google Scholar
  28. Kagdi, H., Collard, M. L., & Maletic, J. I. (2007). Comparing approaches to mining source code for call-usage patterns. Fourth International Workshop on Mining Software Repositories (MSR’07:ICSE Workshops 2007), 20–26.Google Scholar
  29. Kamiya, T., Kusumoto, S., & Inoue, K. (2002). CCFinder: a multilinguistic token-based code clone detection system for large scale source code. IEEE Transactions on Software Engineering, 28(7), 654–670.CrossRefGoogle Scholar
  30. Kapur, P., Cossette, B., & Walker, R. J. (2010). Refactoring references for library migration. ACM SIGPLAN Notices, 45(10), 726.CrossRefGoogle Scholar
  31. I. Keivanloo, C. Forbes, J. Rilling, and P. Charland, (2011). Towards sharing source code facts using linked data. Proceeding 3rd Int. Work. Search-driven Dev. users, infrastructure, tools, Eval. - SUITE ‘11, 25–28.Google Scholar
  32. Kuhn, B. M., Sebro, A. K., & Gingerich, D. (2016). Chapter 10 The lesser GPL, Free Software Foundation & Software Freedom Law Center, . [Online]. Available:
  33. del Bianco, V., Lavazza, L., Morasca, S., & Taibi, D. (2009). Quality of open source software: the QualiPSo trustworthiness model, 199–212.Google Scholar
  34. Land, R., Sundmark, D., Lüders, F., Krasteva, I., & Causevic, A. (2009). Reuse with software components—a survey of industrial state of practice. Form. Found. Reuse Domain Eng, 150–159.Google Scholar
  35. Larson, D., & Miller, K. (2005). Silver bullets for little monsters: making software more trustworthy. IT Prof., 7(2), 9–13.CrossRefGoogle Scholar
  36. Maalej, W., & Robillard, M. P. (2013). Patterns of knowledge in API reference documentation. IEEE Transactions on Software Engineering, 39(9), 1264–1282.CrossRefGoogle Scholar
  37. Mann, C. J. H. (2003). The description logic handbook—theory, implementation and applications. Kybernetes, 32(9/10), k.2003.06732iae.006.CrossRefGoogle Scholar
  38. McCall, J. A., Richards, P. K., & Walters, G. F. (1977). Factors in software quality. Volume I. Concepts and definitions of software quality.Google Scholar
  39. McCarey, F., Cinnéide, M. Ó., & Kushmerick, N. (2005). Rascal: a recommender agent for agile reuse. Artificial Intelligence Review, 24(3–4), 253–276.CrossRefGoogle Scholar
  40. McGuinness, D. L. and Van Harmelen, F. (2004). Owl web ontology language overview. W3C Recomm. 10.2004–03, 2004, 1–12.Google Scholar
  41. Mileva, Y. M., Dallmeier, V., Burger, M., & Zeller, A. (2009). Mining trends of library usage. Proc. Jt. Int. Annu. ERCIM Work. Princ. Softw. Evol. Softw. Evol, 57–62.Google Scholar
  42. Mileva, Y. M., Dallmeier, V., & Zeller, A. (2010). Mining API popularity, Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 6303 LNCS, pp. 173–180.Google Scholar
  43. Monden, A., Okahara, S., Manabe, Y., & Matsumoto, K. (2011). Guilty or not guilty: using clone metrics to determine open source licensing violations. IEEE Software, 28(2), 42–47.CrossRefGoogle Scholar
  44. Nguyen, V. H., Dashevskyi, S., & Massacci, F. (2016). An automatic method for assessing the versions affected by a vulnerability. Empirical Software Engineering, 21(6), 2268–2297.Google Scholar
  45. Parnas, D. L. (1994). Software aging. ICSE ‘94 Proceedings of the 16th international conference on Software engineering, 279–287.Google Scholar
  46. Pfleeger, S. L. (1992). Measuring software reliability. IEEE Spectrum, 29(8), 56–60.CrossRefGoogle Scholar
  47. Plate, H., Ponta, S. E., & Sabetta, A. (2015). Impact assessment for vulnerabilities in open-source software libraries. 2015 IEEE 31st Int. Conf. Softw. Maint. Evol. ICSME 2015 – Proc, 411–420.Google Scholar
  48. Raemaekers, S., Van Deursen, A., & Visser, J. (2012). Measuring software library stability through historical version analysis. IEEE Int. Conf. Softw. Maintenance, ICSM, 378–387.Google Scholar
  49. Raemaekers, S., Van Deursen, A., & Visser, J. (2014). Semantic versioning versus breaking changes: a study of the maven repository. Proc. - 2014 14th IEEE Int. Work. Conf. Source Code Anal. Manip. SCAM 2014, 215–224.Google Scholar
  50. Rahman, M. M., Roy, C. K., & Lo, D. (2016). RACK: automatic API recommendation using crowdsourced knowledge. 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER). 349–359.Google Scholar
  51. Rhodes, T., Boland, F., Fong, E., & Kass, M. (2010). Software assurance using structured assurance case models. Journal of Research of the National Institute of Standards and Technology, 115(3), 209–216.CrossRefGoogle Scholar
  52. Robbes, R., Lungu, M., & Röthlisberger, D. (2012). How do developers react to API deprecation?. Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering - FSE ‘12, 1.Google Scholar
  53. Samoladas, I., Gousios, G., Spinellis, D., & Stamelos, I. (2008). The SQO-OSS quality model: measurement based open source software evaluation. Open Source Development, Communities and Quality, Boston, MA: Springer US, 237–248.Google Scholar
  54. Seedorf, S. & Mannheim, F. F. I. U. (2006). Applications of ontologies in software engineering. In 2nd International Workshop on Semantic Web Enabled Software Engineering (SWESE 2006).Google Scholar
  55. Seneviratne, O., Kagal, L., Weitzner, D., Abelson, H., Berners-Lee, T., & Shadbolt, N. (2009). Detecting creative commons license violations on images on the world wide web. WWW2009.Google Scholar
  56. Taibi, D. (2008). Defining an open source software trustworthiness model. Proc 3rd Int Dr Symp Emperical Software Eng, 4.Google Scholar
  57. Tan, T., He, M., Yang, Y., Wang, Q., & Li, M. (2008). An analysis to understand software trustworthiness. 2008 The 9th International Conference for Young Computer Scientists, 2366–2371.Google Scholar
  58. Teyton, C., Falleri, J. R., & Blanc, X. (2012). Mining library migration graphs. Proceedings of Work. Conf. Reverse Eng. WCRE. 289–298.Google Scholar
  59. Thung, F., Lo, D., & Lawall, J. (2013). Automated library recommendation. Proceedings of Workshop Conference on Reverse Engineering. WCRE, 182–191.Google Scholar
  60. Williams, J., & Dabirsiaghi, A. (2012). The unfortunate reality of insecure libraries (pp. 1–26). Appleton: Asp. Secur. Inc.Google Scholar
  61. Witte R., Zhang Y., & Rilling J. (2007). Empowering software maintainers with semantic web technologies. ESWC, 4519, 37–52.Google Scholar
  62. Wu, Y., Manabe, Y., Kanda, T., German, D. M., & Inoue, K. (2015). A method to detect license inconsistencies in large-scale open source projects. 2015 IEEE/ACM 12th Working Conference on Mining Software Repositories, 324–333.Google Scholar
  63. Würsch, M., Ghezzi, G., Hert, M., Reif, G., & Gall, H. C. (2012). SEON: a pyramid of ontologies for software evolution and its applications. Computing, 94(11), 857–885.CrossRefGoogle Scholar
  64. Xavier, L., Brito, A., Hora, A., & Valente, M. T., (2017). Historical and impact analysis of API breaking changes: a large-scale study. 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), 138–147.Google Scholar
  65. Yang Y., Wang Q., & Li M. (2009). Process trustworthiness as a capability indicator for measuring and improving software trustworthiness. ICSP, 5543, 389–401.Google Scholar
  66. Zadeh, L. A. (1975). The concept of a linguistic variable and its application to approximate reasoning-III. Information Sciences, 9(1), 43–80.MathSciNetCrossRefGoogle Scholar
  67. Zhang, Y., Witte, R., Rilling, J., & Haarslev, V. (2008). Ontological approach for the semantic recovery of traceability links between software artefacts. IET Software, 2(3), 185.CrossRefGoogle Scholar
  68. Zhong, H. & Mei, H. (2017). An empirical study on API usages. IEEE Trans. Softw. Eng. (Early Access), 1.Google Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Department of Computer Science and Software EngineeringConcordia UniversityMontrealCanada

Personalised recommendations