Third-party libraries (TPLs) are frequently reused in software to reduce development cost and the time-to-market. However, exter- nal library dependencies may introduce vulnerabilities into host applications. The issue of library dependency has received consid- erable critical attention. Many package managers like Maven, Pip, NPM are proposed to manage TPLs, and there has been a lot of effort put into studying dependencies in language ecosystem like Java, Python, JavaScript except C/C++. Due to the lack of a unified package manager for C/C++, existing research has only a few un- derstanding of TPL dependency in C/C++ ecosystem, especially at large-scale.

Towards Understanding TPL dependencies in C/C++ ecosystem, we collect existing TPL databases, package management tools and dependency detection tools, summarize the dependency patterns of C/C++ projects, and construct a comprehensive and precise C/C++ dependency detector. Using our detector, we extract dependencies from a large-scale database containing 24K C/C++ repositories from GitHub. Based on the extracted dependencies, we provide the results and findings of an empirical study aimed at understanding the characteristics of the TPL dependencies. We further discuss the challenges to manage dependency for C/C++ and the future directions for software engineering researchers and developers in fields of software composition analysis, C/C++ package manager and library development. Our dataset of extracted dependencies used in this work are anonymously available at url:

Wei Tang

Tsinghua University

Zhengzi Xu

Nanyang Technological University

Chengwei Liu

Nanyang Technological University, Singapore

Wu Jiahui

Nanyang Technological University

shouguo yang

Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

Yi Li

Nanyang Technological University, Singapore

Singapore

Ping Luo

Tsinghua University

Yang Liu

Nanyang Technological University