{"id":18609507,"url":"https://github.com/secure-software-engineering/upcy","last_synced_at":"2026-03-11T22:42:34.172Z","repository":{"id":148704605,"uuid":"530823513","full_name":"secure-software-engineering/upcy","owner":"secure-software-engineering","description":"UpCy automatically finds compatible updates for Maven dependencies.","archived":false,"fork":false,"pushed_at":"2026-02-08T19:42:16.000Z","size":355,"stargazers_count":12,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-08T20:11:08.072Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secure-software-engineering.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-08-30T20:41:56.000Z","updated_at":"2025-12-05T12:33:33.000Z","dependencies_parsed_at":"2025-04-10T22:31:39.437Z","dependency_job_id":"e468194e-32e1-4b3e-8ded-72fb17980b11","html_url":"https://github.com/secure-software-engineering/upcy","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/secure-software-engineering/upcy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secure-software-engineering%2Fupcy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secure-software-engineering%2Fupcy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secure-software-engineering%2Fupcy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secure-software-engineering%2Fupcy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secure-software-engineering","download_url":"https://codeload.github.com/secure-software-engineering/upcy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secure-software-engineering%2Fupcy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30405693,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-11T22:36:59.286Z","status":"ssl_error","status_checked_at":"2026-03-11T22:36:57.544Z","response_time":84,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T03:06:18.456Z","updated_at":"2026-03-11T22:42:34.155Z","avatar_url":"https://github.com/secure-software-engineering.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# UpCy - Safely Updating Outdated Dependencies\n\nUpCy is a tool that automatically suggests (source- and ABI-compatible) updates for a Maven project.\nUpCy is implemented in Java.\n\n## Requirements\nTo execute and build UpCy yourself, you need to have the following software installed:\n- JDK \u003e= 1.8.0_231\n- Maven \u003e= 3.8.4\n- Docker \u003e= 20.10.17\n\n\n\n## What is UpCy?\n**UpCy** is a tool for Maven projects that automatically finds a list of update steps that updates a dependency to a target version while minimizing the number of API incompatibilities (source code- and ABI).\nTypically, a dependency in a Maven project is used by multiple libraries in the project's dependency tree. Thus, developers usually need to update not only the single dependencies but find out what other dependencies use that dependency as well and find a compatible version.\nTo ease fixing of remaining incompatibilities, **UpCy** uses static analysis to identify API incompatible methods that are *actually* used in the project.\n**UpCy** does this automatically and reports (remaining) incompatible API methods.\n\nGiven a Maven project, one of its dependencies, and the target update version, UpCy finds a set of update steps with a minimum number of source code- and binary incompatibilities by finding min-(s,t)-cut and querying on the entire dependency graph of Maven Central.\n\nDevelopers can use **UpCy** to automatically find compatible updates, e.g., to eliminate certain vulnerable dependencies (especially transitive ones) from a project's dependency graph or update outdated dependencies.\n\n## Setup\n\n### Install SootDiff\n- Clone the SootDiff repository `git clone https://github.com/secure-software-engineering/sootdiff.git`\n- change into the folder `cd sootdiff`\n- Build and install SootDiff in your local maven repository `mvn clean compile install -DskipTests`\n\n\n### Install Maven-EcoSystem (libraries for assessing the Neo4j DB of Maven Central)\n- Clone the Maven-EcoSystem repository `git clone https://github.com/anddann/mvn-ecosystem-graph`\n- change into the folder `cd mvn-ecosystem-graph`\n- Build and install SootDiff in your local maven repository `mvn clean compile install`\n\n\n### Install UpCy-Base (libraries for building dependency graph and running call graph analysis)\n- Clone the UpCy-Base repository `git clone https://github.com/anddann/upcy-base`\n- change into the folder `cd upcy-base`\n- Build and install SootDiff in your local maven repository `mvn clean compile install`\n\n###  Setup Graph Database of Maven Central (Neo4j) \u0026 Database of Binary- \u0026 Source-Code Incompatibilities (MongoDB)\nDownload the database files `incompabilities_mongodb.tar.gz` and `maven-central_neo4j.tar.gz` from \u003chttps://zenodo.org/record/7037674#.YxDXFOxBzUY\u003e.\nExtract both files using the command `tar xzf \u003cFileName\u003e`. The unzipped folders contain the databases.\nThen start an instance of a MongoDB and Neo4j database and mount these two folders as volumes.\nA ready-to-use configuration is in the file `docker-compose-dbs.yml`.\nTo run it execute `docker-compose -f docker-compose-dbs.yml up`.\nThis fires ups the databases and mounts the extracted folders as volumes.\nThen wait for the databases to start.\n\n### Build UpCy\n- To build UpCy and its docker container run `mvn clean compile package`.\n\n\n## Run UpCy\n\n### Set environment variables\nFor connecting to the databases, the following environment variables **must** be set with concrete values.\n```\nNEO4J_URL=bolt://localhost:7687\nNEO4J_USER=neo4j\nNEO4J_PASS=DUMMYPASSWORD\nMONGO_USER=user\nMONGO_HOST=localhost\nMONGO_PW=DUMMYPASSWORD\n```\n\n\n## Run UpCy\n\n## Execute on a Maven Module\nTo execute UpCy and the call graph analysis based on Soot your Maven module must compile since Soot uses the bytecode class for call graph construction.\nFurther, all dependencies must be resolved.\n\nFirst, compile the module by running `mvn compile`.\n\nSecond, generate the dependency graph for the project by executing:\n```\nmvn com.github.ferstl:depgraph-maven-plugin:4.0.1:graph -DshowVersions -DshowGroupIds -DshowDuplicates -DshowConflicts -DgraphFormat=json\n```\n\nThird, invoke the UpCy class `java -cp \u003cPATH-TO-UPCY-JAR\u003e de.upb.upcy.update.MainMavenComputeUpdateSuggestion` with the following arguments:\n* -dg,--dependency-graph \u003carg\u003e   the generated dependency graph as json file\n* -gav \u003carg\u003e                     the GAV of the dependency to update in the form - group:artifact:version\n* -module,--maven-module \u003carg\u003e   path to the maven module containing the pom.xml\n* -targetGav \u003carg\u003e               the target GAV in the form - group:artifact:version\n* -preflight                     execute a preflight check\n\nFourth, UpCy will create a file `_recommendation_results.csv` in the module's folder with the computed update options.\n\n\n\n### Re-Run experiments\nThe main class for re-running UpCy is `de.upb.upcy.update.MainComputeUpdateSuggestion`.\nTo re-run the experiments, download the [experimental-results_dataset.zip](https://zenodo.org/record/7037674#.YxDXFOxBzUY) and unzip it on your local machine.\nThen pass the unzipped folder as an argument to the class `de.upb.upcy.update.MainComputeUpdateSuggestion`.\nThe code then clones each repository and executes UpCy on each project and with each update step given in the `_update-steps.csv` files.\n\n\n#### Re-Run experiments using the Docker pipeline\nThe docker pipeline allows you to re-run the UpCy experiments distributed on multiple machines using the docker-compose file `docker-compose-upcy-dockerized.yml`\nThe pipeline consists of **one** `rabbitmq` message broker container for distributing the workload, **one** `producer` container creating the tasks, and **multiple** worker containers that run UpCy.\n\n\n\nBefore running the containers copy the file `upcy.sample.env` to `upcy.env` and adapt the environment variables there.\nTo save the results, the containers connect to an external `FILESERVER_HOST` that you must specify in the env file.\nThe `FILESERVER_HOST` can be a WebDav server, starting with `https://` or a local folder, starting with `file://`\nThe producer node reads as input from `FILESERVER_HOST/project_input_recommendation.zip`.\nFor creating the file from [experimental-results_dataset.zip](https://zenodo.org/record/7037674#.YxDXFOxBzUY) run the bash script `prepare-inputfile.sh`\nIf you prefer to create the file manually, keep in mind that\n- the file must contain a root folder `projects`\n- sub-folders with `repoOwner_repoName` and containing a `COMMIT` file\n- the sub-folders must contain the `_update-steps.csv` files\n- the example input is [experimental-results_dataset.zip](https://zenodo.org/record/7037674#.YxDXFOxBzUY). Note the file does not have the root folder `projects`. Thus, you must unzip it and add the root folder yourself.\n\n\n## ToDos (Performance Improvements)\n- Split Cypher Query to speed up performance heavily (most critical performance improvement)\n  - MATCH query to find nodes that solve constraint\n  - 2nd query to get for the returned nodes the subgraph\n  - merge both graph (nodes based on gavc) to not lose any information (e.g., due to limit)\n- Pooling of MongoDB Connections in Sig*Process, since they are separate processes, the connection pool is not shared =\u003e SigTest / Processor / MySigTestHandler in separate Process\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecure-software-engineering%2Fupcy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecure-software-engineering%2Fupcy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecure-software-engineering%2Fupcy/lists"}