IQT Labs' Open Source Software Nutrition Label Prototype is a proof-of-concept visualization designed to support analysis of third-party code dependencies.
It brings together open source software project metadata and allows users to sort their dependencies based on different criteria.
This project is:
- A work-in-process
- Co-produced by the IQT Labs Human-Machine Interfaces and Engineering teams
- Conceived as a platform for future collaboration
- Part of an ongoing applied research initiative focused on third-party code dependencies
- Currently available as a series of minimum working examples (MWEs) based on an internal software project, below:
  - MWE #1 | MWE #2 | MWE #3 | MWE #4 | MWE #5
Many Python and JavaScript packages in circulation today are fit for consumption, providing real productivity benefits to the developers who rely on them. Others are more akin to junk food: momentarily enticing, easy both to ingest and to neglect, but sub-optimal in the long term. (For instance, when analyzing one of our codebases, we came across a package dependency which serves as a “tombstone package”.) Finally, a few contain the software analogue of food contaminants, which compromise basic security and effectiveness, underscoring the need for more sophisticated open source software health metrics.
The Nutrition Label concept is an approach to information transparency that researchers in the data science, online media, and Internet of Things (IoT) communities have adapted from its original FDA context. Our premise is that software nutrition labels can help developers and enterprise program managers make better-informed decisions about third-party software on the basis of project health, maintenance activity, and supply chain risk.
Much like the long, tortuous history of food labeling in the United States, the push for greater transparency around open source software and data science packages will likely involve many stakeholders working together over an extended period. The IQT Labs Open Source Software Nutrition Label prototype is one small attempt to demonstrate the art of the possible in this context.
This codebase and the demo links above contain minimum working examples (MWEs) which are neither feature-complete, nor production-ready.
The current MWEs focus on IQT Labs' FakeFinder face-swap detection project. They visualize package health score data from Snyk Advisor* (94/100 example above) as well as associated software project metadata, for the top-level software dependencies listed in FakeFinder's various requirements.txt files.
* Example from a query dated 2021-08-25.
- N.B. These values may have changed since our initial query in 2021. We have not set the UI to refresh automatically.
The Snyk- and GitHub-derived data shown in the Open Source Software Nutrition Label Prototype are not endorsed or approved by IQT Labs, and future nutrition label releases may vary.
Please note that Snyk Advisor scores change over time and as the data underlying this demo represents a single snapshot in time, future Snyk results for these same Python software packages are likely to vary. These data are provided “as is” with no warranties of any kind, and use of this information is at your sole risk. To the maximum extent provided by law, neither IQT Labs and its affiliates nor any government agency or third party shall be liable for any damages of any kind relating to or resulting from use of the information on this site. For more information, review IQT's Terms of Use.
Built in React and TypeScript, the Open Source Software Nutrition Label Prototype takes advantage of @lineup-lite's multi-attribute ranking and data visualization capabilities.
The visualization approach we chose for this prototype enables users to make sophisticated comparisons. As Samuel Gratzl et al. (2013) explain:
Multi-attribute rankings are ubiquitous and diverse. Popular examples include university rankings, rankings of food products by their nutrient content, rankings of computer hardware, and most livable city rankings. When rankings are based on a single attribute or are completely subjective, their display is trivial and does not require elaborate visualization techniques. If a ranking, however, is based on multiple attributes, how these attributes contribute to the rank and how changes in one or more attributes influence the ranking is not straightforward to understand. In order to interpret, modify, and compare such rankings, we need advanced visual tools.
To customize this prototype with data of your own:
- clone (or download) this repo
- modify your rows in src/data/index.tsx
- update your columns in src/App.tsx
That's it. There's no step four!
Provided you can run React locally and provided you've formatted your row data and column visualizations correctly, React.useMemo will take care of the rest.
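To make the row/column split concrete, here is an added example (not the prototype's own code) showing a dependency row shape of the kind that would live in src/data/index.tsx, weighted ranking columns of the kind that would be configured in src/App.tsx, and a pure multi-attribute ranking in the spirit of LineUp; the field names, weights and sample rows are constructed.

```typescript
// Added example, not the prototype's own code: a dependency row shape and a
// pure weighted multi-attribute ranking in the spirit of LineUp. Field names,
// weights and sample rows are constructed.
interface DependencyRow {
  name: string;
  snykScore: number;        // Snyk Advisor health score, 0..100 (higher is better)
  daysSinceRelease: number; // staleness signal (lower is better)
  openIssues: number;       // maintenance backlog (lower is better)
}
interface RankingColumn {
  key: 'snykScore' | 'daysSinceRelease' | 'openIssues';
  weight: number;           // relative contribution to the combined rank
  higherIsBetter: boolean;
}
// Constructed rows, the kind of data that would live in src/data/index.tsx.
const sampleRows: DependencyRow[] = [
  { name: 'pkg-a', snykScore: 94, daysSinceRelease: 30, openIssues: 10 },
  { name: 'pkg-b', snykScore: 60, daysSinceRelease: 900, openIssues: 40 },
  { name: 'pkg-c', snykScore: 80, daysSinceRelease: 180, openIssues: 0 },
];
// Constructed column weights, the kind of setup that would live in src/App.tsx.
const sampleColumns: RankingColumn[] = [
  { key: 'snykScore', weight: 0.5, higherIsBetter: true },
  { key: 'daysSinceRelease', weight: 0.3, higherIsBetter: false },
  { key: 'openIssues', weight: 0.2, higherIsBetter: false },
];
// Min-max normalise one metric to [0, 1] with 1 always meaning "best".
// A column whose values are all equal cannot discriminate, so it scores 1.
function normalise(rows: DependencyRow[], col: RankingColumn): number[] {
  const values = rows.map((r) => r[col.key]);
  const min = Math.min(...values);
  const max = Math.max(...values);
  if (max === min) return values.map(() => 1);
  return values.map((v) => {
    const scaled = (v - min) / (max - min);
    return col.higherIsBetter ? scaled : 1 - scaled;
  });
}
// Weighted sum of the normalised metrics, sorted best first.
function rankDependencies(rows: DependencyRow[], columns: RankingColumn[]): { name: string; score: number }[] {
  const totalWeight = columns.reduce((s, c) => s + c.weight, 0);
  if (totalWeight <= 0) throw new Error('column weights must sum to more than 0');
  const perColumn = columns.map((c) => normalise(rows, c));
  return rows
    .map((row, i) => ({
      name: row.name,
      score: columns.reduce((s, c, j) => s + (c.weight / totalWeight) * perColumn[j][i], 0),
    }))
    .sort((a, b) => b.score - a.score);
}
```

Changing a weight in sampleColumns reorders the result without touching the rows, which is the separation the three-step customization relies on.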
As the react-table Quick Start Guide explains:
It's important that we're using React.useMemo here to ensure that our data isn't recreated on every render. If we didn't use React.useMemo, the table would think it was receiving new data on every render and attempt to recalculate a lot of logic every single time.
If you get stuck at any point, we also recommend familiarizing yourself with the @lineup-lite/components documentation.
Anyone interested in discussing related research or collaboration should e-mail gsieniawski@iqt.org.
- 🦂 Catch a bug? Smell an odor? Open a New Issue ticket detailing the problem; incl. screenshots if you can
- Have pertinent and unrestricted components to add? We look forward to reviewing new Pull Requests that originate from feature dev. branches
- Pro tip: the odds we'll act promptly on/respond favorably to any of the above increase exponentially if you follow best practices
While @lineup-lite uses MPL 2.0, the Open Source Software Nutrition Label Prototype is available under the Apache 2.0 License.