University of Oulu

Inclusion criteria for third-party dependencies in enterprise software projects

Author: Mustonen, Benjamin
Organizations: University of Oulu, Faculty of Information Technology and Electrical Engineering, Department of Information Processing Science, Information Processing Science
Format: ebook
Version: published version
Access: open
Online Access: PDF Full Text (PDF, 1.7 MB)
Pages: 77
Language: English
Published: Oulu : B. Mustonen, 2023
Publish Date: 2023-06-21
Thesis type: Master's thesis
Tutor: Turhan, Burak
Reviewer: Ram, Prabhat; Turhan, Burak


Third-party libraries are commonly used in software development to save development time, allowing teams to focus on implementing their own business logic. Including third-party dependencies in a project is not without its risks, however. Bugs, vulnerabilities, and license incompatibilities are only some of the potential issues that can arise from third-party dependencies, yet knowing what to look for before including a dependency can be difficult.

This thesis investigates the factors that should be considered when including a third-party dependency through a review of current scientific literature and models a testable set of inclusion criteria through the design science process. The factors found in the literature were validated and assigned importance levels through a developer survey. Based on the survey results, the model was finalised and tested on six different libraries. The model as well as the test results were then evaluated by developers in a small-scale workshop.

The design science process resulted in a proof-of-concept model that was considered quite good by the developers evaluating it, in addition to a synthesis of existing knowledge on third-party dependencies. The model includes 14 factors divided into eight different criteria, with each factor having a clear definition, a way to measure it, as well as the number of points it contributes to the scoring system of the model. The final score of the model can then be used as a reference to aid in the dependency inclusion decision making process. The developers considered the criteria to be usable enough to be implemented as part of their dependency inclusion process with some minor changes. The major limitation with these findings is that the developer data, used in both creating the importance ratings as well as evaluating the model, was acquired through convenience sampling. This means that the findings cannot be generalised to a wider population. Additionally, the survey and the workshop both had low participation rates of 40% and 55% respectively, hurting the credibility of the results. Future research should consider repeating the study with sampling that can be generalised to a larger population to validate and improve upon the results in this thesis.


Copyright information: © Benjamin Mustonen, 2023. Except where otherwise noted, the reuse of this document is authorised under a Creative Commons Attribution 4.0 International (CC-BY 4.0) licence. This means that reuse is allowed provided appropriate credit is given and any changes are indicated. For any use or reproduction of elements that are not owned by the author(s), permission may need to be obtained directly from the respective rights holders.