CfgNet: A Framework for Tracking Equality-Based Configuration Dependencies Across a Software Project

Modern software development incorporates various technologies, such as containerization, CI/CD pipelines, and build tools, which have to be jointly configured to enable building, testing, deployment, and execution of software systems. The vast configuration space spans several different configuration artifacts with their own syntax and semantics, encoding hundreds of configuration options and their values. The interplay of these technologies requires some level of coordination, which is realized by matching configurations. That is, configuration options and their according values may depend on other options and values from entirely different technologies and artifacts. This creates non-obvious configuration dependencies that are hard to track. The missing awareness and overview of such configuration dependencies across diverse configuration artifacts, tools, and frameworks can lead to dependency conflicts and severe configuration errors. We propose CfgNet , a framework that models the configuration landscape of a software project as a configuration network in an extensible and artifact-independent way. This way, we enable the early detection of possible dependency violations and proactively prevent misconfigurations during software development and maintenance. In a literature study, we found that the most common form of dependencies is the equality of values of different options. Based on this result, we developed an equality-based linker to determine dependent options across different artifacts. To demonstrate the extensibility of our framework, we also implemented nine plugins for popular technologies, such as Maven and Docker. To evaluate our approach, we injected and violated five real-world configuration dependencies extracted from Stack Overflow, which we support with our technology plugins, in five subject systems. CfgNet found all injected dependency violations and four additional ones already present in these systems. Moreover, we applied CfgNet to the commit history of 50 repositories selected from GitHub and found dependency conflicts in about two thirds of these repositories. We manually inspected 883 conflicts, with about 89 % true positives, demonstrating the need to reliably track cross-technology configuration dependencies and prevent their misconfiguration.