SciTransfer
FASTEN · Project

Track Hidden Risks in Open Source Code Your Software Depends On

digital · Piloted · TRL 7

Imagine your company builds software using hundreds of free building blocks from the internet — like LEGO pieces made by strangers. If one piece turns out to be broken or legally restricted, you might not even know it's buried deep inside your product. FASTEN built a kind of X-ray machine that looks inside all those building blocks at the individual function level, spotting security holes, license problems, and risky dependencies before they blow up. Think of the Equifax breach — a single outdated library led to hundreds of thousands of leaked credit card numbers.

By the numbers
hundreds of thousands: websites disrupted by the LeftPad incident (illustrating dependency risk)
hundreds of thousands: credit card numbers leaked in the Equifax breach (illustrating security risk)
3: programming languages supported (Java, C, Python)
53: total project deliverables produced
9: demo deliverables with working implementations
7: consortium partners across 5 countries
EUR 3,488,536: EU contribution to project development

The business problem

What needed solving

Every company shipping software today depends on chains of open source libraries — but a single vulnerable or improperly licensed component buried deep in those chains can cause data breaches (like Equifax, with hundreds of thousands of credit card numbers leaked) or service outages (like LeftPad, which took down hundreds of thousands of websites). Current tools only check dependencies at the package level, missing the critical question: does your code actually call the dangerous function?

The solution

What was built

FASTEN built a method-level dependency tracking service for Java, C, and Python ecosystems, including: call graph implementations for all 3 languages, a license compliance and compatibility solver, a ranked search engine for reachability and impact queries, and a rules-based compliance checking and reporting tool. All components were delivered in final versions across 53 deliverables.

Audience

Who needs this

Enterprise software companies managing large open source dependency chains
Financial institutions under regulatory pressure to secure software supply chains
Automotive OEMs building software-defined vehicles with open source C components
SaaS providers needing automated license compliance verification
Government IT departments required to audit software provenance

Business applications

Who can put this to work

Financial Services & Fintech (enterprise)
Target: Banks, insurance companies, and payment processors relying on open source software

If you are a financial services company dealing with regulatory pressure to secure your software supply chain — this project developed a method-level dependency analysis service for Java, C, and Python that traces exactly which vulnerable code paths your application actually calls. Instead of getting hundreds of false-positive vulnerability alerts, you see only the risks that genuinely reach your running code, letting your security team focus on what matters.

Software Development & SaaS (any)
Target: Software product companies and SaaS providers shipping products built on open source

If you are a software company shipping products assembled from open source libraries and worried about license compliance — this project built a license compliance and compatibility solver that operates on call graphs, detecting exactly which license obligations apply to your specific usage. With 53 deliverables including a ranked search engine for reachability and impact queries, the tooling helps you clear legal reviews faster and avoid costly license violations.

Automotive & Embedded Systems (enterprise)
Target: Automotive OEMs and Tier-1 suppliers building software-defined vehicles

If you are an automotive company integrating open source into safety-critical C codebases and need to prove supply chain integrity — this project implemented application-specific build graphs for C (alongside Java and Python) that map dependencies at the function call level. This gives your compliance teams the evidence they need for type-approval audits and helps catch vulnerability propagation paths that traditional package-level scanners miss entirely.

Frequently asked

Quick answers

What would this cost to adopt?

The project's tools were built as services integrated into popular package managers for Java, C, and Python. As an EU Innovation Action funded with EUR 3,488,536, results are expected to be available under open terms, though commercial support or enterprise features may require licensing from consortium partners. Contact the consortium for current pricing.

Does this work at industrial scale with large codebases?

Yes — the project was specifically designed to handle massive dependency networks like Maven and PyPI, which contain millions of packages. The ranked search engine for reachability and impact queries was built to process ecosystem-wide call graphs, and the consortium included 3 industry partners to validate real-world scalability.

Who owns the intellectual property?

IP is shared among the 7 consortium partners across 5 countries under the Horizon 2020 grant agreement. The project built a license compliance solver and a rules-based compatibility checker — tools that themselves address IP questions. Contact TU Delft (coordinator) for licensing terms on specific components.

Which programming languages are supported?

The project built application-specific call graph implementations for Java, C, and Python — covering three of the most widely used languages in enterprise and open source development. These integrate with existing package managers like Maven and PyPI.

How does this differ from existing vulnerability scanners?

Traditional scanners flag every known vulnerability in any dependency you include, generating massive noise. FASTEN works at the method call-graph level, meaning it traces whether your code actually calls the vulnerable function. This dramatically reduces false positives and tells you exactly which code paths carry real risk.
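The difference between package-level and method-level flagging described above, and the idea from the SaaS section that license obligations can likewise be computed over the call graph, are easiest to see on a small graph. The following Python script is an added illustration, not FASTEN's own code or data model: the call graph, the advisory ids and the license metadata are all constructed for the example, and the package names (myapp, jsonlib, templ, netlib) are hypothetical. It walks the graph from the application's entry points, reports only the advisories whose vulnerable function is actually reachable, produces the call chain as audit evidence, and lists the licenses of the packages whose code is really exercised.

```python
from collections import deque

# Constructed call graph for a hypothetical application "myapp" and three
# hypothetical third-party packages. Nodes are "package:function"; each key
# lists the functions it calls. This stands in for the call graph a tool such
# as FASTEN would build from the packages' actual code.
CALL_GRAPH = {
    "myapp:main": ["myapp:render_report", "jsonlib:parse"],
    "myapp:render_report": ["templ:render"],
    "jsonlib:parse": ["jsonlib:_tokenize"],
    "jsonlib:_tokenize": [],
    "jsonlib:load_remote": ["netlib:fetch"],      # never called by myapp
    "netlib:fetch": [],
    "templ:render": ["templ:_escape"],
    "templ:_escape": [],
    "templ:render_unsafe": ["templ:_eval_expr"],  # never called by myapp
    "templ:_eval_expr": [],
}

# Constructed advisories keyed by the vulnerable function; the ids are
# placeholders, not real CVE numbers.
VULNERABLE_FUNCTIONS = {
    "templ:_eval_expr": "ADVISORY-PLACEHOLDER-1",
    "jsonlib:_tokenize": "ADVISORY-PLACEHOLDER-2",
}

# Constructed license metadata per package.
PACKAGE_LICENSES = {
    "myapp": "proprietary",
    "jsonlib": "MIT",
    "templ": "Apache-2.0",
    "netlib": "GPL-3.0-only",
}


def package_of(node):
    """'pkg:func' -> 'pkg'."""
    return node.split(":", 1)[0]


def reachable(graph, entry_points):
    """Breadth-first search from the application's entry points; returns
    every function that can be reached through some chain of calls."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def call_path(graph, entry, target):
    """Shortest call chain from entry to target, or None if target is
    unreachable; this chain is the evidence an auditor wants to see."""
    parents = {entry: None}
    queue = deque([entry])
    while queue:
        caller = queue.popleft()
        if caller == target:
            path = []
            while caller is not None:
                path.append(caller)
                caller = parents[caller]
            return path[::-1]
        for callee in graph.get(caller, []):
            if callee not in parents:
                parents[callee] = caller
                queue.append(callee)
    return None


def package_level_alerts(graph, advisories):
    """What a package-level scanner reports: every advisory against any
    package that appears anywhere in the dependency tree."""
    present = {package_of(n) for n in graph}
    return sorted(f for f in advisories if package_of(f) in present)


def method_level_alerts(graph, entry_points, advisories):
    """Only advisories whose vulnerable function is actually reachable."""
    reached = reachable(graph, entry_points)
    return sorted(f for f in advisories if f in reached)


def reachable_licenses(graph, entry_points, licenses):
    """License obligations that apply to the code the application really
    exercises: one entry per package with at least one reachable function."""
    pkgs = {package_of(n) for n in reachable(graph, entry_points)}
    return {p: licenses[p] for p in sorted(pkgs)}


if __name__ == "__main__":
    entry = ["myapp:main"]
    print("package-level alerts:", package_level_alerts(CALL_GRAPH, VULNERABLE_FUNCTIONS))
    print("method-level alerts: ", method_level_alerts(CALL_GRAPH, entry, VULNERABLE_FUNCTIONS))
    for f in method_level_alerts(CALL_GRAPH, entry, VULNERABLE_FUNCTIONS):
        print("  evidence:", " -> ".join(call_path(CALL_GRAPH, "myapp:main", f)))
    print("licenses in use:     ", reachable_licenses(CALL_GRAPH, entry, PACKAGE_LICENSES))
```

On this constructed graph a package-level scanner raises both advisories because both packages are present in the tree, while the method-level walk raises only the jsonlib one, since nothing in myapp ever calls templ's unsafe renderer. The same walk shows that netlib's GPL license never enters the picture for this application, even though netlib is a transitive dependency. A real implementation has to handle the cases this toy ignores, above all dynamic dispatch, reflection and language-specific indirection, which is where the per-language call graph builders the page describes do their work.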

Is this ready to deploy today?

The project ran from 2019 to 2022 and delivered final versions of all core components: the call graph builder, license compliance solver, and ranked search engine. As an Innovation Action, it targeted near-market readiness. Contact the consortium to learn about current deployment options and ongoing maintenance.

Does it help with regulatory compliance like the EU Cyber Resilience Act?

Based on available project data, FASTEN's method-level dependency tracking and license compliance tools directly address the kind of software supply chain transparency that regulations like the EU Cyber Resilience Act demand. The rules-based compliance checks and reporting deliverable was built specifically for this purpose.

Consortium

Who built it

The FASTEN consortium of 7 partners across 5 countries (DE, EL, FR, IT, NL) is well-balanced for bringing research to market: 3 universities provide the scientific depth in ecosystem analysis and graph processing, while 3 industry partners (including 3 SMEs) ensure the tools work in real development workflows. The 43% industry ratio is strong for a research-to-market project. Coordinated by TU Delft — one of Europe's top technical universities with deep software engineering expertise — the EUR 3,488,536 budget supported 53 deliverables, an unusually high output suggesting mature, production-oriented development rather than purely academic research.

How to reach the team

TU Delft, Netherlands — reach out to the Software Engineering department for FASTEN follow-up

Next steps

Talk to the team behind this work.

Want to know if FASTEN's dependency analysis tools fit your software supply chain security needs? SciTransfer can arrange a direct introduction to the right consortium partner for your use case.