Reif, Michael; Eichberg, Michael; Mezini, Mira; Tichy, Matthias; Bodden, Eric; Kuhrmann, Marco; Wagner, Stefan; Steghöfer, Jan-Philipp
2019-03-29
2019-03-29
2018
978-3-88579-673-2
https://dl.gi.de/handle/20.500.12116/21122

Proceeding FSE 2016 Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering.

Today, every application uses software libraries. Yet, while a lot of research exists w.r.t. analyzing applications, research that targets the analysis of extensible libraries and frameworks as such is scarce. This is unfortunate because developers of libraries (e.g. the Java Development Kit) want to ensure that the library behaves as intended regardless of how it is used. To fill this gap, we discuss the construction of call graphs that abstract over all potential usages of the respective library. Additionally, we show that the current practice of using call graph algorithms designed for applications leads to call graphs that, at the same time, lack relevant call edges and contain unnecessary edges when used for libraries. Unlike algorithms for applications, call graph construction algorithms for libraries must also take the goals of subsequent analyses into consideration. We will discuss the differences between an analysis for vulnerabilities vs. one for general software quality attributes, e.g., dead methods. This distinction affects the decision about what constitutes the library-private implementation, which, therefore, needs special treatment.

en
Call Graph Construction; Libraries; Java
Call Graph Construction for Java Libraries
Text/Conference Paper
1617-5468