Dynamic Analysis of Inter-endpoint Dependencies in RESTful APIs

Abstract

In an era where software products are used in every aspect of everyday life, mechanisms for their efficient architecture, management and availability are essential. An Application Programming Interface (API), particularly a REST API, is a widely adopted mechanism through which software components expose their functionalities to other components, applications or users. REST APIs define a set of endpoints, each exposing a specific functionality of the underlying software. However, the efficient and correct utilization of an API requires a thorough understanding of both the functionality and structure of each endpoint individually, as well as the interactions among them. Often, API calls must adhere to a specific order, as invoking an endpoint correctly may require data returned from a call to another endpoint. Detecting these dependencies guides optimal API utilization and reveals valuable workflows in a way that can accelerate development. Although current API documentation - such as OpenAPI specifications or Postman Collections - offers structural details, descriptions and examples, it lacks sufficient information to clarify endpoint interactions and dependencies. This thesis first introduces an existing static method developed in a previous study, for identifying dependencies by analyzing Postman Collections. While this method successfully reveals such dependencies, it is constrained by the need for a Postman Collection - which is often lacking - and the limited accuracy and completeness of its results. This study builds on previous work, and introduces a new dynamic approach to identify dependencies by capturing and analyzing real-world API calls through a mediator system, thereby incorporating dynamic business logic insights into the analysis. This method significantly enhances the quality of results and enables the generation of dependency documentation even for APIs that are entirely undocumented. Finally, the dynamic method is integrated into the RADAR system, which provides an environment for visualizing and analyzing API dependencies identified through both static and dynamic analysis.