CENTRIS: A Precise and Scalable Approach for Identifying Modified Open-Source Software Reuse
Format: Journal Article
Language: English
Published: 11-02-2021
Summary: Open-source software (OSS) is widely reused as it provides convenience and efficiency in software development. Despite evident benefits, unmanaged OSS components can introduce threats, such as vulnerability propagation and license violation. However, identifying reused OSS components is a challenge because the reused OSS is predominantly modified and nested. In this paper, we propose CENTRIS, a precise and scalable approach for identifying modified OSS reuse. By segmenting an OSS code base and detecting the reuse of only the unique part of the OSS, CENTRIS is capable of precisely identifying modified OSS reuse in the presence of nested OSS components. For scalability, CENTRIS eliminates redundant code comparisons and accelerates the search using hash functions. When we applied CENTRIS to 10,241 widely employed GitHub projects, comprising 229,326 versions and 80 billion lines of code, we observed that modified OSS reuse is the norm in software development, occurring 20 times more frequently than exact reuse. Nonetheless, CENTRIS identified reused OSS components with 91% precision and 94% recall in less than a minute per application on average, whereas a recent clone detection technique, which does not take modified and nested OSS reuse into account, hardly reached 10% precision and 40% recall.
DOI: 10.48550/arxiv.2102.06182