CENTRIS: A precise and scalable approach for identifying modified open-source software reuse

Seunghoon Woo; Sunghan Park; Seulbae Kim; Heejo Lee; Hakjoo Oh

doi:10.1109/ICSE43902.2021.00083

CENTRIS: A precise and scalable approach for identifying modified open-source software reuse

Seunghoon Woo, Sunghan Park, Seulbae Kim, Heejo Lee, Hakjoo Oh

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

36 Citations (Scopus)

Abstract

Open-source software (OSS) is widely reused as it provides convenience and efficiency in software development. Despite evident benefits, unmanaged OSS components can introduce threats, such as vulnerability propagation and license violation. Unfortunately, however, identifying reused OSS components is a challenge as the reused OSS is predominantly modified and nested. In this paper, we propose CENTRIS, a precise and scalable approach for identifying modified OSS reuse. By segmenting an OSS code base and detecting the reuse of a unique part of the OSS only, CENTRIS is capable of precisely identifying modified OSS reuse in the presence of nested OSS components. For scalability, CENTRIS eliminates redundant code comparisons and accelerates the search using hash functions. When we applied CENTRIS on 10,241 widely-employed GitHub projects, comprising 229,326 versions and 80 billion lines of code, we observed that modified OSS reuse is a norm in software development, occurring 20 times more frequently than exact reuse. Nonetheless, CENTRIS identified reused OSS components with 91% precision and 94% recall in less than a minute per application on average, whereas a recent clone detection technique, which does not take into account modified and nested OSS reuse, hardly reached 10% precision and 40% recall.

Original language	English
Title of host publication	Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering, ICSE 2021
Publisher	IEEE Computer Society
Pages	860-872
Number of pages	13
ISBN (Electronic)	9780738113197
DOIs	https://doi.org/10.1109/ICSE43902.2021.00083
Publication status	Published - 2021 May
Event	43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021 - Virtual, Online, Spain Duration: 2021 May 22 → 2021 May 30

Publication series

Name	Proceedings - International Conference on Software Engineering
ISSN (Print)	0270-5257

Conference

Conference	43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021
Country/Territory	Spain
City	Virtual, Online
Period	21/5/22 → 21/5/30

Bibliographical note

Publisher Copyright:
© 2021 IEEE.

Keywords

Open-Source Software
Software Composition Analysis
Software Security

ASJC Scopus subject areas

Software

Access to Document

10.1109/ICSE43902.2021.00083

Cite this

Woo, S., Park, S., Kim, S., Lee, H., & Oh, H. (2021). CENTRIS: A precise and scalable approach for identifying modified open-source software reuse. In Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering, ICSE 2021 (pp. 860-872). (Proceedings - International Conference on Software Engineering). IEEE Computer Society. https://doi.org/10.1109/ICSE43902.2021.00083

CENTRIS: A precise and scalable approach for identifying modified open-source software reuse. / Woo, Seunghoon; Park, Sunghan; Kim, Seulbae et al.
Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering, ICSE 2021. IEEE Computer Society, 2021. p. 860-872 (Proceedings - International Conference on Software Engineering).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Woo, S, Park, S, Kim, S, Lee, H & Oh, H 2021, CENTRIS: A precise and scalable approach for identifying modified open-source software reuse. in Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering, ICSE 2021. Proceedings - International Conference on Software Engineering, IEEE Computer Society, pp. 860-872, 43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021, Virtual, Online, Spain, 21/5/22. https://doi.org/10.1109/ICSE43902.2021.00083

@inproceedings{f338b3021b5c40ff9accf23ac13bcc59,

title = "CENTRIS: A precise and scalable approach for identifying modified open-source software reuse",

abstract = "Open-source software (OSS) is widely reused as it provides convenience and efficiency in software development. Despite evident benefits, unmanaged OSS components can introduce threats, such as vulnerability propagation and license violation. Unfortunately, however, identifying reused OSS components is a challenge as the reused OSS is predominantly modified and nested. In this paper, we propose CENTRIS, a precise and scalable approach for identifying modified OSS reuse. By segmenting an OSS code base and detecting the reuse of a unique part of the OSS only, CENTRIS is capable of precisely identifying modified OSS reuse in the presence of nested OSS components. For scalability, CENTRIS eliminates redundant code comparisons and accelerates the search using hash functions. When we applied CENTRIS on 10,241 widely-employed GitHub projects, comprising 229,326 versions and 80 billion lines of code, we observed that modified OSS reuse is a norm in software development, occurring 20 times more frequently than exact reuse. Nonetheless, CENTRIS identified reused OSS components with 91% precision and 94% recall in less than a minute per application on average, whereas a recent clone detection technique, which does not take into account modified and nested OSS reuse, hardly reached 10% precision and 40% recall.",

keywords = "Open-Source Software, Software Composition Analysis, Software Security",

author = "Seunghoon Woo and Sunghan Park and Seulbae Kim and Heejo Lee and Hakjoo Oh",

note = "Publisher Copyright: {\textcopyright} 2021 IEEE.; 43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021 ; Conference date: 22-05-2021 Through 30-05-2021",

year = "2021",

month = may,

doi = "10.1109/ICSE43902.2021.00083",

language = "English",

series = "Proceedings - International Conference on Software Engineering",

publisher = "IEEE Computer Society",

pages = "860--872",

booktitle = "Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering, ICSE 2021",

}

TY - GEN

T1 - CENTRIS

T2 - 43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021

AU - Woo, Seunghoon

AU - Park, Sunghan

AU - Kim, Seulbae

AU - Lee, Heejo

AU - Oh, Hakjoo

PY - 2021/5

Y1 - 2021/5

N2 - Open-source software (OSS) is widely reused as it provides convenience and efficiency in software development. Despite evident benefits, unmanaged OSS components can introduce threats, such as vulnerability propagation and license violation. Unfortunately, however, identifying reused OSS components is a challenge as the reused OSS is predominantly modified and nested. In this paper, we propose CENTRIS, a precise and scalable approach for identifying modified OSS reuse. By segmenting an OSS code base and detecting the reuse of a unique part of the OSS only, CENTRIS is capable of precisely identifying modified OSS reuse in the presence of nested OSS components. For scalability, CENTRIS eliminates redundant code comparisons and accelerates the search using hash functions. When we applied CENTRIS on 10,241 widely-employed GitHub projects, comprising 229,326 versions and 80 billion lines of code, we observed that modified OSS reuse is a norm in software development, occurring 20 times more frequently than exact reuse. Nonetheless, CENTRIS identified reused OSS components with 91% precision and 94% recall in less than a minute per application on average, whereas a recent clone detection technique, which does not take into account modified and nested OSS reuse, hardly reached 10% precision and 40% recall.

AB - Open-source software (OSS) is widely reused as it provides convenience and efficiency in software development. Despite evident benefits, unmanaged OSS components can introduce threats, such as vulnerability propagation and license violation. Unfortunately, however, identifying reused OSS components is a challenge as the reused OSS is predominantly modified and nested. In this paper, we propose CENTRIS, a precise and scalable approach for identifying modified OSS reuse. By segmenting an OSS code base and detecting the reuse of a unique part of the OSS only, CENTRIS is capable of precisely identifying modified OSS reuse in the presence of nested OSS components. For scalability, CENTRIS eliminates redundant code comparisons and accelerates the search using hash functions. When we applied CENTRIS on 10,241 widely-employed GitHub projects, comprising 229,326 versions and 80 billion lines of code, we observed that modified OSS reuse is a norm in software development, occurring 20 times more frequently than exact reuse. Nonetheless, CENTRIS identified reused OSS components with 91% precision and 94% recall in less than a minute per application on average, whereas a recent clone detection technique, which does not take into account modified and nested OSS reuse, hardly reached 10% precision and 40% recall.

KW - Open-Source Software

KW - Software Composition Analysis

KW - Software Security

UR - http://www.scopus.com/inward/record.url?scp=85113459739&partnerID=8YFLogxK

U2 - 10.1109/ICSE43902.2021.00083

DO - 10.1109/ICSE43902.2021.00083

M3 - Conference contribution

AN - SCOPUS:85113459739

T3 - Proceedings - International Conference on Software Engineering

SP - 860

EP - 872

BT - Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering, ICSE 2021

PB - IEEE Computer Society

Y2 - 22 May 2021 through 30 May 2021

ER -

CENTRIS: A precise and scalable approach for identifying modified open-source software reuse

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this