TY - GEN
T1 - Efficient Prior Publication Identification for Open Source Code
AU - Serafini, Daniele
AU - Zacchiroli, Stefano
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/9/7
Y1 - 2022/9/7
N2 - Free/Open Source Software (FOSS) enables large-scale reuse of preexisting software components. The main drawback is increased complexity in software supply chain management. A common approach to tame such complexity is automated open source compliance, which consists in automating the verification of adherence to various open source management best practices about license obligation fulfillment, vulnerability tracking, software composition analysis, and nearby concerns. We consider the problem of auditing a source code base to determine which of its parts have been published before, which is an important building block of automated open source compliance toolchains. Indeed, if source code allegedly developed in house is recognized as having been previously published elsewhere, alerts should be raised to investigate where it comes from and whether this entails that additional obligations shall be fulfilled before product shipment. We propose an efficient approach for prior publication identification that relies on a knowledge base of known source code artifacts linked together in a global Merkle direct acyclic graph and a dedicated discovery protocol. We introduce swh-scanner, a source code scanner that realizes the proposed approach in practice using as knowledge base Software Heritage, the largest public archive of source code artifacts. We validate experimentally the proposed approach, showing its efficiency in both abstract (number of queries) and concrete terms (wall-clock time), performing benchmarks on 16845 real-world public code bases of various sizes, from small to very large.
AB - Free/Open Source Software (FOSS) enables large-scale reuse of preexisting software components. The main drawback is increased complexity in software supply chain management. A common approach to tame such complexity is automated open source compliance, which consists in automating the verification of adherence to various open source management best practices about license obligation fulfillment, vulnerability tracking, software composition analysis, and nearby concerns. We consider the problem of auditing a source code base to determine which of its parts have been published before, which is an important building block of automated open source compliance toolchains. Indeed, if source code allegedly developed in house is recognized as having been previously published elsewhere, alerts should be raised to investigate where it comes from and whether this entails that additional obligations shall be fulfilled before product shipment. We propose an efficient approach for prior publication identification that relies on a knowledge base of known source code artifacts linked together in a global Merkle direct acyclic graph and a dedicated discovery protocol. We introduce swh-scanner, a source code scanner that realizes the proposed approach in practice using as knowledge base Software Heritage, the largest public archive of source code artifacts. We validate experimentally the proposed approach, showing its efficiency in both abstract (number of queries) and concrete terms (wall-clock time), performing benchmarks on 16845 real-world public code bases of various sizes, from small to very large.
KW - license compliance
KW - open compliance
KW - open source
KW - prior art
KW - software supply chain
KW - source code scanning
U2 - 10.1145/3555051.3555068
DO - 10.1145/3555051.3555068
M3 - Conference contribution
AN - SCOPUS:85139161221
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 18th International Symposium on Open Collaboration, OpenSym 2022
PB - Association for Computing Machinery
T2 - 18th International Symposium on Open Collaboration, OpenSym 2022
Y2 - 6 September 2022 through 10 September 2022
ER -