The worldwide software ecosystem [1] (SECO) concerns all software producing organizations and individuals that collaboratively serve a market for software and services. SECOs comprises a network of developers, vendors, consumers, and other stakeholders who interact through various platforms. It includes open-source repository software and also proprietary software ranging from small to large-scale enterprise software systems [2].
A SECO represents a set of actors that function together as a unit that interacts and communicates with a shared software market according to the services and their relationships [3]. Building on this concept, this research proposes a software provenance theory, ensuring that the origin and history of every software engineering artifact are traceable across the entire software supply network.
Mining Software Repositories (MSR) is a research area within software engineering that focuses on analyzing the vast amount of data generated during software development, maintenance, and usage [4]. This data is stored in various repositories such as version control systems (e.g., GitHub), issue trackers (e.g., Jira), and code review systems (e.g., Gerrit), among others. The main goal of MSR is to extract actionable insights and patterns that can improve software quality, guide development processes, and inform decision-making within software teams.
In the broader context of software engineering, MSR plays a crucial role in supporting evidence-based decision-making. By applying techniques from data mining, machine learning, and information retrieval to software repositories, MSR helps researchers and practitioners understand trends, predict future issues, improve software processes, and evaluate the effectiveness of different practices.
Traditionally, repo mining has focused on file-level or project-level data, providing a broad view of software systems and their evolution [5]. However, as software ecosystems grow in complexity, a finergrained approach is increasingly necessary. By analyzing source code at the method level, researchers can obtain more detailed insights into code reuse, identify security vulnerabilities with greater precision, and understand the intricacies of software dependencies and maintenance challenges [3].
We propose SearchSECO, a hash based index for code fragments that enables searching source code at the method level in the worldwide software ecosystem [3]. Currently, it is possible to identify files by their hashes in the Software Heritage Graph. We want to create a set of parsers that extract fragments (methods) from the code files and makes them findable. By making methods from the worldwide software ecosystem findable, we can perform more reliable license checks, search for vulnerabilities, and extract call graphs from those methods [6].
We unearth the relationships between code fragments, code files, and their projects on a worldwide scale. This fine-grained data enables much richer analyses, significantly moving forward the field of empirical software engineering and its sub-field of repository mining. Our first projects will deal with license violation detection in open source, vulnerability finding, and software package identification for SBOM creation [6,7].
The primary aim of this research is to enhance the capabilities of repository mining through the development and deployment of SearchSECO, a hash-based index for code fragments [7]. By enabling method-level source code searching, this research seeks to address critical issues in license conflict detection and vulnerability benchmarking within the worldwide software ecosystem. The goal is to provide a robust, scalable tool that can significantly improve the accuracy and efficiency of software license compliance and security vulnerability detection.
Impact of the Project: The project's main predicted impacts are: 1) enabling data-driven analysis of software ecosystems, and potentially faster submission to the repository mining community, 2) code license checking and conflict identification will be easier and faster with the cutting-edge technology, 3) the outcome of this research will help for better code quality and better findability 4) promotion of the SearchSECO tool to researchers and SearchSECO will ease of use.
Seulbae et al. introduced one state-of-the-art solution named VUDDY (VUlnerable coDe clone DiscoverY) project which is a scalable approach for code clone detection [5]. This work identifies the code clone and vulnerability by leveraging the syntactic and symbolic information of the code. This research worked on four types of code clones that have been recognized and published by scientific papers according to the granularity units such as token level, line level, function level, file level, etc. However, this work has limitations in terms of accuracy and consistency because of granularity abstraction. This leads to higher false negatives and the paper also acknowledges that trustworthiness a concern originates from the false negative. We effectively use similar techniques as VUDDY, however, we are storing all the methods that we encounter instead of only the methods encountered with potential vulnerabilities. This for instance enables us to study license violations, something that VUDDY was not built for.
License conflicts and violations are universal issues, and software licenses generally fall into two categories. The first one is declared licenses which is specified for the whole project and the second one is in-code licenses which are directly attached to files throughout the entire directory tree [8]. Most of the violations originated from the declared to-in-code mismatches on the other hand declared to declared-to-declared inconsistencies also occur but less often.
Research shows [9] there are multiple reasons behind code license violations in open-source code software (OSS). The first one originates from the resource and time constraints of software developers and they do not want to focus on trivial tasks. And the second one is related to the misconceptions about the nature and characteristics of open-source licenses which are escalating chronologically because of the large number of repositories produced. Another paper mentioned about the incompatibility of licenses among components, for example, GNU General Public License (GPL) has multiple versions but it doesn't have backward compatibility such as components released under GPL version 3 are not compatible with components released under GPL version 2 [10]. However, when the same project shares two different licenses then it's an inconsistency but that does not necessarily mean a license conflict. License conflict means contradictory, incompatible obligations or contradictory rights [8].
Wolter et al. also published a research work based on 1,000 GitHub repositories and the found that fifty percent of the work repositories did not include a complete and accurate list of all the licenses associated with the code. However, out of these 10% has a mismatch between permissive and copyleft licenses. This work heavily relied on existing open source tools such as Nomos, ScanCode etc. also mentioned the necessity of license scanning tools directly from the code.
The FOSSology project is one of the widely used projects for license detection [11]. Based on regular expressions a license scanner has been developed and the main tool of FOSSology. For the purpose of license scanning, FOSSology introduced open-source license scanners, for example, Ninka. Within source code comments, Nika can analyze sentences and it can recognize over 120 different licenses [12]. Some research done based on binary code clone detection for detecting software code released in binary form [13] which mentioned that upstream suppliers often provide solutions in binary form, thus it's difficult to assess the existence of unlicensed third-party code. It's also mentioned that the license violations are not accidental, but rather more systematic, and for most software and hardware products this is a large-scale problem.
This research is based on a previously proposed solution named SearchSECO by Slinger Jansen et al. for a hash-based index that aims to collect billions of open-source files from open-source repositories to provide full software provenance which also address the license conflicts and violations problem [3].
Software engineering is a maturing field, and repository mining as a branch of it, is as well. This can be observed especially when looking at the way in which empirical software engineering research is being conducted and evaluated. In this thesis project, we follow the empirical software engineering research standards for our sub-projects. 1To address the issues and problems of vulnerability detection, license conflicts, software maintenance, and scalability in large-scale software ecosystems, this PhD research will enhance the capability and explore the possibility of an already proposed solution named SearchSECO [3]. This PhD research will be under the Design Science Research (DSR) paradigm because this research is based on software artifact development which involves an evaluation process for code license violation detection. The evaluation process will have two steps: the first step is a vulnerability benchmarking framework that will be established to evaluate the capabilities of the SearchSECO software artifact. The second step is a case study in an industry organization and for this purpose, we plan to incorporate other research methods under DSR to answer a particular research question. For example, to deploy SearchSECO in an industry organization and to identify code license violations in large unidentified code bases we will follow Action Design Research (ADR) as a part of this PhD research (section 6, WP2 and WP3) [14,15]. ADR is particularly designed to develop, work, and evaluate with organizational settings where researcher intervention is expected [16]. This method centers on creating, intervening, and evaluating an artifact that embodies the researchers' theoretical foundations and intentions while incorporating user influence and the impact of real-world use.
A validity threat for our project is that we can hardly generalize our findings to the whole software ecosystem. Even though we currently have analyzed the top 100.000 projects on Github, that is still only a fraction of the total Github source code, let alone the worldwide software ecosystems' source code. For now, we will refrain from making inductive statements outside of the scope of our own data set.
A construct validity threat is on the definition of a clone. Currently, we are storing any clone, including for instance, getters and setters, in an abstract manner. However, as these are typically uniform and we use a high level of abstraction, we find many false positives in our clone set. In the near future we hope to counter this validity threat by setting a standard length for a 'valid' clone, e.g., a minimum of five lines of code.
A proposed and partially implemented system diagram is shown in figure 1. It illustrates the project SearchSECO intended to collect source code from the worldwide software ecosystem and store methodlevel code with the call graph of the code in a Software Method Knowledge Base (SMKB), which allows for structural analysis of the source code. For example, license violation and vulnerability patterns will be identifiable utilizing the call graph of a source code. Thus, in the software engineering domain more specifically in repository mining SearchSECO is a radical innovation [3]. To construct SeacrhSECO we follow four lines of query: first, we develop parsing techniques and design work distribution mechanisms to explore the global SECO. Next, we store the collected methods in the SecureSECO Knowledge Base (SMKB). Third, we apply basic data analysis techniques to the stored data within the SMKB. Finally, we leverage artificial intelligence to perform graph mining on the worldwide SECO graph for deeper insights [3].
A total of four years PhD thesis plans has been added to the Table1. The first paper with the initial results has been accepted for publication at BENEVOL 2024 conference. The title is "Work in Progress Paper: Detecting Method Level License Conflicts in the Worldwide Software Ecosystem". This paper demonstrated code-level license extraction and violation detection as a definitive method for ensuring license compliance in borrowed code, independent of any declarations. Using SearchSECO, we examined 3,500 repositories from leading software companies to assess the prevalence of violations. Our analysis uncovered approximately 32,000 violations in total.
The FOSSology project first introduced an ML-based solution for license identification problems utilizing license classification [17]. Another research introduced Machine learning-based license exception detection [18]. However, only a few ML-based solutions are introduced, and some topics such as license violation are not explored. Moming et al. introduced an ML-based solution named ModelGo for license conflict detection [19]. Research needs to be done on this problem. In our SearchSECO project introducing ML-based license violation solution could be an interesting experiment for the scientific and research community. However, another idea is to create a hybrid solution, utilizing the current proposed SearchSECO license violation and combining an ML-based solution.
A recent development is the use of LLMs for generating code. Frequently, the code that is generated follows exact patterns from licensed code, meaning that the LLM could potentially be offering licensed code, thereby stimulating license violations by the software engineer [20]. While we cannot guarantee it currently, we look forward to exploring whether we can identify such licensed code suggestions, with the goal of improving these LLMs to avoid licensed code.
Incorporating existing tools such as Binary Analysis Tool (BAT) [13] binary code clone detection can be done in the SearchSECO project too. Utilizing bytecode scanning tools like JEB Decompiler or ProGuard [21] that can extract relevant license details directly from compiled code (e.g., Java .class files or .NET assemblies). Bytecode-level analysis allows for the detection of licensing information even when source code is unavailable [22].
SearchSECO has the aim of creating a new sense of provenance in software engineering, where we try to find the earliest version of a code clone and its authors. Provenance, which concerns the origins of an artifact, has been neglected in software engineering for far too long. For instance, if we look at the Dieselgate scandal, the code which violated the tests was never found. With SearchSECO, it would perhaps have been possible to identify the intended code [23].
As we are performing design science, with potentially highly useful artifacts, both for research and industry, we foresee several routes towards research impact. For one, we hope to apply and evaluate our artifacts in case studies. Secondly, if the technology proves valuable for the industry, we could consider spinning out the SearchSECO features into a startup.
We wish to thank Geert-Jan Giezeman, Wouter Beffers, and Deekshitha for their important contributions to the SearchSECO project on Github. This research was funded by the Business Finland project 6G Bridge -6G software for extremely distributed and heterogeneous massive networks of connected devices (8516/31/2022).
(S. Jansen) https://yamadharma.github.io/ (A. Didar Islam); https://kmitd.github.io/ilaria/ (S. Jansen) 0000-0002-0877-7063 (A. Didar Islam); 0000-0003-3752-2868 (S. Jansen)
ChatGPT 4o was used for polishing the grammar and spelling of the text in this document.