LiDetector : License Incompatibility Detection for Open Source Software

Author:

Xu Sihan (1), Gao Ya (2), Fan Lingling (1), Liu Zheli (1), Liu Yang (3), Ji Hua (1)

Affiliation:

1. TKLNDST, College of Cyber Science, Nankai University, Tongyan Road, Jinnan District, Tianjin, China

2. TKLNDST, College of Computer Science, Nankai University, Tongyan Road, Jinnan District, Tianjin, China

3. Zhejiang Sci-tech University, Hangzhou, Zhejiang, China and Nanyang Technological University, Singapore

Abstract

Open-source software (OSS) licenses dictate the conditions that must be followed to reuse, distribute, and modify software. Apart from widely used licenses such as the MIT License, developers are also allowed to write their own licenses (called custom licenses), whose wording is more flexible. The presence of such varied licenses makes it hard to understand licenses and their compatibility. To avoid financial and legal risks, it is essential to ensure license compatibility when integrating third-party packages or reusing code accompanied by licenses. In this work, we propose LiDetector, an effective tool that extracts and interprets OSS licenses (both official licenses and custom licenses) and detects license incompatibility among them. Specifically, LiDetector introduces a learning-based method to automatically identify meaningful license terms from an arbitrary license, and employs a Probabilistic Context-Free Grammar (PCFG) to infer rights and obligations for incompatibility detection. Experiments demonstrate that LiDetector outperforms existing methods, with 93.28% precision for term identification and 91.09% accuracy for right and obligation inference, and can effectively detect incompatibility with a 10.06% FP rate and a 2.56% FN rate. Furthermore, using LiDetector, our large-scale empirical study of 1,846 projects reveals that 72.91% of the projects suffer from license incompatibility, including projects under popular licenses such as the MIT License and the Apache License. We highlight lessons learned from the perspectives of different stakeholders and make all related data and the replication package publicly available to facilitate follow-up research.
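The abstract describes incompatibility detection as comparing the rights and obligations inferred for each license. The following Python block is an added illustration of that idea and is not LiDetector's code: it models a license as a table of normalised terms with an attitude (can, cannot, must), then checks a project license against its dependencies' licenses. The term tables for MIT, Apache-2.0 and GPL-3.0 are constructed, heavily simplified assumptions for this example (they omit patent clauses, GPLv2/GPLv3 differences and much else), and the conflict rule is a simplified one of my own, not the paper's definition: because the combined work ships under the project license, a dependency that forbids what the project grants or requires, or that requires what the project forbids, is flagged, and a copyleft "same-license" obligation on a dependency is flagged against any different project license.

```python
from dataclasses import dataclass
from enum import Enum


class Attitude(Enum):
    """Attitude a licence takes toward a normalised term."""
    CAN = "can"        # a granted right
    CANNOT = "cannot"  # a prohibition
    MUST = "must"      # an obligation


# A licence is modelled as a table from normalised term to attitude.
# Terms absent from the table are unaddressed by that licence.
License = dict[str, Attitude]

# Constructed, simplified term tables (assumptions for this example only;
# not the paper's term inventory, and not a substitute for the licence text).
LICENSES: dict[str, License] = {
    "MIT": {
        "commercial-use": Attitude.CAN,
        "modify": Attitude.CAN,
        "distribute": Attitude.CAN,
        "sublicense": Attitude.CAN,
        "include-copyright": Attitude.MUST,
    },
    "Apache-2.0": {
        "commercial-use": Attitude.CAN,
        "modify": Attitude.CAN,
        "distribute": Attitude.CAN,
        "sublicense": Attitude.CAN,
        "include-copyright": Attitude.MUST,
        "state-changes": Attitude.MUST,
        "use-trademark": Attitude.CANNOT,
    },
    "GPL-3.0": {
        "commercial-use": Attitude.CAN,
        "modify": Attitude.CAN,
        "distribute": Attitude.CAN,
        "sublicense": Attitude.CANNOT,
        "include-copyright": Attitude.MUST,
        "disclose-source": Attitude.MUST,
        "same-license": Attitude.MUST,
    },
}


@dataclass(frozen=True)
class Conflict:
    dependency: str
    dependency_license: str
    term: str
    reason: str


def term_conflicts(project: License, dep: License) -> list[tuple[str, str]]:
    """Direction-aware comparison of two attitude tables.

    The combined work is distributed under the project licence, so a conflict
    arises when the dependency forbids something the project licence grants or
    requires, or when the dependency requires something the project forbids.
    A project licence that is merely more restrictive than the dependency's is
    not a conflict: permissive code may flow into restrictive projects.
    """
    found: list[tuple[str, str]] = []
    for term in sorted(set(project) & set(dep)):
        p, d = project[term], dep[term]
        if d is Attitude.CANNOT and p in (Attitude.CAN, Attitude.MUST):
            found.append((term, f"dependency cannot {term}, project licence {p.value} {term}"))
        elif d is Attitude.MUST and p is Attitude.CANNOT:
            found.append((term, f"dependency must {term}, project licence cannot {term}"))
    return found


def check_project(project_license: str, dependencies: dict[str, str]) -> list[Conflict]:
    """Check every dependency's licence against the project's licence."""
    project = LICENSES[project_license]
    conflicts: list[Conflict] = []
    for dep_name, dep_license in dependencies.items():
        dep = LICENSES[dep_license]
        for term, reason in term_conflicts(project, dep):
            conflicts.append(Conflict(dep_name, dep_license, term, reason))
        # Copyleft: a same-license obligation on the dependency binds the
        # combined work, so any different project licence conflicts with it.
        if dep.get("same-license") is Attitude.MUST and dep_license != project_license:
            conflicts.append(Conflict(dep_name, dep_license, "same-license",
                                      f"dependency requires derived works to stay {dep_license}"))
    return conflicts


if __name__ == "__main__":
    # Constructed sample manifest: an MIT project pulling in two dependencies.
    for c in check_project("MIT", {"libfoo": "GPL-3.0", "libbar": "Apache-2.0"}):
        print(f"{c.dependency} ({c.dependency_license}) / {c.term}: {c.reason}")
```

Running the sample reports the GPL-3.0 dependency twice (it forbids sublicensing, which MIT grants, and it demands that derived works stay GPL-3.0) and nothing for the Apache-2.0 dependency; reversing the direction, an Apache-2.0 dependency inside a GPL-3.0 project produces no conflict, which is why the comparison must be direction-aware rather than a symmetric diff of the two tables. The hard part that the paper addresses, and this example sidesteps by hard-coding the tables, is producing those term tables from arbitrary, possibly custom, licence text.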

Funder

National Natural Science Foundation of China

National Key Research Project of China

Publisher

Association for Computing Machinery (ACM)

Subject

Software

References (70 articles; 5 listed)

1. Thomas A. Alspaugh, Hazeline U. Asuncion, and Walt Scacchi. 2009. Intellectual property rights requirements for heterogeneously-licensed systems. In Proceedings of the 17th IEEE International Requirements Engineering Conference. 24–33.

2. Thomas A. Alspaugh. 2010. Software licenses in context: The challenge of heterogeneously-licensed systems. Journal of the Association for Information Systems.

3. Benjamin Andow, Samin Yaseer Mahmud, Wenyu Wang, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Tao Xie. 2019. Policylint: Investigating internal privacy policy contradictions on Google Play. In Proceedings of the 28th USENIX Conference on Security Symposium. 585–602.

4. BDF. 2021. The Backdoor Factory. Retrieved 27th Sep 2021 from https://github.com/secretsquirrel/the-backdoor-factory.

5. Blosc. 2021. A blocking shuffling and lossless compression library. Retrieved 27th Sep 2021 from https://github.com/Blosc/c-blosc.

Cited by 6 articles (5 listed)

1. A Large-Scale Empirical Study of Open Source License Usage: Practices and Challenges. Proceedings of the 21st International Conference on Mining Software Repositories, 2024-04-15.

2. Catch the Butterfly: Peeking into the Terms and Conflicts Among SPDX Licenses. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2024-03-12.

3. Towards Automated Detection of Unethical Behavior in Open-Source Software Projects. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2023-11-30.

4. The software heritage license dataset (2022 edition). Empirical Software Engineering, 2023-11.

5. Understanding and Remediating Open-Source License Incompatibilities in the PyPI Ecosystem. 2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023-09-11.
