Identifying Open-Source License Violation and 1-day Security Risk at Large Scale