Identifying Open-Source License Violation and 1-day Security Risk at Large Scale


Citation: Ruian Duan, Ashish Bijlani, Meng Xu, Taesoo Kim, Wenke Lee (2017) Identifying Open-Source License Violation and 1-day Security Risk at Large Scale.
Download: https://www.cc.gatech.edu/~rduan9/publications/osspolice.pdf

Summary

Describes OSSPolice, software that compares open-source code against the Java and C++ binaries in Android apps to find code reuse and the licensing and security risks it may carry.

It does not attempt to identify malware or intentional hiding, provide legal analysis, or discover new security bugs. It is, however, resilient to some common obfuscation.

Uses the tree structure of open-source libraries to handle situations that prior work might report as false positives (e.g. an entire library included inside another library that is itself a common dependency) and as false negatives (e.g. partial inclusion of a library).
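The following is an added toy illustration of why tree-aware matching helps with the two cases just named; it is not OSSPolice's code or its actual scoring rule, and the library names, directory layout and string features are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One directory of a library's source tree (hypothetical model, not OSSPolice's)."""
    name: str
    features: set = field(default_factory=set)   # string constants found in this directory
    children: list = field(default_factory=list)
    embedded: str = ""                            # a standalone library vendored here, if any
    def flat(self): return set().union(self.features, *(c.flat() for c in self.children))

def naive_match(index, app_features, threshold=0.5):
    """Flat matching that ignores the tree: the behaviour the page attributes to prior work."""
    found = set()
    for name, root in index.items():
        feats = root.flat()
        if len(feats & app_features) / len(feats) >= threshold:
            found.add(name)
    return found

def subtree_score(node, app_features):
    """(matched, total) for a subtree, skipping vendored deps and subtrees the app lacks."""
    matched, total = len(node.features & app_features), len(node.features)
    for child in node.children:
        if child.embedded:         # vendored dependency: credited to its own library instead
            continue
        m, t = subtree_score(child, app_features)
        if m == 0:                 # subtree absent from the app: treat it as not shipped
            continue
        matched, total = matched + m, total + t
    return matched, total

def tree_match(index, app_features, threshold=0.8):
    """Hierarchical matching: a library counts only if the parts it actually ships match."""
    found = set()
    for name, root in index.items():
        m, t = subtree_score(root, app_features)
        if t and m / t >= threshold:
            found.add(name)
    return found

# Constructed sample index: zlib on its own, and "bigsdk", which vendors a copy of zlib.
ZLIB = {"inflate", "deflate", "zlib 1.2.x"}
INDEX = {"zlib": Node("zlib", set(ZLIB)),
         "bigsdk": Node("bigsdk", {"BigSdk::init", "bigsdk_version"},
                        [Node("third_party/zlib", set(ZLIB), embedded="zlib"),
                         Node("extras", {"BigSdk::extras"})])}
APP_ONLY_ZLIB = ZLIB | {"MainActivity"}                             # app that links zlib alone
APP_CORE_ONLY = {"BigSdk::init", "bigsdk_version", "MainActivity"}  # bigsdk core, no vendored zlib
```

Flat matching reports bigsdk for the zlib-only app (false positive) and misses bigsdk when only its core ships (false negative); the tree-aware version gets both right.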

The result is a scalable system that has been used to analyze 2.6 million Android apps.

The authors present findings from the analyzed apps, including aggregate numbers of potential license violations, popular dependencies, and popular licenses.

Theoretical and Practical Relevance

Code is at https://github.com/osssanitizer/osspolice and the project home page is at https://osssanitizer.github.io/