
TL;DR
This paper presents an incremental approach to generate scalable call graphs for Maven ecosystems by stitching partial graphs, enabling on-demand analysis that outperforms existing frameworks in scalability.
Contribution
It introduces an incremental CHA algorithm that constructs call graphs on-demand by combining pre-extracted partial graphs, addressing scalability issues in ecosystem-wide analysis.
Findings
Scales well for large Maven ecosystems
Outperforms the existing framework OPAL in efficiency
Enables on-demand call graph generation
Abstract
As a rich source of data, Call Graphs are used for various applications including security vulnerability detection. Despite multiple studies showing that Call Graphs can drastically improve the accuracy of analysis, existing ecosystem-scale tools like Dependabot do not use Call Graphs and work at the package-level. Using Call Graphs in ecosystem use cases is not practical because of the scalability problems that Call Graph generators have. Call Graph generation is usually considered to be a "full program analysis" resulting in large Call Graphs and expensive computation. To make an analysis applicable to ecosystem scale, this pragmatic approach does not work, because the number of possible combinations of how a particular artifact can be combined in a full program explodes. Therefore, it is necessary to make the analysis incremental. There are existing studies on different types of…
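An added illustration of the stitching idea summarized under Contribution, not code from the paper or its tooling: each artifact's partial graph is extracted once, then merged for one resolved dependency set and its call sites resolved with class hierarchy analysis (CHA). The artifact coordinates, class names, and data layout are constructed assumptions, and the model ignores interfaces and method signatures.

```python
from collections import defaultdict

# Constructed partial graphs, one per artifact; all names are hypothetical.
# classes: name -> (superclass, methods defined); calls: (caller, receiver type, method)
PARTIALS = {
    "app:1.0": {"classes": {"app.Main": ("java.lang.Object", {"run"})},
                "calls": [("app.Main.run", "lib.Parser", "parse")]},
    "lib:2.0": {"classes": {"lib.Parser": ("java.lang.Object", {"parse"}),
                            "lib.XmlParser": ("lib.Parser", {"parse", "readEntity"}),
                            "lib.JsonParser": ("lib.Parser", set())},
                "calls": [("lib.XmlParser.parse", "lib.XmlParser", "readEntity")]},
    "other:3.0": {"classes": {"other.YamlParser": ("lib.Parser", {"parse"})},
                  "calls": []},
}

def stitch(partials, resolved):
    """Merge the partial graphs of one resolved dependency set; resolve calls with CHA."""
    supers, defined, subs = {}, {}, defaultdict(set)
    for art in resolved:
        for cls, (sup, methods) in partials[art]["classes"].items():
            supers[cls], defined[cls] = sup, methods
            subs[sup].add(cls)
    def dispatch(cls, method):  # nearest implementation, walking up the hierarchy
        while cls in defined:
            if method in defined[cls]:
                return f"{cls}.{method}"
            cls = supers[cls]
        return None
    def subtypes(cls):  # declared type plus all transitive subtypes
        out = {cls}
        for sub in subs.get(cls, ()):
            out |= subtypes(sub)
        return out
    edges = set()
    for art in resolved:
        for caller, recv, method in partials[art]["calls"]:
            targets = {dispatch(c, method) for c in subtypes(recv)} - {None}
            edges |= {(caller, t) for t in targets}
    return edges

def reaches(edges, source, target):
    """True if target is transitively callable from source."""
    seen, stack = set(), [source]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(t for s, t in edges if s == node)
    return target in seen
```

Stitching a different dependency set reuses the same partial graphs, so a method-level reachability check for a flagged method such as the hypothetical `lib.XmlParser.readEntity` needs no re-extraction per combination.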
