JC-Finder: Detecting Java Clone-based Third-Party Library by Class-level Tree Analysis

TL;DR

JC-Finder is a new Java clone-based software composition analysis tool that accurately detects third-party library reuse by analyzing class-level code clones, outperforming existing tools in accuracy and speed.

Contribution

The paper introduces JC-Finder, a novel class-level clone detection tool specifically designed for Java, improving accuracy and efficiency in identifying third-party library reuse.

Findings

Achieved an F1-score of 0.818, outperforming other tools by 0.427.

Detected TPL reuse in 789 out of 7,947 projects, about 9.89%.

Found 26.20% more TPLs than explicitly declared in package managers.

Abstract

While reusing third-party libraries (TPL) facilitates software development, its chaotic management has brought great threats to software maintenance and the unauthorized use of source code also raises ethical problems such as misconduct on copyrighted code. To identify TPL reuse in projects, Software Composition Analysis (SCA) is employed, and two categories of SCA techniques are used based on how TPLs are introduced: clone-based SCA and package-manager-based SCA (PM-based SCA). Although introducing TPLs by clones is prevalent in Java, no clone-based SCA tools are specially designed for Java. Also, directly applying clone-based SCA techniques from other tools is problematic. To fill this gap, we introduce JC-Finder, a novel clone-based SCA tool that aims to accurately and comprehensively identify instances of TPL reuse introduced by source code clones in Java projects. JC-Finder achieves both accuracy and efficiency in identifying TPL reuse from code cloning by capturing features at the class level, maintaining inter-function relationships, and excluding trivial or duplicated elements. To evaluate the efficiency of JC-Finder, we applied it to 9,965 most popular Maven libraries as reference data and tested the TPL reuse of 1,000 GitHub projects. The result shows that JC-Finder achieved an F1-score of 0.818, outperforming the other function-level tool by 0.427. The average time taken for resolving TPL reuse is 14.2 seconds, which is approximately 9 times faster than the other tool. We further applied JC-Finder to 7,947 GitHub projects, revealing TPL reuse by code clones in 789 projects (about 9.89% of all projects) and identifying a total of 2,142 TPLs. JC-Finder successfully detects 26.20% more TPLs that are not explicitly declared in package managers.