关键词: 开源软件, 软件组件分析, 第三方库检测, 代码克隆, 修改重用, 静态分析

Abstract: Third-party libraries (TPLs) are a crucial component of modern C/C++ software development, and their precise detection and management are essential for ensuring software quality and security. However, existing methods primarily rely on code syntax features, which have limited adaptability to Type II and Type III clone reuse scenarios, often leading to detection failures. To address this, we propose a new TPL detection method based on function Abstract Syntax Tree (AST) features, named TPLADD. This method leverages the degree and order metrics of AST nodes to quickly perform vector embeddings of function syntax and integrates vector databases with Approximate Nearest Neighbor (ANN) search techniques, significantly enhancing the detection robustness in modified reuse scenarios. Additionally, an anomaly-based filtering technique effectively reduces the impact of interference functions, improving detection accuracy. A feature vector index library was constructed based on 29,782 open-source software (OSS) projects and 726,074 versions collected from GitHub, and its effectiveness was validated on 100 well-known projects. Experimental results show that, in terms of precision, TPLADD outperforms CENTRIS with an improvement of 3.88% in precision and 2.76% in recall. In terms of robustness, even with significant code modifications, TPLADD maintains an F1 score of 74%. In terms of performance, the average detection time for each TPL is only 0.42s, and the index library occupies only 0.41% of the total function feature storage, demonstrating its high robustness, accuracy, and good performance.

Key words: open-source software, software composition analysis, third-party library detection, code cloning, modified reuse, static analysis