TPLADD: Highly Robust and Precise C/C++ Third-Party Libraries Detection Method

doi:10.3778/j.issn.1673-9418.2409052

Abstract

Abstract: Third-party libraries (TPLs) are a crucial component of modern C/C++ software development, and their precise detection and management are essential for ensuring software quality and security. However, existing methods primarily rely on code syntax features, which have limited adaptability to Type Ⅱ and Type Ⅲ clone reuse scenarios, often leading to detection failures. This paper proposes a new TPL detection method based on function abstract syntax tree (AST) features, named TPLADD (third-party library approximate detection with deduplication). This method leverages the degree and order metrics of AST nodes to quickly perform vector embeddings of function syntax, and integrates vector databases with approximate nearest neighbor search techniques, significantly enhancing the detection robustness in modified reuse scenarios. Additionally, an anomaly-based filtering technique effectively reduces the impact of interference functions, improving detection accuracy. A feature vector index library is constructed based on 29782 open-source software (OSS) projects and 726074 versions collected from GitHub, and its effectiveness is validated on 100 well-known projects. Experimental results show that: in terms of precision, TPLADD outperforms CENTRIS with an improvement of 3.88 percentage points in precision and 2.76 percentage points in recall; in terms of robustness, even with significant code modifications, TPLADD maintains an F1 score of 74%; in terms of performance, the average detection time for each TPL is only 0.42 s, and the index library occupies only 0.41% of the total function feature storage. The above results demonstrate the high robustness, accuracy, and good performance of TPLADD.

Key words: open-source software, software composition analysis, third-party library detection, code cloning, modified reuse, static analysis

摘要： 第三方库（TPL）作为现代C/C++软件开发的重要组成部分，其精确检测与管理对于保障软件质量与安全性至关重要。然而现有方法主要依赖代码语法特征，对Type Ⅱ和Type Ⅲ克隆重用场景的适应性不足，易导致检测失效。提出一种基于函数抽象语法树（AST）特征的TPL检测方法TPLADD。该方法利用AST节点度数与次序的度量信息快速实现函数语法向量嵌入，并结合向量数据库与近似最近邻检索技术，显著提升了修改重用场景下的检测鲁棒性。基于异常检测的过滤技术可以有效减少干扰函数对检测的影响，提高结果精确性。基于GitHub搜集的29?782个开源软件（OSS）共计726?074个版本，构建了特征向量索引库，并在100个知名项目上验证有效性。实验结果表明，在精度上，TPLADD相较于CENTRIS，精确率和召回率分别提升了3.88和2.76个百分点；在鲁棒性上，TPLADD即使出现较大程度代码修改时，仍能保持74%的F1值；在性能上，TPLADD平均每个TPL检测耗时仅0.42?s，索引库存储占用率仅为总体函数特征的0.41%。这些充分体现了TPLADD高鲁棒性、高精确性的特点，且具备良好的性能表现。

关键词: 开源软件, 软件组件分析, 第三方库检测, 代码克隆, 修改重用, 静态分析

JIA Yunfeng, WANG Junfeng, WU Peng. TPLADD: Highly Robust and Precise C/C++ Third-Party Libraries Detection Method[J]. Journal of Frontiers of Computer Science and Technology, 2025, 19(7): 1969-1980.

贾昀峰, 王俊峰, 吴鹏. TPLADD：高鲁棒性与高精度的C/C++第三方库检测方法[J]. 计算机科学与探索, 2025, 19(7): 1969-1980.

References

[1] 高恺, 何昊, 谢冰, 等. 开源软件供应链研究综述[J]. 软件学报, 2024, 35(2): 581-603.
GAO K, HE H, XIE B, et al. Survey on open source software supply chains[J]. Journal of Software, 2024, 35(2): 581-603.
[2] MIRANDA A, PIMENTEL J. On the use of package managers by the C++ open-source community[C]//Proceedings of the 33rd Annual ACM Symposium on Applied Computing. New York: ACM, 2018: 1483-1491.
[3] 纪守领, 王琴应, 陈安莹, 等. 开源软件供应链安全研究综述[J]. 软件学报, 2023, 34(3): 1330-1364.
JI S L, WANG Q Y, CHEN A Y, et al. Survey on open-source software supply chain security[J]. Journal of Software, 2023, 34(3): 1330-1364.
[4] 何熙巽, 张玉清, 刘奇旭. 软件供应链安全综述[J]. 信息安全学报, 2020, 5(1): 57-73.
HE X X, ZHANG Y Q, LIU Q X. Survey of software supply chain security[J]. Journal of Cyber Security, 2020, 5(1): 57-73.
[5] DUAN R A, BIJLANI A, XU M, et al. Identifying open-source license violation and 1-day security risk at large scale[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 2169-2185.
[6] WOO S, PARK S, KIM S, et al. CENTRIS: a precise and scalable approach for identifying modified open-source software reuse[C]//Proceedings of the 2021 IEEE/ACM 43rd International Conference on Software Engineering. Piscataway: IEEE, 2021: 860-872.
[7] WU J H, XU Z Z, TANG W, et al. OSSFP: precise and scalable C/C third-party library detection using fingerprinting functions[C]//Proceedings of the 2023 IEEE/ACM 45th International Conference on Software Engineering. Piscataway: IEEE, 2023: 270-282.
[8] LI M H, WANG W, WANG P, et al. LibD: scalable and precise third-party library detection in Android markets[C]//Proceedings of the 2017 IEEE/ACM 39th International Conference on Software Engineering. Piscataway: IEEE, 2017: 335-346.
[9] TANG W, LUO P, FU J L, et al. LibDX: a cross-platform and accurate system to detect third-party libraries in binary code[C]//Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering. Piscataway: IEEE, 2020: 104-115.
[10] TANG W, WANG Y L, ZHANG H Y, et al. LibDB: an effective and efficient framework for detecting third-party libraries in binaries[C]//Proceedings of the 19th International Conference on Mining Software Repositories. New York: ACM, 2022: 423-434.
[11] YANG C, XU Z Z, CHEN H X, et al. ModX: binary level partially imported third-party library detection via program modularization and semantic matching[C]//Proceedings of the 2022 IEEE/ACM 44th International Conference on Software Engineering. Piscataway: IEEE, 2022: 1393-1405.
[12] LI S Y, WANG Y P, DONG C P, et al. LibAM: an area matching framework for detecting third-party libraries in binaries[J]. ACM Transactions on Software Engineering and Methodology, 2024, 33(2): 1-35.
[13] MA Z A, WANG H Y, GUO Y, et al. LibRadar: fast and accurate detection of third-party libraries in Android apps[C]//Proceedings of the 38th International Conference on Software Engineering Companion. New York: ACM, 2016: 653-656.
[14] TANG W, XU Z Z, LIU C W, et al. Towards understanding third-party library dependency in C/C++ ecosystem[C]//Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering. New York: ACM, 2022: 1-12.
[15] NA Y, WOO S, LEE J, et al. Cneps: a precise approach for examining dependencies among third-party C/C++ open-source components[C]//Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering. Piscataway: IEEE, 2024: 2918-2929.
[16] JIANG L, YUAN H C, TANG Q Y, et al. Third-party library dependency for large-scale SCA in the C/C++ ecosystem: how far are we?[C]//Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2023: 1383-1395.
[17] SAJNANI H, SAINI V, SVAJLENKO J, et al. SourcererCC: scaling code clone detection to big-code[C]//Proceedings of the 2016 IEEE/ACM 38th International Conference on Software Engineering. Piscataway: IEEE, 2016: 1157-1168.
[18] 陈秋远, 李善平, 鄢萌, 等. 代码克隆检测研究进展[J]. 软件学报, 2019, 30(4): 962-980.
CHEN Q Y, LI S P, YAN M, et al. Code clone detection: a literature review[J]. Journal of Software, 2019, 30(4): 962-980.
[19] ZAKERI-NASRABADI M, PARSA S, RAMEZANI M, et al. A systematic literature review on source code similarity measurement and clone detection: techniques, applications, and challenges[J]. Journal of Systems and Software, 2023, 204: 111796.
[20] KAMIYA T, KUSUMOTO S, INOUE K. CCFinder: a multi-linguistic token-based code clone detection system for large scale source code[J]. IEEE Transactions on Software Engineering, 2002, 28(7): 654-670.
[21] LOPES C V, MAJ P, MARTINS P, et al. DéjàVu: a map of code duplicates on GitHub[J]. Proceedings of the ACM on Programming Languages, 2017, 1: 84.
[22] JIANG L X, MISHERGHI G, SU Z D, et al. DECKARD: scalable and accurate tree-based detection of code clones[C]//Proceedings of the 29th International Conference on Software Engineering. Piscataway: IEEE, 2007: 96-105.
[23] GAO Y, WANG Z, LIU S, et al. TECCD: a tree embedding approach for code clone detection[C]//Proceedings of the 2019 IEEE International Conference on Software Maintenance and Evolution. Piscataway: IEEE, 2019: 145-156.
[24] CHOCHLOV M, AHMED G A, PATTEN J V, et al. Using a nearest-neighbour, BERT-based approach for scalable clone detection[C]//Proceedings of the 2022 IEEE International Conference on Software Maintenance and Evolution. Piscataway: IEEE, 2022: 582-591.
[25] HU Y T, ZOU D Q, PENG J R, et al. TreeCen: building tree graph for scalable semantic code clone detection[C]//Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering. New York: ACM, 2022: 1-12.
[26] SIVAKUMAR S, VIDELA L S, RAJESH KUMAR T, et al. Review on Word2Vec word embedding neural net[C]//Proceedings of the 2020 International Conference on Smart Electronics and Communication. Piscataway: IEEE, 2020: 282-290.
[27] NISHIOKA D, KAMIYA T. Towards informative tagging of code fragments to support the investigation of code clones[C]//Proceedings of the 2021 IEEE 15th International Workshop on Software Clones. Piscataway: IEEE, 2021: 8-14.
[28] HUANG J. Code clone detection based on Doc2vec model and bagging[C]//Proceedings of the 2022 2nd International Conference on Control and Intelligent Robotics. New York: ACM, 2022: 649-653.
[29] PANG G S, SHEN C H, CAO L B, et al. Deep learning for anomaly detection[J]. ACM Computing Surveys, 2022, 54(2): 1-38.
[30] JAFARI O, MAURYA P, NAGARKAR P, et al. A survey on locality sensitive hashing algorithms and their applications [EB/OL]. [2024-08-10]. https://arxiv.org/abs/2102.08942.
[31] SAXENA A, PRASAD M, GUPTA A, et al. A review of clustering techniques and developments[J]. Neurocomputing, 2017, 267: 664-681.
[32] 田甜, 巩敦卫. 并发程序变异测试研究综述[J]. 电子学报, 2020, 48(11): 2267-2277.
TIAN T, GONG D W. Survey on mutation testing of concurrent programs[J]. Acta Electronica Sinica, 2020, 48(11): 2267-2277.