ASE 2023
Mon 11 - Fri 15 September 2023 Kirchberg, Luxembourg
Tue 12 Sep 2023 10:42 - 10:54 at Room E - Open Source and Software Ecosystems 1 Chair(s): Denys Poshyvanyk

The reuse and distribution of open-source software must comply with its accompanying open-source license. In modern packaging ecosystems, maintaining such compliance is challenging because a package may have a complex multi-layered dependency graph with many packages, any of which may have an incompatible license. Although prior research finds that license incompatibilities are prevalent, empirical evidence is still scarce in some modern packaging ecosystems (e.g., PyPI). It also remains unclear how developers remediate the license incompatibilities in the dependency graphs of their packages (including direct and transitive dependencies), let alone any automated approaches. To bridge this gap, we conduct a large-scale empirical study of license incompatibilities and their remediation practices in the PyPI ecosystem. We find that 7.27% of the PyPI package releases have license incompatibilities and 61.3% of them are caused by transitive dependencies, which makes their remediation harder; for remediation, developers can apply one of five strategies: migration, removal, pinning versions, changing their own licenses, and negotiation. Inspired by our findings, we propose SILENCE, an SMT-solver-based approach to recommend license incompatibility remediations with minimal cost in the package dependency graph. Our evaluation shows that the remediations proposed by SILENCE can match 19 historical real-world cases (except for migrations not covered by an existing knowledge base) and have been accepted by five popular PyPI packages whose developers were previously unaware of their license incompatibilities.

Tue 12 Sep

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

10:30 - 12:00
Open Source and Software Ecosystems 1 (Research Papers / Tool Demonstrations) at Room E
Chair(s): Denys Poshyvanyk William & Mary
10:30
12m
Talk
An Empirical Study of Malicious Code In PyPI Ecosystem
Research Papers
Wenbo Guo School of Cyber Science and Engineering, Sichuan University, Zhengzi Xu Nanyang Technological University, Chengwei Liu Nanyang Technological University, Cheng Huang School of Cyber Science and Engineering, Sichuan University, Yong Fang School of Cyber Science and Engineering, Sichuan University, Yang Liu Nanyang Technological University
Pre-print
10:42
12m
Talk
Understanding and Remediating Open-Source License Incompatibilities in the PyPI Ecosystem
Research Papers
Weiwei Xu Peking University, Hao He Carnegie Mellon University, Kai Gao Peking University, Minghui Zhou Peking University
Pre-print
10:54
12m
Talk
Mitigating Persistence of Open-Source Vulnerabilities in Maven Ecosystem
Research Papers
Lyuye Zhang Nanyang Technological University, Chengwei Liu Nanyang Technological University, Sen Chen Tianjin University, Zhengzi Xu Nanyang Technological University, Lingling Fan Nankai University, Lida Zhao Nanyang Technological University, Yiran Zhang Nanyang Technological University, Yang Liu Nanyang Technological University
11:06
12m
Talk
Bus Factor Explorer
Tool Demonstrations
Egor Klimov JetBrains Research, Muhammad Umair Ahmed Bilkent University, Nikolai Sviridov JetBrains Research, Pouria Derakhshanfar JetBrains Research, Eray Tüzün Bilkent University, Vladimir Kovalenko JetBrains Research
Media Attached
11:30
12m
Talk
EALink: An Efficient and Accurate Pre-Trained Framework for Issue-Commit Link Recovery
Research Papers
Chenyuan Zhang Xiamen University, Yanlin Wang Sun Yat-sen University, Zhao Wei Tencent, Yong Xu Tencent, Juhong Wang Tencent, Hui Li Xiamen University, Rongrong Ji Xiamen University
Pre-print Media Attached
11:42
12m
Talk
Fork Entropy: Assessing the Diversity of Open Source Software Projects' Forks
Recorded talk
Research Papers
Liang Wang Nanjing University, Zhiwen Zheng State Key Laboratory for Novel Software Technology, Nanjing University, Xiangchen Wu State Key Laboratory for Novel Software Technology, Nanjing University, Baihui Sang State Key Laboratory for Novel Software Technology, Nanjing University, Jierui Zhang Nanjing University, Xianping Tao Nanjing University
Media Attached