CNEPS: A Precise Approach for Examining Dependencies among Third-Party C/C++ Open-Source Components

The rise in open-source software (OSS) reuse has led to intricate dependencies among third-party components, increasing the demand for precise dependency analysis. However, owing to the presence of reused files that are difficult to identify the originating components (i.e., indistinguishable files) and duplicated components, precisely identifying component dependencies is becoming challenging. In this paper, we present Cneps, a precise approach for examining dependencies in reused C/C++ OSS components. The key idea of Cneps is to use a novel granularity called a module, which represents a minimum unit (i.e., set of source files) that can be reused as a library from another project. By examining dependencies based on modules instead of analyzing single reused files, Cneps can precisely identify dependencies in the target projects, even in the presence of indistinguishable files. To differentiate duplicated components, Cneps examines the cloned paths and originating projects of each component, enabling precise identification of dependencies associated with them. Experimental results on top 100 C/C++ software show that Cneps outperforms a state-of-the-art approach by identifying twice as many dependencies. Cneps could identify 435 dependencies with 89.9% precision and 93.2% recall in less than 10 seconds per application on average, whereas the existing approach hardly achieved 63.5% precision and 42.5% recall. CCS CONCEPTS • Software and its engineering → Software libraries and repositories.