• Title/Summary/Keyword: license violation

SPDX Document Generation Visual Studio Plug-in development for Invigorating Blockchain based Software Distribution Platform (블록체인 기반의 소프트웨어 유통 플랫폼의 활성화를 위한 SPDX 문서 생성 Visual Studio용 플러그인 개발)

  • Yun, Ho-Yeong;Joe, Yong-Joon;Shin, Dong-Myung
    • Journal of Software Assessment and Valuation / v.13 no.2 / pp.9-17 / 2017
  • Software compliance is an essential process when Open Source Software is included in software development, to avoid issues such as license violations. However, analyzing quite large software which involves many developers requires enormous time and is very difficult. To resolve these kinds of problems, SPDX formalizes and standardizes the metadata about the software package. When the use of SPDX is activated, software package analysis would be simple and could contribute to fair Open Source Software distribution. In this paper, we develop a blockchain-based SPDX distribution platform which fulfills the requirements of the SPDX lifecycle, to provide an SPDX database which does not depend on a particular centralized service but serves as a distributed ledger and is controlled by users' certification and their purpose. Moreover, to contribute to the invigoration of the blockchain-based SPDX distribution platform, we develop an SPDX document generation plug-in for integrated development environments such as Visual Studio.

Detection of an Open-Source Software Module based on Function-level Features (함수 수준 특징정보 기반의 오픈소스 소프트웨어 모듈 탐지)

  • Kim, Dongjin;Cho, Seong-je
    • Journal of KIISE / v.42 no.6 / pp.713-722 / 2015
  • As open-source software (OSS) becomes more widely used, many users breach the terms in the license agreement of OSS, or reuse a vulnerable OSS module. Therefore, a technique needs to be developed for investigating if a binary program includes an OSS module. In this paper, we propose an efficient technique to detect a particular OSS module in an executable program using its function-level features. The conventional methods are inappropriate for determining whether a module is contained in a specific program because they usually measure the similarity between whole programs. Our technique determines whether an executable program contains a certain OSS module by extracting features such as its function-level instructions, control flow graph, and the structural attributes of a function from both the program and the module, and comparing the similarity of features. In order to demonstrate the efficiency of the proposed technique, we evaluate it in terms of the size of features, detection accuracy, execution overhead, and resilience to compiler optimizations.