WO2018034785A1 - Method and system for authoritative name analysis - Google Patents

Method and system for authoritative name analysis Download PDF

Info

Publication number
WO2018034785A1
WO2018034785A1 PCT/US2017/043006 US2017043006W WO2018034785A1 WO 2018034785 A1 WO2018034785 A1 WO 2018034785A1 US 2017043006 W US2017043006 W US 2017043006W WO 2018034785 A1 WO2018034785 A1 WO 2018034785A1
Authority
WO
WIPO (PCT)
Prior art keywords
files
package
file
supercluster
contents
Prior art date
Application number
PCT/US2017/043006
Other languages
French (fr)
Inventor
Brian Fox
Bruce MAYHEW
Jamie WHITEHOUSE
Gazi MAHMUD
Original Assignee
Sonatype, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sonatype, Inc. filed Critical Sonatype, Inc.
Priority to CA3028785A priority Critical patent/CA3028785C/en
Priority to EP17841817.4A priority patent/EP3469497A4/en
Publication of WO2018034785A1 publication Critical patent/WO2018034785A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/71Version control; Configuration management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/75Structural analysis for program understanding
    • G06F8/751Code clone detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A computer system, method, or non-transitory computer-readable medium provides an authoritative name source for files within an ecosystem (103, 105, 107). Files (117-127) in the ecosystem (105, 107) which have identical contends and similar contents to each other are merged (131) into the same supercluster (141, 143, 145), to capture possibly incremental changes to the files over time in one of the superclusters. For each supercluster (161, 163, 165) which has files with identical and similar contents, the supercluster is broken down (151) into package clusters (171-177), based on packages to which the files belong, each of the package clusters has the files from a same package. The package cluster which has most change frequency across versions (181), is identified as the authoritative package. The authoritative name for the files is resolved, based on the authoritative packages that are determined, across the plurality of superclusters which have files with identical and similar contents, and the authoritative name is generated (191). Any authoritative name collision is resolved (195).

Description

METHOD AND SYSTEM FOR AUTHORITATIVE NAME ANALYSIS
TECHNICAL FIELD
[0001] The technical field relates in general to software development, and more particularly to authoritatively identifying files and packages used in software development.
BACKGROUND
[0002] In today's software development field, software components that are used in connection with an application are usually written by others, and are used and re-used, possibly with changes. This trend is increasing.
[0003] A package is conventionally used to organize a set of related components intended for use by a particular application. The package may contain, by way of example, content needed to reference an external library; source code, binaries, executables, classes, and interfaces;
identifying information and a manifest that identifies requirements if the package; scripts, other packages, and related items that run when the package is installed, de-installed, and/or used by a software application. A developer of a file or package typically will publish the package with that file to a repository so that the package can be shared and re-used, such as by other developers.
[0004] The available tools for software development makes it easy to use packages and software components, but these tools do not make it easy to understand where the package or the files in the package originated. Compounding the lack of visibility and understanding is the fact that packages and files in packages tend to depend on other components and/or packages and files which may themselves be used or re-used, possibly with changes.
[0005] A software repository is a known technique to provide developers with a convenient collection of re-used and re-usable packages and software components, where the package and/or component in the software repository may be a copy or specialized version and/or may incorporate other components and/or packages such as by dependency. A conventional repository manager can be used as a central point of storage and exchange for packages and software component usage. Package management systems are available which can provide tools to automate distribution of packages, can maintain information about dependencies and version information, and can work with software repositories. For a single ecosystem which is a collection of software repositories and/or support systems all of which store interrelated files, there can be thousands of distinct software packages with their attendant files.
[0006] Nevertheless, the problem with visibility and understanding of packages and the software components remains. There may be numerous files in a repository which are essentially the same component but which might have minor variations in content and/or name; any of these components might have originated elsewhere in the ecosystem. Using a repository manager or a package manager to identify the software repository where an application, package or component is stored or managed, does not necessarily correctly identify where that package or component actually originated and does not necessarily identify the name of the original file or the package where the file originated.
[0007] In particular, with all of the sharing of files via packages, it remains problematic to correctly locate the original name and version of a file which appears in different packages, in combination with the original package which originated that component.
SUMMARY
[0008] Accordingly, one or more embodiments provide a computer system which provides an authoritative name source for files within an ecosystem. The computer system includes at least one processor is configured to perform the following.
[0009] The files in the ecosystem are clustered into a plurality of superclusters, in which the files in each supercluster of the plurality of superclusters have identical contents. Then, of the files in the ecosystem which are clustered into the plurality of superclusters, which of the files have similar contents to each other are determined, and the files which have similar contents to each other are merged into the same supercluster, to capture possibly incremental changes to the files over time in one of the superclusters which has the files with identical contents and similar contents.
[0010] For each supercluster which has the files with identical and similar contents, the following is performed. Each supercluster is broken down into package clusters, based on packages to which the files belong, so that each of the package clusters has the files (that is, the files with identical and similar contents (probably due to incremental changes) from a same package. Which of the package clusters has most change frequency across versions is determined, as the authoritative package.
[0011] Then, an authoritative name for the files is resolved, based on the authoritative packages that are determined, across the plurality of superclusters which have files with identical and similar contents, and generating the authoritative name. Any authoritative name collision is resolved.
[0012] In an embodiment, a hash of file contents of each of the plurality of files is used to determine which of the files have identical contents, and the clustering of the files in the superclusters with identical contents is determined based on the hashes of file contents.
[0013] In an embodiment, for each supercluster, the each supercluster includes an indication of a source within the ecosystem for each file of the files, and the breaking down into the package clusters is based on the indication of the source of the each file.
[0014] In an embodiment, an abstract syntax tree of file contents of each of the plurality of files is prepared, and the abstract syntax trees are used to determine whether contents of files are similar, and the determining of files with similar contents into the same supercluster is based on the abstract syntax tree of file contents,
[0015] In an embodiment, for each supercluster, the each supercluster includes an indication of a source within the ecosystem for each file of the files.
[0016] In yet another embodiment, breaking each supercluster down into package clusters includes generating package names and versions for members of the supercluster; aggregating package clusters on package name and counting unique changes to the package cluster; and determining, for each package cluster, the most change frequency among the package clusters.
[0017] In still another embodiment, the authoritative name is resolved by merging authoritative package outliers into groups which are merged into package cluster based on file name; and the resolved authoritative name and source are identified. [0018] In yet a further embodiment, whether the authoritative name source is correct is determined based on the ecosystem in which authoritative name source originated.
[0019] In still another embodiment, the ecosystem, in which the files are located which are clustered, includes at least one software repository in which the files are located.
[0020] A further embodiment is a computer-implemented method, according to one or more of the above embodiments.
[0021] Still another embodiment is a non-transitory computer-readable medium comprising instructions for execution by a computer, the instructions including a computer-implemented method as above, the instructions for implementing the method in a processor.
[0022] One, or a combination of more than one, or all, of the above embodiments, can be combined and provided as a single embodiment.
[0023] Moreover, the purpose of the foregoing abstract is to enable the U.S. Patent and Trademark Office and the public generally, and especially the scientists, engineers and practitioners in the art who are not familiar with patent or legal terms or phraseology, to determine quickly from a cursory inspection the nature and essence of the technical disclosure of the application. The abstract is neither intended to define the invention of the application, which is measured by the claims, nor is it intended to be limiting as to the scope of the invention in any way.
BRIEF DESCRIPTION OF THE DRAWINGS
[0024] The accompanying figures, where like reference numerals refer to identical or functionally similar elements and which together with the detailed description below are incorporated in and form part of the specification, serve to further illustrate various exemplary embodiments and to explain various principles and advantages in accordance with the embodiments.
[0025] FIG. 1 is a data flow diagram illustrating flow in a computer system for authoritative name analysis;
[0026] FIG. 2 is a block diagram illustrating a supercluster of files with identical and incrementally changed contents, broken down into package clusters; [0027] FIG. 3 is a simplified file listing of files by hash across multiple versions in a package cluster;
[0028] FIG. 4 is an overall flow chart illustrating a procedure for authoritative name analysis;
[0029] FIG. 5 is a block diagram illustrating relevant portions of a computer system;
[0030] FIG. 6 to FIG. 8 collectively are a flow chart illustrating a procedure to provide an authoritative name analysis.
DETAILED DESCRIPTION
[0031] I. Introduction
[0032] In overview, the present disclosure concerns observing a file in a packaged application and indicating what is known about said file; more particularly uniquely identifying a correct name for a file within an ecosystem(s) which has numerous files, and/or identifying the actual origin of the file within the ecosystem, in which a package which may be associated with the packaged application comprises different self-contained software components which are stored in the ecosystem, the ecosystem may include one or more software repositories which support different packages, and the software components and packages are used and re-used by developers. Even more particularly, the present disclosure concerns attempting to identify, from all of the files in that ecosystem, a package in which a file changes or is a new version each time the package is released, which package will be considered to be the authoritative source of the file; the authoritative name of the file can be identified from the package which is the
authoritative source. The present disclosure builds on a hypothesis that an original author of a file will not push a new package of that file unless that file is changed; whereas a developer that merely uses the package with that file will likely not change that file in every release of a package.
[0033] More particularly, various inventive concepts and principles are embodied in systems, devices, and methods therein for an authoritative name analysis that definitely determines, for a given file, the true origin of the file (a so-called authoritative package), independent of how the file is packaged in an ecosystem, and which determines the authoritative name of the file. The authoritative name comprises the name of the file and a canonical version. [0034] The approach discussed herein to component identification can provide superior support for component identification, e.g., Java component identification, compared to available techniques. The strength of this approach can be enhanced by use of a few known conventions A-D below in the Maven/Java ecosystem which are noted at the outset:
[0035] A. Clear distinction between release and development versions:
[0036] Maven includes the concept of a SNAPSHOT version that is used for development. It also includes numerous tools for release automation to create release binaries.
[0037] B. Large Centralized Repository:
[0038] These release binaries are typically published to the Central Repository, run and sponsored by Sonatype. The central repository contains all releases since the beginning of Maven usage as immutable binaries.
[0039] C. Standardized Rich Metadata Format:
[0040] The conventional POM format used for the pom.xml file for component metadata is well standardized and therefore suitable for automated parsing. It is also comprehensive enough to allow for detailed component and dependency information.
[0041] D. Typically Immutable Components :
[0042] The immutable release binaries in the Central Repository and other repositories are typically consumed and used by other applications, without being modified. While modifications from simple file renames, recompilation, tree shaking, shading and others are possible, they are not the common use case.
[0043] The above conventions A-D might be expanded to other repositories and/or ecosystems.
[0044] II. Problem Presentation and Observations
[0045] A. Problem Statement
[0046] Previously, in software repositories, partial matching and recognizing of third party system components has been performed. This approach was primarily Java-specific and works well for Java environments. In other environments and/or languages, such as NuGet, npm, Python, Ruby, etc. there is a package vs. component problem. Java uses JARs, and therefore the software repositories use JARs and are very well-behaved. Nevertheless, other languages and environments use files which contain components, e.g., DLL files and others. The ecosystems tend to be massively not well behaved. For example, in a NPM repository, developers are not using the proper build format for using JQuery (which is used as a convenient example) but instead incorporate their own version of JQuery. Complicating the problem in this example is that JQuery (as an example) changes in every release.
[0047] There are other problems in attempting to identify a name and authoritative source of a file, caused by something even as simple as files not being named properly by developers.
This complicates identification of the file name and/or file type.
[0048] All of this can occur in a Big Data environment with thousands of files.
[0049] Further, simply matching the text of an identical file name is easy, but confusing because a filename may not be the commonly recognized name.
[0050] As a simple example, the following steps will usually not identify the authoritative name:
[0051] 1. recognize a javascript file (this is a routine technique)
[0052] 2. determine the file name.
[0053] Nevertheless, it is difficult for the computer to determine whether the file is a form of some real name as known to humans.
[0054] Using a timeline so as to identify the first or earliest component in a software repository ordinarily is not helpful, because a component may be added to a software repository asynchronously, and/or without regard to whether the component is the ultimate source.
[0055] Furthermore, as the usage of repositories and repository managers is adopted by other ecosystems, less mature or suitable usage patterns emerge and have to be considered for component identification and software supply chain management efforts.
[0056] The typical enterprise usage also includes component usage that spans ecosystems. In fact, this behavior is the norm. Consequently, it is likely that a particular file did not originate in the same ecosystem in which it is being used. An effect is that it is probably erroneous to simply identify the earliest use of that file, or the earliest project corresponding to that file. [0057] All of these technical advances lead to numerous problems with precise component identification, which can cause problems with, for example, software supply chain management.
[0058] B. Problem Example— JavaScript and JQuery
[0059] Reference is now made to a real example to showcase some aspects of the problem.
[0060] JQuery is a very popular JavaScript framework used for web application
development. Even the official download page mentions numerous options and formats:
[0061] · Direct download of the compressed (=minified) file for production usage
[0062] · Direct download of the uncompressed file for development
[0063] · Download with npm
[0064] · Download with bower
[0065] · Download from/Reference to numerous CDN hosting options
[0066] Of course, there are numerous older releases of JQuery with three major versions currently available. There are also subprojects such as jquery mobile and jquery colors available. One will appreciate, even for the core jquery library, there are numerous ways to obtain the code and the library.
[0067] Now consider a typical usage. As a JavaScript library, JQuery designed for client side usage in a web browser is used in many web applications. These are written in various different development stacks such as Node.js, .Net and Java. Respectively, jquery files can be found in many web applications in the repositories for these stacks: not only in Maven repositories such as the Central Repository, in NuGet repositories used by .Net developers such as the
NugetGallery, in npmjs.org used by Node.js developers, but also in many others including internal repositories using the different formats. As a result, a developer might for example find a Java WAR file that contains a jquery js file in the a js or other folder inside the WAR archive.
[0068] As another complication, the libraries by themselves are often also packaged in the specific repository format to ease the usage. For example, JQuery is distributed via, among many others:
[0069] · npm https://www.npmj s dot com/package/j query
[0070] · NuGet https://www.nuget dot org/packages/j Query [0071] · Maven http://repol .maven dot org/maven2/org/webjars/j query/
[0072] These redistributions are often not managed by the actual JQuery project itself.
JQuery is also used by many other libraries, written in JavaScript or any other stacks, as a dependency that provides functionality as a foundation for further features and therefore is embedded in the relevant packages.
[0073] Keeping this in mind, a current analysis finds that a j query js file is found in roughly 72,000 packages across the various packaging systems and repositories in one ecosystem. The total number of distributions is even higher, and the number of packages continues to increase.
[0074] C. Challenges
[0075] The sheer amount of packages to analyze and the resulting data that needs to be sifted itself poses a challenge.
[0076] In addition, there other important challenges which include the following.
[0077] —How can the system figure out that the file j query js occurs in a specific package merely because it is simply used in that package?
[0078] —How can the system determine the specific version of j query which this package contains? And how can the system differentiate this package's version of j query from an original j query distribution itself in a specific packaging format?
[0079] —How can the system recognize that some file is actually the original j query despite j query having been included in 72,000 different packages, so that the system can provide the right metadata which corresponds to the original j query?
[0080] Solving these questions is necessary to be able to correctly associate the right metadata to the right packages, so as to provide the correct information downstream. For example, a correct identification of components within other components and their distribution supports the creation of a correct bill of materials of an application or the performance supply chain management without wasted efforts.
[0081] These challenges affect all software ecosystems and software packaging systems. Accordingly, solving the identification problem is not at all isolated to JavaScript usage.
[0082] D. State of the Conventional Art [0083] There are problems with current approaches. What is not working today, is that the identification problem has not been solved. Without solving the identification problem in detail, any further efforts are flawed. And that is exactly where the conventional art is.
[0084] Conventional systems which assert JavaScript support often mean that *.js files are identified as JavaScript and not much more beyond.
[0085] Some conventional systems can identify j query js as JQuery, but fail when the file is renamed. Some conventional systems fail when JQuery is embedded in other files nested in archives. Some conventional systems fail to identify the version of JQuery.
[0086] Although JavaScript support is regularly marketed as a feature of conventional products, the inventors have not observed truly working support necessary for efficiently and correctly identifying files and packages. In fact, similar issues are found in actual use of conventional Java/Maven support products.
[0087] III. Aspects of the Approach
[0088] Further in accordance with exemplary embodiments, there is provided a method and system that resolve the issues mentioned above.
[0089] As further discussed herein below, various inventive principles and combinations thereof are advantageously employed to allow determination of the authoritative name of a package.
[0090] A. Concept Summary
[0091] The overall concept is to identify the authoritative source of a file, and the authoritative name of a file. The point is to be able to identify that a component is a form of something authoritative, which is known to the developers. As a brief summary, the concept uses the following steps, in an ecosystem which has large numbers of files:
[0092] 1. Cluster the files in an ecosystem(s) into superclusters of files, where each supercluster has identical and partially matching components/files, while retaining an indication of the package source of each component/file. Each supercluster thus has all of the different packages which use and re-use the basically identical file (as that file incrementally evolves from time-to-time). [0093] 2. Within each supercluster, cluster the same packages together and look for the smallest package cluster, which is the package cluster in which the file incrementally evolves with the highest frequency. Consider the package cluster with the highest frequency of change to identify the package which is the authoritative source of a file, and from there ascertain the authoritative name of the file.
[0094] This solution is totally counter-intuitive to the usual use of clustering of files which relies on the highest confidence (largest) cluster instead of the smallest and thus ordinarily the lowest confidence cluster.
[0095] B. Authoritative Name and Authoritative Package Concept
[0096] A goal of the Authoritative Name analysis herein is to correctly determine the authoritative name of a package. The authoritative name is the identifier used for a package that ties the package to the original upstream release of a component and therefore the correct metadata.
[0097] The solution to the problem discussed in the above section is correct and precise component identification. The redistribution and nesting of components is handled by determining which packages were redistributed within another package, as distinguished from real distribution based on an original upstream project. As an advantage, attachment of the correct metadata to the component is possible when this is achieved. The process and system discussed herein makes this distinction possible.
[0098] There are several advantages of this approach, including the following examples. The concept behind the authoritative name identification can be independent of the packaging system(s) by which components are distributed. The concept of authoritative name identification enables a new quality of component identification in JavaScript and other ecosystems.
Authoritative name identification can enable further improvements, such as to the Java/Maven support and others.
[0099] Consider, as a simple example, the JavaScript library Clipper has a dependency to j query. The authoritative name analysis of any Clipper package should result in an authoritative name of "Clipper"; the authoritative name analysis of any "ApplicationX" that uses Clipper should result in an authoritative name of "ApplicationX". However, neither the Clipper package nor ApplicationX can result in an authoritative name of "j query".
[00100] On the other hand, authoritative name analysis of any redistribution of JQuery in npmjs.org, the NuGet Gallery or the Central Repository, should result in the authoritative name of "j query".
[00101] Authoritative name analysis of any usage of the identical j query file, or even a renamed or custom minified copy of the original j query js, within an application, should result in the identification of this component within an application as "j query"— not "Clipper" or any other authoritative name.
[00102] From a developer's perspective, the authoritative name analysis can work off just the distributable application archive or other specified group of files. The authoritative name analysis does not require any build time declaration or other context specific information to provide correct results. Consequently, a developer can provide an authoritative name analysis even of a binary running in a production environment.
[00103] All contents of an application distributable can be extracted and precisely identified for authoritative name and version. As a result, a developer can provide correct association of metadata, and a creation of a complete bill of materials or other usage of the metadata.
[00104] The Authoritative Name analysis discussed herein can provide support for the JavaScript ecosystem and/or other ecosystems.
[00105] The nature of the authoritative name analysis includes large data mining and analysis efforts because the ecosystems tend to have thousands of files.
[00106] IV. Details of Concepts and Variations
[00107] The following example and some variations are well suited to demonstrate various implementation details and advantages.
[00108] A. Overview
[00109] The following is an overview of the steps which can be followed to provide an authoritative name analysis. This example mentions Javascript, but it should be noted that the authoritative name analysis is intended to be applied and adapted (if necessary) to non- Javascript files as well.
[00110] 1. Identify the contents of every file in the ecosystem(s)— Collect the hash of every Javascript file across the various ecosystems
[00111] 2. Determine all files which have identical contents— Create file hash clusters (FHC) for all Javascript files, in which each cluster has only files with identical contents based on, e.g., hash of file contents
[00112] 3. Determine all files which have contents which are incrementally changed from the identical files— Aggregate/enlarge file hash clusters, e.g., based on Abstract Syntax Tree ("AST") similarity
[00113] 4. For a cluster of identical/incrementally changed files, determine the packages the files belong to, further break those packages down by versions, and identify the package with the "most change" frequency for that file— Create package clusters from file hash clusters
[00114] 5. Pull any outlying files back into the package version group in which they belong— Create package version groups from the package cluster based on authoritative package versions
[00115] 6. Resolve authoritative name collisions among the clusters of files— Generate AName from authoritative package version groups
[00116] The purpose of steps 1-3 is to find all of the different versions of a file and partially modified files from those versions, for example, to put all of j query files into a supercluster. The purpose of the next steps 4-6 is to sort the supercluster out, to determine the versions, the packages, the authoritative package and the authoritative name, for the file. The steps can handle variant cases to achieve a more correct result.
[00117] All of the above are discussed in more detail in the following section in connection with FIG. 1, a data flow diagram illustrating flow in a computer system for authoritative name analysis. As illustrated in FIG. 1, there are files in packages (not illustrated) in one or more ecosystems 103, here represented by Ecosystem 105 and ecosystem F 107. Files in ecosystem E 105 include File X 2.1.2 (plural copies), File X 2.0, and File Y 1.1 109-115. Files in ecosystem F 107 includes File X 2.1 (plural copies), File X 2.2 (plural copies), File X 2.3, and File Z 2.0 117-127. The ecosystem(s) have only those files of which the ecosystem is aware, and accordingly, there are gaps in versions and package releases in the ecosystem. The files are identified 101, and then from preferably all of the files in the ecosystems 103, the analysis clusters 131 together, into superclusters, all identical and incrementally changed files based on file contents, and remembers the source where the files originated. Here, each of supercluster A, B and C 141, 143, 145 has different files, and the files in one supercluster have identical and sufficiently similar (i.e., incrementally changed) contents to each other.
[00118] Then each supercluster 161, 163, 165 is broken down by package into package clustersl71-177, in which each package cluster has files from the same package. Then, for each supercluster, the analysis determines 181 which package cluster has the highest frequency of change for that file, which is the authoritative package for that file. For the authoritative package, the analysis generates 191 the authoritative name based on the source that was remembered. The analysis resolves 195 the authoritative name across authoritative packages for all of the superclusters in view of the possibility of collisions among authoritative names, possibility resulting in fewer authoritative names and authoritative packages 197, 199 when colliding superclusters are merged. The authoritative name and authoritative package are identified 197, 199 for each file, and the information resulting from the correct authoritative name can be associated with the file.
[00119] It should be noted that the steps are not necessarily performed strictly in the order listed above. In an implementation, it may be desirable to perform steps in parallel or in alternate orders. For example, the hashes of file contents can be collected while clustering the hashes of identical files, and even the similar file contents can be collected and even merged into clusters, in parallel to these steps. Indeed, it may be desirable to perform some of the steps in reverse order. However, the steps will be discussed as if they occur in order to avoid obscuring the inventive aspects.
[00120] FIG. 2 is a somewhat more detailed block diagram of the concept of using change frequency to identify the authoritative package, illustrating a supercluster 241 of files with identical and incrementally changed contents, broken down into package clusters 201, 221, 231. All of the files in the supercluster 241 have identical contents, or have incrementally changed contents (as further explained below); here the files are represented by File X 2.0 (multiple copies), File X 2.1 (multiple copies), File X 2.1.2 (multiple copies), File X 2.2 (multiple copies), and File X 2.3. These files are preliminarily clustered in the same supercluster by the analysis because they are considered to be basically the same files as they have been changed from time- to-time and released in packages. The files in the supercluster 241 have been broken into package clusters 201, 221, 231; each package cluster has the same package clustered by version. Package cluster P 201 has all of the packages P 1.2, P 1.2.1, P 1.3, P 1.5, and P 1.6 203-211 ; package cluster Q 221 has all of the packages Q 2.2, Q 2.3, and Q 2.6 223-227; and package cluster R 231 has all of the packages R 3.0, R 3.1, R 4.1, and R 4.2 233-239. It can be seen that package cluster P 201 has 5 different package releases, and has 2 different versions of file X; package cluster Q 221 has 3 different package releases, and has 3 different versions of file X; and package cluster R 231 has 4 different package releases and has 3 different versions of file X. Each package release of package Q 221 includes a different version of file X. Packages P and R were each released several times without a new version of file X. Accordingly, the most change frequency for file X across versions is in package Q, which is identified as the authoritative package.
[00121] B. Details
[00122] 1. Identify the contents of every file in the ecosystem(s)— Collect the hash of every Javascript file across the various ecosystems
[00123] The purpose of this step is to be able to identify the contents of every single file in the ecosystem. Recall that the higher level problem is to observe a file, such as a Javascript file, in a packaged application and tell the user what is known about the file. The first step is to recognize all the ecosystems that are supported (or are otherwise of interested), to recognize all of the files that are in the ecosystem, and then to identify which of those files have contents which are identical to each other.
[00124] To identify file contents, it is convenient and expeditious to hash the file contents. Hashes can be performed against file contents without regard to whether the file contents are source or binary, for example. Note that identical hashes are not discarded. Note that source information indicating the source where the file originated is remembered, such as the package and/or ecosystem in which the file is located. Source information where the file originated may be included in a package in which the file was distributed.
[00125] The ecosystems which are to be included can be determined in various ways. In an implementation, there is an ongoing process of tracking the ecosystems that the system supports, for example, where software is coming from (components from existing repositories which the system then goes to and ingests). In another implementation, customers tell system where the software is from; some software is already known to the system. There may be an ongoing re- evaluation as to the ecosystems which are included, for example, the system can pull in a newly located pocket of Javascript and see how it fits into already -known information. The ecosystem can include the entire world of things are relevant. By using a large ecosystem, the unknowns can be decreased by increasing the number of knowns. The system can auto-discover repositories of its customers; techniques are known to discover the ecosystems. Most of the ecosystems include known sources with known structure, and files can be retrieved or observed using known techniques.
[00126] Accordingly, the ecosystem can include hundreds of thousands of components, and probably thousands of new ones every day. This is a Big Data problem.
[00127] In a variation, the ecosystem is limited to a specified universe of files.
[00128] 2. Determine all files which have identical contents— Create file hash clusters (FHC) for all Javascript files, in which each cluster has only files with identical contents
[00129] The system tries to find all of the files that have identical contents. Conventionally, the file with the same contents has been distributed across thousands of packages. The system clusters together the files which have the same identical hash, which are known to exist at certain places.
[00130] Referring to a known Javascript ecosystem as an example, there are 42,000,000 files in that ecosystem (and increasing). However, accounting for uniqueness, there are only
6,000,000 unique files which have been distributed across packages. 36,000,000 files are just duplicates of the same file throughout the entire Javascript ecosystem. The present system identifies the unique hash, and lists all of the places that unique hash (all of the identical files) exists. In this example, the system identifies 6,000,000 unique groups, each of which is a cluster of files with the same identical file contents.
[00131] Any way to identify files with the same contents may be used. Conventional hashing is convenient to use. The purpose is to identify unique files.
[00132] The system can collect all of those hashes, including information where the hash is from which is used later to answer the question regarding which one of these multiple places that the unique file came from is most likely to be the authoritative source of the unique file.
[00133] A file hash cluster, per unique file, identifies all of the places that the unique file was located in the ecosystem.
[00134] Note, in conventional identification using hashing of a file, identical files
conventionally are discarded.
[00135] 3. Determine all files which have contents which are incrementally changed from the identical files— Aggregate/enlarge file hash clusters on AST similarity
[00136] The purpose of this step is to incorporate files that should be in a file hash cluster
(from the previous step) because they are semantically identical or incrementally different, but are not included because they have any change from the previous file.
[00137] Consider, for example, if the difference between files is even so small as a carriage return/line feed or white space, then the hash will not be identical even though the files are semantically identical.
[00138] A convenient way to identify semantically identical files is to prepare syntax abstraction of the structure of program code in the files to be compared, or more particularly, using an AST (abstract syntax tree) according to any conventional technique. An AST is known to represent the code structure in a way which ignores most non-syntax elements. An AST can be created of all of the files, and clusters which have files with identical ASTs can be combined. Furthermore, clusters which have files with sufficiently similar ASTs can be combined. An AST can be prepared from a binary file's machine code, or bytecode, or source code. ASTs prepared from a source code and binary code version of the same file should be considered to be highly similar
[00139] The file input to the AST can be normalized prior to preparing the AST, to will alleviate minor differences in the files. Techniques are known for normalizing files.
[00140] A group of files which are identical, or with sufficiently similar contents, is referred to as a "supercluster".
[00141] The intention is for the system to catch files which have almost the same contents but for some reason the contents are not exactly the same.
[00142] As an example, consider that the file j query will have incremental modification(s) across versions. The system intends to capture all of the j query files with those incremental modifications into one cluster because we want to capture all alike files and files with small changes, to be grouped into the same clusters. As the file jquery changes from 1.1 to 1.2 to 1.3, there is going to be enough of a structural similarity in the file contents between 1.1 and 1.2, and between 1.2 and 1.3, that the files will match (most of the time) as part of this step, which will enlarge the clusters by including such incrementally changed files in the supercluster with the identical files.
[00143] The AST is a known technique which is convenient to use to identify semantically identical and semantically similar file contents because similarity can be identified using the tree structure. For example, files with identical ASTs of their file contents can be placed in the same superstructure. In addition, the system can set a percentage of similarity of ASTs so that files with highly similar ASTs can be placed in the same superstructure.
[00144] One way to aggregate and enlarge the file hash clusters is to use AST similarity, and variations. Thus, this step can include, for each file hash cluster merge (iterative; where similarity disperses across versions):
[00145] (i). Perform FHC AST similarity comparison and merge similar FHC
[00146] (ii) Perform minified AST/File inclusion and merge similar FHC
[00147] (iii) Perform normalized AST inclusion and merge similar FHC
[00148] Each of these is further considered below. [00149] (i) Perform FHC AST similarity comparison and merge similar FHC
[00150] Consider an example of a first file hash cluster in which the members are identical (that is, they all have the same hash), such as JQuery l . l .js. The system will look to the other file hash clusters to identify files which are, e.g., 95% or more similar to the first file hash cluster. This might identify a second file hash cluster with JQuery 1.2 as being 95% or more similar, and the system will incorporate the second file hash cluster into the first file hash cluster. And then the system will take the 1.2 version (the second file hash cluster) and search for similarity for that version, possibly identifying a third file hash cluster with JQuery 1.3 which is changed a little bit and is 98% similar to 1.2 and incorporate the third file hash cluster with JQuery 1.3 into the first file hash cluster. Similarity between the original file JQuery 1.1 and JQuery 1.3 version might be 80%.
[00151] The purpose is not to put consecutive versions together as such. Instead, the purpose is to find files whose contents are incrementally modified versions of 1.1. The system intends to identify 1.1, 1.1 ', and so on, and pull them into a supercluster. For example, assume that a user is given a canonical version and makes a slight change. And another user makes another slight change to the second version. The resulting third version may not match the canonical version but it matches the second version. The system brings the versions together into a supercluster so as to be able to create the version groups (in step # 4) by pulling apart the supercluster.
[00152] Here, the system uses the clusters of files which have identical contents, and then finds files which are incrementally slightly different (using, for example, an AST to determine source files which are slightly different) and add those incrementally modified files are incorporated into the supercluster. The supercluster thus will include identically same files and incrementally different files. For example, in a situation where there are clusters A, B and C, each containing identical files, cluster BB is incrementally different from A, and cluster C is incrementally different from B. Cluster B is added to cluster A since the files of B are incrementally different from A, and then cluster C may be added to cluster A since the files of C are incrementally different from B, which creates a supercluster of A+B+C. Note that the files of C were not added originally to cluster A because C is too different from A and was only discovered via the inclusion of cluster B from which C is only incrementally different from A.
[00153] (ii) Perform minified AST/File inclusion and merge similar FHC
[00154] Minification is a technique used to shrink a total size of a file. Minification techniques are known to change a variable name which is too long into a smaller name;
minification removes white space; some minification algorithms perform optimization of code. Many files are distributed in a minified form. For example, because Javascript is usually downloaded with the webpage, it is should be distributed in a very small form. When a file is delivered to a machine, the human readable version is usually minified to a very small size while achieving equivalent functionality. A regular Javascript file is not identical to the same file minified. Nevertheless, the system intends to match the minified files to the non-minified file, and pull the minified files into the supercluster.
[00155] In this system, some files in the ecosystem have already been minified. When a package is distributed, conventionally the non-minified and minified Javascript file are in the package, and the minified file is conventionally what is used in the application. So, the system has access via the ecosystem to both the minified and non-minified version of the file. When the ASTs are matched, the AST of the file probably will not match the minified version of the file.
[00156] One way to include the minified version of a file in the cluster that has a non-minified version is to search for and locate the minified version of the file based on the file name, and pull the minified version(s) into the supercluster which includes the non-minified version of the file. Note that the minification algorithm generates a well-defined minified file name pattern, e.g., with a .min extension. The end result is to pull the minified files into the appropriate
supercluster.
[00157] (iii) Perform normalized AST inclusion and merge similar FHC
[00158] In an embodiment, the AST similarity and/or minification AST inclusion can be replaced by normalized AST inclusion. [00159] Normalization can be utilized to find superclusters. The AST allows the system to ignore, e.g., white space and comments which can be ignored because they don't mean anything semantically. Other elements which are semantically irrelevant should be ignored before creating the hash.
[00160] In this variation, the AST is used to generate the hash of the file. This is another embodiment for determining what is included in the AST for generating the fingerprint.
[00161] The point is to find files which are similar so as to create superclusters by aggregating incrementally similar files (identified via minified, AST with/or without normalization).
[00162] 4. For a cluster of identical/incrementally changed files, determine the packages the files belong to, further break those packages down by versions, and identify the package with the "most change" frequency for that file— Create package clusters from file hash clusters
[00163] Consider a situation that supercluster has been created pursuant to the previous steps #1 to #3, and in this example supercluster there are different javascript packages, e.g., a clipper package with j query inside of clipper; a foo package with j query, and another package is j query with jquery inside the jquery package, and so on. This supercluster has all of the identical and incrementally similar files across all of the different packages (in the ecosystem) in which that file occurs. For a normal ecosystem, one supercluster may have hundreds of different packages in which the identical and incrementally similar jquery file occurs.
[00164] From that supercluster which has all of the different packages, the analysis will determine which of these hundreds of different packages which have jquery inside, is the authoritative package, in this example, for jquery. In other words, the analysis intends to determine out of all of these packages with jquery in it, which is the original project that is responsible for that file, e.g., jquery.
[00165] The analysis breaks the supercluster down into all of the packages therein. For each one of these packages, the supercluster breaks the package down into versions. The analysis will determine which package in which that file has most change across those versions, which is therefore considered to be the project where that file originates. [00166] This analysis is based on the inventor's realization that one would expect when checking in a new j query that it is changed, which is the reason to create a new version of that file. Consequently, breaking up the supercluster into the packages and then into versions and then looking for the files most changed across each version should identify the package (and thus the project) where the file originates.
[00167] In order to break the supercluster into the packages and versions, and then determine the "most change" frequency, the following steps are taken:
[00168] 4. a. Generate package names and versions for each member
[00169] 4.b. Aggregate on package name to determine version count
[00170] 4.C. Determine "most change" frequency across versions for each package by file
Hash, and identify this as the authoritative package for that file.
[00171] Refer to the example of FIG. 3 which is representative of a j query hash across multiple versions. Assume that the files which are identical and incrementally similar to j query have all been pulled into the same supercluster. The analysis does not need know that these are all referred to as "j query" and indeed similarity of name is not used in the analysis. More importantly, without further analysis it is unknown which of these packages is the original.
[00172] In a supercluster, the file names are probably not all the same, the hashes probably are not the same, and the versions will probably vary widely (as in the over-simplified example of Table 1). This overall analysis intends to determine which of these files is the authoritative file. In this step #4, the analysis looks in one supercluster for the package which has the most change across the versions; this is considered the authoritative package.
[00173] Reference is now made to the example oversimplified supercluster of Table 1. The third column is the "package name". A supercluster may include a thousand packages all of which have the identical and incrementally similar files in it. In this step #4, the analysis looks at the packages in one supercluster, puts all of the j query packages into the same package cluster, and puts all of the Clipper packages into another package cluster, putting the webjar packages into yet another cluster, and so on, based on package name. Thus, the supercluster is broken down into package clusters, and each of the package clusters has the packages with the same package name.
[00174] The hypothesis is that the author of j query is pushing new packages that have the jquery file, in which the jquery file ideally changes with every released package. In other words, the original author of jquery is not going to release the package with the jquery file unless the jquery file is changed. However, if a developer is merely a user of some package with jquery, the developer is not going to change the version of jquery with every release of that package; the version of jquery may be changed in some releases but not every release. So the goal of step #4 is to determine, of the packages in the supercluster, which package has the file that changes with every release of that package. This is the authoritative file, because no one but the authoritative developer of that file will be creating a new version of the file with every release. This is what the "most change" is about.
[00175] In this step, all of the identical and incrementally similar files have been grouped into a supercluster, then the supercluster is sorted out into individual packages (each, a package cluster which has packages that have the same name), each package cluster is split into the version clusters (each version cluster has only the files with all the same version within the package cluster), and then from the frequency of change of version clusters within each package cluster, the analysis can determine which package cluster is the authoritative package.
[00176] "Change frequency" refers to how frequently the file in a package is changed, in relation to how frequently the package is released. The general concept is, in an ideal situation, every time a package is released the file is a new version; therefore this package must be the authoritative source. In reality, a file is not necessarily changed in a release of the authoritative package. Consequently, the package in which the file changes most frequently in relation to package releases is in the package which is the authoritative source. Identical files in a package cluster are considered to be only one "change" which is counted once; all changes to files in the package are counted. In determining change frequency, identical package releases in a package cluster are considered to be only one "change" which is counted once; all packages releases are counted. [00177] "Change frequency" (sometimes referred to as "frequency of change") may be implemented as a ratio of change (such as number of versions of that file in a package vs.
number of package releases of that package). The highest ratio of package releases to file changes is what is looked for. It is expected that this ratio of the package which is the authoritative source is close to 100 % in which each release (or almost each release) of that package has a change in that file. For consumers of the file, it is expected that the ratio is closer to 0-10%, e.g., for every 10 releases of a non-authoritative package, that package has a new j query.
[00178] 4.c.i. Example of jquery hash across multiple versions
[00179] Reference is now made to FIG. 3, which is representative of a hash across multiple versions of the same or incrementally changed file jquery. As illustrated in the simplified file listing 301, under each hash is a file which has identical contents. Note that each file is listed so as to identify where in the ecosystem the file was obtained from. The files are named according to naming conventions.
[00180] 4.c.ii. Examples of frequency of change across versions
[00181] In this context, a change means a "change to the javascript file itself." When a project uses, a file such as jquery, the file jquery might be used as a dependency in which case there is no change from the original file; or it may be checked it into the source control and possibly edited (or a copyright line change, etc.) and any new character will make the hash different. This is considered a "change" to the file.
[00182] In the following example cases, the frequency of change is used to determine which package is the authoritative package. In all of the following cases, JQ should be determined to be the authoritative name of the authoritative package.
[00183] Consider the following cases a, b and c which compare frequency of change of the file jquery across versions of project JQ (which is the project in which jquery is developed) and project Foo (in which a developer merely uses jquery):
[00184] Case a. JQ: 10 versions, 10 changes & Foo: 12 versions, 10 changes
[00185] Case b. JQ: 10 versions, 10 changes & Foo: 10 version 10 changes [00186] Case c. JQ: 10 versions, 8 changes & Foo: 10 version 10 changes
[00187] Case a is the normally expected case, in which every check-in is of a new version and in every check-in the file changes (in project JQ). There might be 12 versions of a
corresponding project (here, project Foo), but j query is not updated in every version of the corresponding project Foo; in this example j query is updated in only two versions of the corresponding project Foo. A developer who merely uses j query will release their project more frequently than the developer updates the file (e.g., j query) which they are merely using.
[00188] In Case a, JQ is identified as the authoritative package.
[00189] In Case b, it just happens that the number of changes is equal in both the file and the project, so that both have the same highest frequency of change. In this situation, the system can use the file name to resolve which project is authoritative. Alternatively, the file can be forward for human review to resolve which project is authoritative.
[00190] Case c is a hypothetical case which is speculated must exist which causes the incorrect result. In Case c, there are more changes in what would be the incorrect project; causing the system to incorrectly identify the authoritative package. This might happen if, for example, in every check-in the developer of Foo adds their initials to the file, thereby creating a change for every single file in Foo. In this hypothetical scenario, the system will identify the wrong project (Foo) as being the original project. The system can resolve some of these errors by making sure that the ecosystem is correct, e.g., fee can default to the javascript ecosystem. Another possibility is that ecosystems might be assigned in pre-determined priority. For example, it is unlikely that a javascript developer would release via NuGet, and so a file of type javascript which identifies a nugget package as the authoritative project will be indicated as incorrect and needing further resolution.
[00191] In Case c, Foo is identified as being the authoritative project, which is known to be incorrect because it is in the wrong ecosystem for a javascript-type file. Because Foo is the wrong system, the result can be forwarded for human review.
[00192] In a variation, to resolve package inclusion, node modules should not participate in the frequency count. [00193] 5. Pull any outlying files back into the package version group in which they belong— Create package version groups from the package cluster based on authoritative package versions
[00194] Once we have identified the authoritative package, we need to move all of the other files into their correct version slot. From the supercluster and the frequency of change across versions, the analysis in the above Case A has authoritatively determined that JQ is the authoritative package. We have these other files that are in the supercluster but are not in the JQ package, such as listed in Table 1 and Table 2, namely, Clipper, Webjar, and NuGet. These package clusters are all in the same supercluster, but each package cluster should be assigned to a package version group, so as to authoritatively indicate that a (in the package cluster) file is most similar to an authoritatively named file, e.g., JQuery 1.1. Step #5 is intended to pull in the outlying authoritative packages in the version cluster into the authoritative package version group.
[00195] This can be done by:
[00196] a. Merging authoritative package outliers into authoritative package version groups; and
[00197] b. Merging minified outliers based on file name and not AST
[00198] As an example, consider the simplified example in Table 1, which has 6 packages all with JQ. There are six files in this simplified supercluster, and assume that JQ has been determined as the authoritative package. Now, doing an AST similarity comparison, the analysis finds that Clipper version 4.5 is most similar to Pkg 1 version 1.1, so it is assigned to the version 1.1 version cluster as shown in Table 2. When we see that clipper 4.5 inside an application, we can give it the data from the project being jquery 1.1. This step is about, how do the outliers get moved into the package version groups.
[00199] This happens in two ways. The non-minified files are optionally normalized and merged based on AST. The minified files can be merged based on file name and not on AST similarity. [00200] TABLE 1 - Supercluster of 6 package clusters all with file JO
Figure imgf000029_0001
[00201] TABLE 2 - Versions Clusters Based on JO Being Authoritative Package
Figure imgf000029_0002
[00202] Collision resolution when assigning the outlying files may be handled. It is possible that the file did not change from 1.1 to 1.2, such as when a new release is created due to some other file in the package. If that is the case, then Clipper 4.5 might match both 1.1 and 1.2 in Table 2. The analysis can arbitrarily resolve the collision by assigning Clipper 4.5 to the earlier ("introduction") version. Accordingly, the analysis can resolve version collisions to introduction version.
[00203] 6. Resolve authoritative name collisions among the clusters of files— Generate AName from authoritative package version groups [00204] At this step, the analysis has all of the superclusters, and each supercluster has been assigned an authoritative name and an authoritative versions. Referring back to the examples of Tables 1 and 2, perhaps jquery versions 1.1 and 1.2 were in the same supercluster but j query 1.3 was in another supercluster because it was a major rewrite and thus insufficiently similar to be identified as an incremental change. In that situation, the authoritative name for the supercluster which includes jquery 1.1 is going to be "jquery" and the authoritative name for the supercluster which includes jquery 1.3 is also going to be "jquery." There is an authoritative name collision, which should be resolved. Because of the way that we generate the authoritative package name itself, we know that if a collision occurs, they came from the same package structure.
[00205 This step includes the following:
[00206 a. Use the authoritative package to generate the AName name
[00207 b. Use the authoritative package versions to generate AName_versions
[00208 c. Each member of the authoritative package version groups receives AName_(name, version
[00209 d. Collision Resolution
[00210 i. When the AName_name collides and the version does not collide
[00211 1. Create a new version in the authoritative package versions
[00212 ii. When AName_name collides and the version collides
[00213 1. Merge clusters
[00214 For example, if the AName is jquery for 1.1 and 1.2, and the AName is jquery for 1.3, the only way that those names could match is if the package format for 1.1, 1.2 and 1.3 is exactly the same. Accordingly, those two superclusters should be (and are) merged together. So in the case where we have a jquery 1.1 and 1.2 in one cluster and jquery 1.3 in another cluster, we need to merge those two superclusters to add the 1.3 version to the 1.1 and 1.2 versions.
[00215] In this example as explained above, jquery 1.3 was originally in a different supercluster. At the end of the day, we independently calculated that the ANames of two different superclusters are the same. This in effect realizes that 1.3 should have been in the same supercluster. The change between 1.2 and 1.3 was so significant that they didn't get merged into the same superclusters. This step addresses the problem that a change may be so significant that the relationship between the files was not previously realized.
[00216] This step recognizes that the analysis might not make the correct superclusters at step 1. Step 2 has localization files or ancillary files that are not going to change from version to version to version, and they will end up in a supercluster with one file. In this step #6, this analysis finds that the authoritative name of one superclusters collides with the name from another supercluster. These superclusters will be merged into the appropriate authoritative name. The analysis can include the information from those files as well.
[00217] Consider that a particular package has filel and file2, which are not similar at all and just perform different functions in the package. When the files are associated to an AName, we want the AName of both files to be the same as well as having the version resolution. By combining the ANames at the end, the analysis collapses filel and file 2 under the same AName.
[00218] The point of creating the supercluster is to pull in version history as well as to pull in other modifications in other packages. The point of this last step is to merge all of the ancillary files inside that package back together under the AName. The local additional files are another example, which should be under the AName.
[00219] The version assignments happen before they are collapsed. So when collapsed, they already have the versions assigned.
[00220] In another embodiment, step 6 might occur before step 5.
[00221] In the worst case scenario the outlier files might not match the version and might not have a AName and might need human review.
[00222] C. Flow Diagram
[00223] Reference is now made to FIG. 4, an overall flow chart illustrating a procedure for authoritative name analysis. The flow chart of FIG. 4 encompasses the flow discussed above.
[00224] By way of review, the follow features were discussed above:
[00225] Stepl, Step 2. Collect unique identifiers of files into clusters to create hash clusters, each hash cluster contains identical files (and indicates their sources). In the example of FIG. 4, at step 401, the analysis creates file hash clusters based on identical hash matches. At step 403, the analysis generates an AST fingerprint for each hash cluster.
[00226] Step 3. Include, to create superclusters, of similar files so as to capture incremental changes over time. In the example of FIG. 4, at step 405, the analysis aggregates and enlarges file hash clusters based on AST similarity. At step 407, the analysis performs the previous operation until the outlier set is exhausted. At step 409, the analysis pulls in outlier files (for example, outlier js files) where the AST fingerprints and the files' ASTs are a sufficiently good match. At step 411, for each member of the outlier set, the analysis measures AST similarity between the candidate file's AST and all hash cluster ASTs. At step 413, the analysis performs the previous operation until the outlier set is exhausted.
[00227] Step 4. Break supercluster down into package clusters. Within each of the
superclusters, discover which package cluster within a supercluster is the "most changed", which is the authoritative package. In the example of FIG. 4, at step 415, at this point we have a set of populated FHCs where the members are js files that are either identical or similar based on AST matches. At step 417, the analysis creates package clusters from the file hash clusters.
[00228] Step 5. Create package version groups from the authoritative packages and merge in outliers into packages. At step 419, for each version within an authoritative package group within a package cluster, the analysis evaluates AST similarity distances to other files that belong to low variance package groups within the same package cluster. Then, at step 421, the analysis identifies the authoritative package. At step 423, the analysis evaluates packages within each package cluster and identifies patterns where version variances within the same package are relatively higher than version variances of other packages. At step 425, the analysis assigns the version to each file that belongs to a lower version variant package, for example, propagate the version number from the most similar file in the high version variant package group.
[00229] Step 6. Generate authoritative name from authoritative package version groups and resolving collisions of authoritative names across the different superclusters (merging the superclusters which resolve into the same authoritative name). In the example of FIG. 4, at step 427, the analysis resolves A-name collisions. [00230] As a result, the authoritative package version and source of the file is identified.
Subsequently, post-identification processing can be performed using that information, for example, to associate that information based on the authoritative package version and source to other files that are resolved to the same authoritative package group. In the example of FIG. 4, at step 429, post-identification processing can assign the project URL, and/or license information and/or metadata information from the high version variant package group to all other members of the same package cluster. For example, in a package in which a developer merely uses a variation of j query, after analysis that variation of j query is associated with the license information and metadata information from the authoritative package version and source from the originator of j query.
[00231] V. Additional Example Implementations
[00232] This section will discuss additional concrete examples of implementation, which are well suited to demonstrate various implementation details.
[00233] FIG. 5 illustrates a computer system implementation. The procedure of FIG. 6 to FIG. 8 conveniently may be implemented on the computer system of FIG. 5, or any another apparatus which is appropriately configured and arranged.
[00234]
[00235] Referring now to FIG. 5, a block diagram illustrating relevant portions of a computer system 501 will be discussed and described. A computer system 501 may include one or more controllers 503, a processor 505, an network interface 509 for communication such as with a network 507, a memory 511, a display 515 (optional), and/or a user input device such as a keyboard 517. Alternatively, or in addition to the keyboard 517, a user input device may comprise one or more of various known input devices, such as a pointing device, a keypad, a computer mouse, a touchpad, a touch screen, a trackball, and/or a keyboard. The display 515 is representative of a display that may present information to the user by way of a conventional liquid crystal display (LCD) or other visual display, and/or by way of a conventional audible device (e.g., a speaker) for playing out audible messages. Portions of the computer system 501 are well understood to those of skill in this area and have been omitted to avoid obscuring the discussion.
[00236] The processor 505 may comprise one or more microprocessors and/or one or more digital signal processors. The memory 511 may be coupled to the processor 505 and may comprise a read-only memory (ROM), a random-access memory (RAM), a programmable ROM (PROM), and/or an electrically erasable read-only memory (EEPROM). The memory 511 may include multiple memory locations for storing, among other things, an operating system, data and variables 533 for programs executed by the processor 505; such programs can include one or more of the following: to cluster 535 files in the ecosystem into superclusters based on identical file contents; determine 537 which files have contents which are similar yet incrementally changed, and merge their superclusters, to capture incremental changes over time to the same file in one supercluster; for each supercluster 539: break down into package clusters which cluster together files from the same package, determine which of the package clusters has the most change frequency across versions (as the authoritative package); resolve 541 authoritative name for files based on authoritative packages across superclusters, and generate the authoritative name; resolve 543 any authoritative name collision; use 545 a hash of file contents to determine files with identical contents; use 549 an AST of file contents to determine files with similar contents; move 551 a minified file into a cluster of the non-minified equivalent; and a database 553 for other information and/or instructions used by the processor 505. The computer programs may be stored, for example, in ROM or PROM and may direct the processor 505 in controlling the operation of the computer system 1001. Each of these functions is considered in more detail herein, to the extent that it is not detailed elsewhere in this document.
[00237] Responsive to manual signaling from the user input device represented by the keyboard 517, in accordance with instructions stored in memory 511, and/or automatically upon receipt of certain information via the network interface 509, the processor 505 may direct the execution of the stored programs.
[00238] The computer system 501 can access one or more ecosystems, here represented by ecosystem E 567 on which is stored one or more files, probably stored in connection with packages, here represented by package P and package Q 569, 571. Although the files are illustrated as accessed over the network interface 509, the files 569, 571 may be remotely and/or locally accessible from the computer system 501, over a wired and/or wireless connection. The illustrated architectural environment for this runs into the cloud, represented by network 507. The files and packages 569, 571 do not need to be limited to a database or a software repository 567. The software repositories conventionally have well formatted descriptions of contents, and the computer system 501 herein can be adapted to software repositories in the cloud. Note that the computer system 501 can be distributed over multiple computers. Techniques are known for accessing files and packages and information regarding the packages and versions, which may be located in a software repository 567; packages also are commonly known to include package identifying information.
[00239] Much of the details of the programs have been discussed above, and the following is provided to expand understanding without necessarily repeating what is discussed above, and to possibly explore variations.
[00240] The processor 505 may be programmed to cluster 535 files in the ecosystem into superclusters based on identical file contents; determine which files have contents which are similar yet incrementally changed, and merge their superclusters, which is intended to capture incremental changes over time to the same file in one supercluster. The ecosystem can be preliminarily identified as being one or more of the following, by way of example: those ecosystems which the computer system is aware of, and/or those ecosystems which have been identified to the computer system, a pre-identified subset of one or more of the foregoing, and variations thereof. Note that the determination about whether the files are identical is based on file contents, possibly using conventional techniques. A simple method to determine which files have identical contents is to create hashes of file contents; files having identical hashes have identical contents. Any minor change to file contents, even a change which has no semantic significance (such as a comment), will result in a different hash. A simple method to determine which files have semantically identical contents uses AST, for which various techniques are available. Also, techniques are known for comparing AST trees to determine whether source code is identical (for example, by omitting semantically insignificant characters from an AST) or similar (for example, by defining how much of the AST trees should be identical). The intention is to capture the idea that differences between a file which is released in a first version and a second version of that same file (in a package) are due to incremental changes, and furthermore that such files (in a package) which have been incrementally changed should be grouped together to determine whether the package in which the file was found is released as frequently as the file is released. In addition, techniques may be used to normalize file contents prior to preparing a hash or AST. Techniques will be known to those of skill in the art for determining whether file contents are semantically identical or semantically similar. In this instance, it is desirable for the computer system to retain identifying information regarding where the file is located in the ecosystem 567, for example, a package 569, 571 where the file was located. Thus, the system can include an indication of a source within the ecosystem for each of the files in the
supercluster; the indication of the source within the ecosystem can be used later to retrieve additional information from the authoritative package (based on the indication of the source within the ecosystem of the file) regarding the authoritative file. Information regarding the superclusters, the files which are clustered together into superclusters, and the information used to determine whether the files are identical/similar (e.g., file hash and file AST), package clusters, and so on, can be stored, e.g., temporarily, e.g., in storage 553. As further discussed herein, note that some superclusters may be merged together (sometimes also referred to as being aggregated) for further processing, such as when the analysis determines that files in
superclusters belong in the same supercluster. Note that there may be a very large amount of data which is processed, and accordingly, distributed processing across multiple processors 505 and/or storage in the cloud may be contemplated by some implementations.
[00241] The processor 505 may be programmed to perform the following, for each
supercluster 539 determined to be identical or incrementally changed: break down into package clusters which cluster together files from the same package, determine which of the package clusters has the most change frequency across versions (as the authoritative package). This has been discussed in detail elsewhere. The intention is to determine all of the packages (each, a package cluster) in which the file has been released; and to determine how many versions of the file exist within each of the packages. The breakdown can be based on the indication of source within the ecosystem of each file, or other identification of a package to which each file belongs. Then, the frequency of changing the version of the file vs. the frequency of changing the version of the package is determined. Ideally, in the authoritative package, a file's version changes with every version of the package. As discussed elsewhere, the analysis can be adapted to determine whether a file which is non-identical (and thus appears be a different version), is actually no more than adding comments, or inserting initials, to a semantically identical file, for example. In this sense, a "version" refers not to a canonical version of a file, but version which is a variation of the file and which might (or might not) have been a canonical version as released.
[00242] The processor 505 may be programmed to resolve 541 the authoritative name for files based on authoritative packages across superclusters, and generate the authoritative name. This has been discussed in detail above.
[00243] The processor 505 may be programmed to resolve 543 any authoritative name collision. This also is discussed in detail above
[00244] The processor 505 may be programmed to use 545 a hash of file contents to determine files with identical contents. Various techniques are known to prepare a hash of file contents. A comparison of such hashes of file contents may be made to determine whether files have identical contents.
[00245] The processor 505 may be programmed to use 549 an AST of file contents to determine files with similar contents. Techniques are conventionally available to prepare an AST of file contents. Techniques are known to determine whether AST trees of file contents are identical, and/or whether AST trees of file contents are sufficiently similar (for example, given a pre-determined threshold). Techniques are known to normalize file contents (for example, to remove comments, white content, and the like) prior to or subsequent to preparing an AST tree of file contents.
[00246] The processor 505 may be programmed to move 551 a minified file into a cluster of the non-minified equivalent file. Any conventional technique may be used to identify a minified file and the non-minified equivalent, for example, association in a download package, or starting with a non-minified equivalent from which a minified file is prepared according to conventional techniques. A minified file and its non-minified equivalent file are intended to be treated as if they are the same version, and thus may be included in the same supercluster and package cluster.
[00247] The memory 511 also can include other miscellaneous information in a misc.
database 1057, along with the usual temporary storage and other instructions for other programs not considered herein.
[00248] The computer system 501 can accommodate one or more disk drives or removable storage (not illustrated). Typically, these might be one or more of the following: a flash memory, a floppy disk drive, a hard disk drive, a CD ROM, a digital video disk, an optical disk, and/or a removable storage device such as a USB memory stick, variations and evolutions thereof. The number and type of drives and removable storage may vary, typically with different computer configurations. Disk drives may be options, and for space considerations, may be omitted from the computer system used in conjunction with the processes described herein. The computer may also include a CD ROM reader and CD recorder, which can be interconnected by a bus along with other peripheral devices supported by the bus structure and protocol (not illustrated). The bus can serves as the main information highway interconnecting other components of the computer, and can be connected via an interface to the computer. A disk controller (not illustrated) can interface disk drives to the system bus. These may be internal or external. In some embodiments, the computer system 501 can access a virtualized infrastructure commonly referred to as a "cloud" or "cloud storage." The processor 505, memory 511, a disk drive, removable storage medium, and/or cloud storage are referred to as "computer-readable storage media" and provide non-transitory storage of computer programs and data.
[00249] It should be understood that FIG. 5 is described in connection with logical groupings of functions or resources. One or more of these logical groupings may be omitted from one or more embodiments. For example, an embodiment may omit the resolution of authoritative name collision, or an embodiment may use a method other than hashing to determine identical file contents, or an embodiment may use a method other than AST to determine similar file contents, and so on. Likewise, functions may be grouped differently, combined, or augmented without parting from the scope. Similarly the present description may describe various databases or collections of data and information. One or more groupings of the data or information may be omitted, distributed, combined, or augmented, or provided locally and/or remotely and/or in a virtualized infrastructure commonly referred to as a "cloud" without departing from the scope.
[00250] FIG. 6 to FIG. 8 collectively are a flow chart illustrating a procedure to provide an authoritative name analysis. The procedure can conveniently be implemented on a computer system, such as illustrated in FIG. 5, or other computer system appropriately arranged.
[00251] The procedure for authoritative name analysis 601 will determine 603, for all files in the ecosystem(s), which of the files have identical file contents, and will cluster identical files into superclusters. It is anticipated that the contents of such files are components, for example, including source code. Accordingly, the procedure 601 has prepared superclusters so that the files in each supercluster of the plurality of superclusters have identical contents.
[00252] The procedure 601 will get 605 get the first supercluster or the next supercluster. For this supercluster 607, the procedure will determine 609 which of the other superclusters have files which, in comparison to the file in the present supercluster, have file contents which is incrementally changed; and if one of the other superclusters has files with files contetns that is incrementally changed in comparison to the files in the present supercluster, both the present supercluster and the one of the other superclusters will be merged, so that there is one supercluster which includes the identical files and the files which were incrementally changed. The procedure repeats 611 until all of the superclusters have been handled. There may be fewer superclusters after performing this step 609. Accordingly, the procedure 601 has prepared superclusters so that the files in each supercluster of the plurality of superclusters have identical and incrementally changed filed contents. Consequently, the procedure has determined, of the files in the ecosystem which are clustered into the plurality of superclusters, which of the files have similar contents to each other, and merged the files which have similar contents to each other into the same supercluster, to capture possibly incremental changes to the files over time in one of the superclusters which has the files with identical contents and similar contents.
[00253] FIG. 6 then proceeds 613 to FIG. 7 at 701.
[00254] Then the procedure 601 will break each supercluster down into package clusters, and determine which of the package clusters has the most change frequency across versions, as the authoritative package. In more detail, the procedure 601 gets 703 the first (or next) supercluster. For this supercluster 705, the following are performed. The procedure breaks 707 the supercluster down by packages, where files were released in a package. Accordingly, each supercluster is broken down into package clusters, based on packages to which the files belong, each of the package clusters has the files from a same package. Then, the procedure determines 709 the frequency of change for each of the package clusters, and identifies the package with the highest change frequency which the procedure considers to be the authoritative package of this superclusters. Frequency of change is described herein elsewhere in more detail. This supercluster now has an authoritative name and version for its file. This is repeated 713 so long as there is another supercluster to handle. Accordingly, for each of the superclusters, the procedure has determined which of the package clusters has the most change frequency across versions as the authoritative package.
[00255] FIG. 7 then proceeds 715 to FIG. 8 at 801.
[00256] Then the procedure 601 will get 803 the first (or next) supercluster. For this supercluster 805, the procedure 601 will determine 807 whether there is any authoritative name collision, for example, where a version of a file was so substantial than it was not included in a same supercluster with other versions of the same file, and will collapse 809 authoritative name collisions to merge ancillary files inside a package back together under the same authoritative name. The procedure 601 will handle all of the superclusters 811 in the same way. At the end of this sequence, there may be fewer superclusters than at the beginning of this sequence, due to authoritative name collisions. Consequently, the procedure 601 has resolve an authoritative name for the files, based on the authoritative packages that are determined, across the plurality of superclusters which have files with identical and similar contents, and generated the authoritative name; and has resolved any authoritative name collisions.
[00257] In operation of such an authoritative name analysis, the authoritative name and authoritative package of the file have been determined with much greater accuracy than conventional systems. That is, the original name of a file which appears in different packages is correctly identified, in combination with the original package which originated that component. Accordingly, visibility and understanding of packages and the software components has been greatly improved, despite the possibility that the ecosystem has numerous files which are essentially the same but with minor variations in content and/or name, and despite the likelihood that many of these components might have originated elsewhere, possibly not even in the ecosystem. Use of such correct information in post-identified processing will be appreciated, such as assigning license information and/or metadata information to all members of the same package cluster.
[00258] VI. Glossary
[00259] Terms as used herein are intended to be interpreted first, as understood to one of skill in the art at a first level, of software repositories; and if not interpretable at the first level, than at a second level as understood by one skilled in the science of tools that support and manage software development; and if not interpretable at the first level and second level, then at a third level as understood to one of skill in the art of computer science; and then if not interpretable according to the first, second and third levels, according to a general dictionary.
[00260] The claims may use the following terms (with or without capitalization), which are defined to have the following meanings for the purpose of the claims herein. Other definitions may be specified in this document.
[00261] The designation "File Hash Cluster" (sometimes referred to as FHC), when used in a claim, is defined as a collection of plural files where the contents of all of the files, as determined from hashes of the contents of the files, are identical. Techniques are available for creating a hash, including a hash of contents of a file. [00262] The designation "Abstract Syntax Tree" (sometimes referred to as AST) is defined as a representation of the abstract syntactic structure of source code written in a programming language, wherein the nodes of the tree each denote a construct occurring in the source code. Techniques are available for creating an abstract syntax tree from source code.
[00263] The designation "Package Cluster" is defined herein as a collection of files, all of which are from the same file hash cluster (and therefore have identical contents), and file hash clusters which have files which are determined to be incrementally different from those in the same file hash cluster, in which the collection of files in the package cluster all have the same package name.
[00264] The designation "package" as used herein is defined as a container (which is a file or a folder) that bundles together components intended for use by a particular application, and/or to assist in installing and/or de-installing, and/or running the particular application, and/or which are used by the particular software application and/or which are used in a build of the particular software application; the package also includes manifest data which identify the package and which uniquely identify the constituent files that enable the package to function. By way of explanation and not definition, the package may contain, as a non-limiting example, one or more of the following: content needed to reference an external library, source code, binaries, executable files, classes, interfaces, scripts, documentation, components used during installation, components used for running the particular application itself, other packages, components and/or related items. The manifest metadata in a package generally indicates the following or similar: the software's name, description of its purpose, version number, vendor, integrity information such as a checksum, and an enumerated list of dependencies on other components necessary for the software to run properly. Package managers which consume packages include, by way of example, NuGet, Node Package Manager, PyPi, RubyGems, PHP Composer, Android, Alpine Linux, Windows 8 and later, Windows Phone, Debian and its derivatives, Gentoo Linux, ORB Launcher, Pardus, OSDX, iOX, PlaysStation 3, Solaris, SunOS, UNIX System V, Symbian, BeOS, Apple Netwon, Puppy Linux, Red Hat Enterprise Linux, Fedora and its derivatives, Ubuntu, Slitaz, Tiny Core Linux, Ach Linux's Pacman, Slackware, and evolutions and extensions thereof. Formats of packages have internal structures and file name extensions consistent with one or more package formats defined by, for example, APK, APPX,
APPXBundle, Deb, ebuild, ORB, PISI, PKG, PUP, PET, RPM, SNAP, TAZPKG, TCZ, Tar archives, and evolutions and extensions thereof.
[00265] The designation "Package Version Cluster" is defined herein as a collection of files, all of which are from the same package, in which the collection of files all have the same version number.
[00266] The designation "Authoritative Package" as used herein is defined as the package, in a package version cluster, that has the most change across versions.
[00267] The designation "Authoritative Name" as used herein refers to the name and version that represents the project responsible for the package creation and maintenance of the authoritative package.
[00268] The designation "Collision Resolution" refers to an algorithmic choice to determine direction when two items resolve to the same thing due to similar data.
[00269] The designation "minifi cation" or "minifying" refers to a process of removing unnecessary characters from source code without changing the functionality of the source code; the unnecessary characters may include, by way of example, one or more of white space characters, new line characters, comments, and/or block delimiters, and similar characters, all of which are not required for the code to execute, but which typically are intended to add readability to the code.
[00270] The designation "minified" refers to code which resulted from minification of source code.
[00271] By way of explanation and not definition, an AST of minified source code typically is different from an AST of the same source code which is not minified.
[00272] The designation "normalized AST" or "normalized Abstract Syntax Tree" refers to an AST in which the name and/or structure variants within the source code have been removed or replaced to allow comparison of functionally equivalent source code. Techniques are known to create a normalized AST, which can be created from code which has been normalized, and/or by normalizing the AST itself.
[00273] The term "byte code" as used herein is defined to mean an intermediate operational code which was generated by translating an input programming language, and then the byte code can be interpreted at the time the byte code is executed by the virtual machine which has its own instruction set independent of the native machine code for the hardware on which the virtual machine executes. Examples of computer languages which use "byte code" include, without limitation, Java, .NET, Scala, jython, groovy, and Pascal
[00274] The term "component" used herein is defined to be a specific version (which may be a canonical version) of pre-existing software, or a reusable pre-existing self-contained software code building block which is not a complete stand-alone finished product ready for use, which is source code, software or run-time executable code; a component can comprise one or more nested components within the component itself; a component can be the subject of a risk such as a license or a target of a security vulnerability.
[00275] By way of explanation and not as a definition, a component which is part of a standalone product can be understood to be a self-contained bit of code which a developer does not wish to write himself/herself as part of the stand-alone product, and so the developer uses a previously existing component for which the functionality likely was previously vetted as a part of another stand-alone product. As a non-limiting example of components which are nested, a Java web application packaged as a WAR component might contain various JAR components and JavaScript libraries, each of which is a component themselves.
[00276] The term "computer system" or "computer" used herein denotes a device sometimes referred to as a computer, laptop, personal computer, tablet computer, handheld computer, smart phone, personal digital assistant, notebook computer, personal assignment pad, server, client, mainframe computer, minicomputer, or evolutions and equivalents thereof.
[00277] "Open source" software is defined herein to be source code that allows distribution as source code as well as compiled form and/or binary form, with a well-publicized and indexed means of obtaining the source, optionally with a license that allows modifications and derived works.
[00278] The term "repository" or "software repository" used herein are defined to mean an electronic storage system that stores components (sometimes referred to as an "artifact") and dependencies for later retrieval, to which artifacts are published in accordance with procedures which are well known to those in the field, so that artifacts made by one software developer are published to be available for further use by other software developers, to be incorporated as building blocks to build software products which can be executed; a repository can include a computer server by which the stored electronic copies of artifacts are made available for use by software developers to be incorporated as building blocks to build software products which can be executed; the repository typically has a unique identifier that indicates the software developer (an individual or a group) that contributed the artifact.
[00279] By way of explanation and not definition, a repository can be remote or local; some embodiments of a repository might be stored in a virtualized infrastructure commonly referred to as a "cloud." Examples of conventional software repositories include, by way of example but without limitation: the Central Repository (also known as Maven Central), the NuGet Gallery, RubyGems.org, npmjs.org, and many others. Repositories tend to rely on pre-defined formats and tools, for example, the Maven repository format, REST API interactions, different directory structures with format specific files for metadata, and the like. Software repositories are accessed by tools, including by way of example but without limitation: build tools such as Maven, Gradle, rake, grunt, and others; package managers such as npm, nugget, gem, and others; Integrated Development Environments such as Eclipse, IntelliJ, and many others.
[00280] The term "software build" used herein specifically is defined to mean a process as pre-defined in an executable build program of converting a plurality of components (some or all of which may be obtained from a repository) and combining the results into an executable standalone computer program or a software component for use in a further software build, including at least compiling components and linking compiled components and possibly binary components (which can be from the repository), in a pre-determined order as defined in the build program. [00281] The term "compiler" is used herein specifically to mean a computer program(s) that transforms source code written in a programming language into a target language that is readable by a computer, often in the form of binary code or bytecode, so as to create an executable program.
[00282] The phrase "automatically without manual intervention," when used in a claim, is defined to mean that the particular step occurs after the step is initiated until limitations recited in the step are finished without requiring a user to provide input to a processor.
[00283] VII. Implementation and Technical Notes
[00284] The above discussion has assumed that the reader has a sufficient technical background for appreciating the points made. This section provides some supplementary implementation and/or technical notes which discuss some technical information that may be relevant.
[00285] The instant disclosure is provided to further explain in an enabling fashion the best modes of performing one or more embodiments. The disclosure is further offered to enhance an understanding and appreciation for the inventive principles and advantages thereof, rather than to limit in any manner the invention. The invention is defined solely by the appended claims including any amendments made during the pendency of this application and all equivalents of those claims as issued.
[00286] It is further understood that the use of relational terms such as first and second, and the like, if any, are used solely to distinguish one from another entity, item, or action without necessarily requiring or implying any actual such relationship or order between such entities, items or actions. It is noted that some embodiments may include a plurality of processes or steps, which can be performed in any order, unless expressly and necessarily limited to a particular order; i.e., processes or steps that are not so limited may be performed in any order.
[00287] Much of the inventive functionality and many of the inventive principles when implemented, are best supported with or in software or integrated circuits (ICs), such as a digital signal processor and software therefore, and/or application specific ICs. It is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions or ICs with minimal experimentation. Therefore, in the interest of brevity and minimization of any risk of obscuring principles and concepts, further discussion of such software and ICs, if any, will be limited to the essentials with respect to the principles and concepts used by the exemplary embodiments.
[00288] The various embodiments which demonstrate a method and/or system for providing an authoritative name analysis have been discussed in detail above. It should be further noted that the above-described processes can be stored as instructions in computer-readable storage medium. When the instructions are executed by a computer, for example after being loaded from a computer-readable storage medium, the process(es) are performed. The detailed descriptions, which appear herein, may be presented in terms of program procedures executed on a computer or a network of computers. These procedural descriptions and representations herein are the means used by those skilled in the art to most effectively convey the substance of their work to others skilled in the art.
[00289] Further, an embodiment has been discussed in certain examples as if it is used by a single developer or administrator at a single site. An embodiment may be used by numerous developers, administrators and/or related users, if preferred, at one or more sites.
[00290] A procedure is generally conceived to be a self-consistent sequence of steps leading to a desired result. These steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored on non-transitory computer-readable media, transferred, combined, compared and otherwise manipulated. It proves convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. It should be noted, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. [00291] Further, the manipulations performed are often referred to in terms such as adding, determining, or comparing, which are commonly associated with mental operations performed by a human operator. While the discussion herein may contemplate the use of an operator, a human operator is not necessary, or desirable in most cases, to perform the actual functions described herein; the operations are machine operations.
[00292] Various computers or computer systems may be programmed with programs written in accordance with the teachings herein, or it may prove more convenient to construct a more specialized apparatus to perform the required method steps. The required structure for a variety of these machines will be apparent from the description given herein.
[00293] A computer-readable storage medium is tangible and non-transitory; a computer- readable storage medium can be any of the memory or storage devices, such as those examples described above, or other removable or fixed storage medium, provided such computer-readable storage medium is tangible and non-transitory.
[00294] Furthermore, any communication network implicated in an embodiment can include, by way of example but not limitation, data and/or packet communications networks, which can provide wireless communications capability and/or utilize wireline connections such as cable and/or a connector, or similar. Any appropriate communication protocol may be used.
[00295] The computer and/or system embodied in connection herewith may (or may not) rely on the integration of various elements including, as appropriate and/or if desired, by way of example but not limitation, hardware and software servers, applications software, database engines, server area networks, conventional firewall and SSL security, production back-up systems, and/or applications interface software. An embodiment may be, by way of example but not by way of limitation, network-based and may (or may not) utilize a network such as the Internet or other network as an exemplary interface with the user for any information delivery.
[00296] One or more databases implicated by the above discussion may be, by way of example but not limitation, in a relational database format, but other standard data formats may also be used. Optionally, the various databases may include a known conversion system capable of receiving data in various standard formats. [00297] One or more displays for the system may be developed in connection with, by way of example but not limitation, HTML display format, using XML. Although HTML, and XML, may be a preferred display format, it is possible to utilize alternative display formats for interacting with a user and obtaining user instructions.
[00298] This disclosure is intended to explain how to fashion and use various embodiments in accordance with the invention rather than to limit the true, intended, and fair scope and spirit thereof. The invention is defined solely by the appended claims, as they may be amended during the pendency of this application for patent, and all equivalents thereof. The foregoing description is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications or variations are possible in light of the above teachings. The embodiment(s) was chosen and described to provide the best illustration of the principles of the invention and its practical application, and to enable one of ordinary skill in the art to utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. All such modifications and variations are within the scope of the invention as determined by the appended claims, as may be amended during the pendency of this application for patent, and all equivalents thereof, when interpreted in accordance with the breadth to which they are fairly, legally, and equitably entitled.

Claims

CLAIMS What is claimed is:
1. A method for providing an authoritative name source for files within an ecosystem, comprising the following performed by at least one processor:
clustering the files in the ecosystem into a plurality of superclusters, in which the files in each supercluster of the plurality of superclusters have identical contents; then
determining, of the files in the ecosystem which are clustered into the plurality of superclusters, which of the files have similar contents to each other, and merging the files which have similar contents to each other into the same supercluster, to capture possibly incremental changes to the files over time in one of the superclusters which has the files with identical contents and similar contents;
for each supercluster which has the files with identical and similar contents:
breaking the each supercluster down into package clusters, based on packages to which the files belong, each of the package clusters has the files from a same package; and determining which of the package clusters has most change frequency across versions, as the authoritative package; then
resolving an authoritative name for the files, based on the authoritative packages that are determined, across the plurality of superclusters which have files with identical and similar contents, and generating the authoritative name; and
resolving any authoritative name collision.
2. The method of claim 1, wherein
a hash of file contents of each of the plurality of files is used to determine which of the files have identical contents,
the clustering of the files in the superclusters with identical contents is determined based on the hashes of file contents,
for the each supercluster, the each supercluster includes an indication of a source within the ecosystem for each file of the files,
the breaking down into the package clusters is based on the indication of the source of the each file.
3. The method of claim 1, wherein
an abstract syntax tree of file contents of each of the plurality of files is used to determine whether contents of files are similar,
the determining of files with similar contents into the same supercluster is based on the abstract syntax tree of file contents,
for the each supercluster, the each supercluster includes an indication of a source within the ecosystem for each file of the files.
4. The method of claim 1, wherein breaking each supercluster down into package clusters includes
generating package names and versions for members of the supercluster, aggregating package clusters on package name and counting unique changes to the package cluster, and
determining, for each package cluster, the most change frequency among the package clusters.
5. The method of claim 1, wherein
the authoritative name is resolved by
merging authoritative package outliers into groups which are merged into package cluster based on file name,
the resolved authoritative name and source are identified.
6. The method of claim 1, further comprising
determining whether the authoritative name source is correct based on ecosystem in which authoritative name source originated.
7. The method of claim 1, wherein the ecosystem, in which the files are located which are clustered, includes at least one software repository in which the files are located.
8. A non-transitory computer readable medium comprising instructions for execution by a computer, the instructions including a computer-implemented method for providing an authoritative name source for files within an ecosystem, the instructions for implementing: clustering the files in the ecosystem into a plurality of superclusters, in which the files in each supercluster of the plurality of superclusters have identical contents; then
determining, of the files in the ecosystem which are clustered into the plurality of superclusters, which of the files have similar contents to each other, and merging the files which have similar contents to each other into the same supercluster, to capture possibly incremental changes to the files over time in one of the superclusters which has the files with identical contents and similar contents;
for each supercluster which has the files with identical and similar contents:
breaking the each supercluster down into package clusters, based on packages to which the files belong, each of the package clusters has the files from a same package; and determining which of the package clusters has most change frequency across versions, as the authoritative package; then
resolving an authoritative name for the files, based on the authoritative packages that are determined, across the plurality of superclusters which have files with identical and similar contents, and generating the authoritative name; and
resolving any authoritative name collision.
9. The non-transitory computer-readable medium of claim 8, further comprising instructions for implementing:
a hash of file contents of each of the plurality of files is used to determine which of the files have identical contents,
the clustering of the files in the superclusters with identical contents is determined based on the hashes of file contents,
for the each supercluster, the each supercluster includes an indication of a source within the ecosystem for each file of the files,
the breaking down into the package clusters is based on the indication of the source of the each file.
10. The non-transitory computer-readable medium of claim 8, wherein
an abstract syntax tree of file contents of each of the plurality of files is used to determine whether contents of files are similar,
the determining of files with similar contents into the same supercluster is based on the abstract syntax tree of file contents,
for the each supercluster, the each supercluster includes an indication of a source within the ecosystem for each file of the files.
11. The non-transitory computer-readable medium of claim 8, wherein breaking each supercluster down into package clusters includes instructions for implementing:
generating package names and versions for members of the supercluster,
aggregating package clusters on package name and counting unique changes to the package cluster, and determining, for each package cluster, the most change frequency among the package clusters.
12. The non-transitory computer-readable medium of claim 8, wherein
the authoritative name is resolved by instructions for implementing:
merging authoritative package outliers into groups which are merged into package cluster based on file name,
identifying the resolved authoritative name and source.
13. The non-transitory computer-readable medium of claim 8, further comprising further comprising instructions for implementing:
determining whether the authoritative name source is correct based on ecosystem in which authoritative name source originated.
14. The non-transitory computer-readable medium of claim 8, wherein the ecosystem, in which the files are located which are clustered, includes at least one software repository in which the files are located.
15. A computer system that provides an authoritative name source for files within an ecosystem, comprising:
at least one processor, the at least one processor is configured to: identify the ecosystem;
cluster the files in the ecosystem into a plurality of superclusters, in which the files in each supercluster of the plurality of superclusters have identical contents; then
determine, of the files in the ecosystem which are clustered into the plurality of superclusters, which of the files have similar contents to each other, and merge the files which have similar contents to each other into the same supercluster, to capture possibly incremental changes to the files over time in one of the superclusters which has the files with identical contents and similar contents;
for each supercluster which has the files with identical and similar contents: break the each supercluster down into package clusters, based on packages to which the files belong, each of the package clusters has the files from a same package; and determine which of the package clusters has most change frequency across versions, as the authoritative package; then
resolve an authoritative name for the files, based on the authoritative packages that are determined, across the plurality of superclusters which have files with identical and similar contents, and generate the authoritative name; and
resolve any authoritative name collision.
16. The computer system of claim 15, wherein
a hash of file contents of each of the plurality of files is used to determine which of the files have identical contents, the clustering of the files in the superclusters with identical contents is determined based on the hashes of file contents,
for the each supercluster, the each supercluster includes an indication of a source within the ecosystem for each file of the files,
the processor is further configured to
break down the each supercluster into the package clusters based on the indication of the source of the each file.
17. The computer system of claim 15, wherein
an abstract syntax tree of file contents of each of the plurality of files is used to determine whether contents of files are similar,
the determining of files with similar contents into the same supercluster is based on the abstract syntax tree of file contents,
for the each supercluster, the each supercluster includes an indication of a source within the ecosystem for each file of the files.
18. The computer system of claim 15, wherein the processor is further configured to break down the each supercluster into the package clusters, to:
generate package names and versions for members of the supercluster,
aggregate package clusters on package name and counting unique changes to the package cluster, and determine, for each package cluster, the most change frequency among the package clusters.
19. The computer system of claim 15, wherein the processor is further configured to resolve the authoritative name, to:
merge authoritative package outliers into groups which are merged into package cluster based on file name,
identify the resolved authoritative name and source.
20. The computer system of claim 15, wherein the processor is further configured to determine whether the authoritative name source is correct based on ecosystem in which authoritative name source originated.
PCT/US2017/043006 2016-08-16 2017-07-20 Method and system for authoritative name analysis WO2018034785A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CA3028785A CA3028785C (en) 2016-08-16 2017-07-20 Method and system for authoritative name analysis of origin of a file
EP17841817.4A EP3469497A4 (en) 2016-08-16 2017-07-20 Method and system for authoritative name analysis

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/238,008 2016-08-16
US15/238,008 US9971594B2 (en) 2016-08-16 2016-08-16 Method and system for authoritative name analysis of true origin of a file

Publications (1)

Publication Number Publication Date
WO2018034785A1 true WO2018034785A1 (en) 2018-02-22

Family

ID=61191700

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2017/043006 WO2018034785A1 (en) 2016-08-16 2017-07-20 Method and system for authoritative name analysis

Country Status (4)

Country Link
US (1) US9971594B2 (en)
EP (1) EP3469497A4 (en)
CA (1) CA3028785C (en)
WO (1) WO2018034785A1 (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10540176B2 (en) 2015-11-25 2020-01-21 Sonatype, Inc. Method and system for controlling software risks for software development
US10055198B1 (en) * 2017-06-13 2018-08-21 Sap Se Systems and methods for probably approximate intent matching of procurement rules
US11397707B2 (en) 2017-10-30 2022-07-26 AtomBeam Technologies Inc. System and method for computer data type identification
US11023426B1 (en) * 2017-11-02 2021-06-01 Comodo Security Solutions, Inc. Method and system for detection of open source web application version
US10776331B2 (en) * 2017-11-27 2020-09-15 Red Hat, Inc. Normalizing compound artifact dependency data
CN110308908B (en) * 2018-03-20 2023-07-18 北京小米移动软件有限公司 Method and device for generating configuration file of application and displaying application page and storage medium
US10613846B2 (en) * 2018-04-13 2020-04-07 International Business Machines Corporation Binary restoration in a container orchestration system
CN109284125A (en) * 2018-08-14 2019-01-29 中国平安人寿保险股份有限公司 Dependence packet configuration method, device, equipment and medium in big data platform
US10891217B2 (en) * 2018-12-10 2021-01-12 Sap Se Optimizing test coverage based on actual use
CN109683954A (en) * 2018-12-29 2019-04-26 北京小米移动软件有限公司 The library lib integrated approach, device and storage medium
US11886390B2 (en) * 2019-04-30 2024-01-30 JFrog Ltd. Data file partition and replication
US11386233B2 (en) 2019-04-30 2022-07-12 JFrog, Ltd. Data bundle generation and deployment
US10972289B2 (en) 2019-07-19 2021-04-06 JFrog, Ltd. Software release verification
KR20210042752A (en) * 2019-10-10 2021-04-20 삼성전자주식회사 Computing system performing image backup and image backup method
CN111294397A (en) * 2020-01-21 2020-06-16 北京乐学帮网络技术有限公司 npm packet management method, device, electronic equipment and storage medium
US11080044B1 (en) 2020-08-03 2021-08-03 HCL America, Inc. System, method, and GUI client for publishing node package manager (NPM) packages on NPM repository
US11860680B2 (en) 2020-11-24 2024-01-02 JFrog Ltd. Software pipeline and release validation
CN112631607B (en) * 2020-12-31 2023-09-26 东北大学 Method for detecting dependency conflict in python environment
CN113312056B (en) * 2021-06-16 2022-04-19 浪潮云信息技术股份公司 Internationalization implementation method of angular large-scale integration project, electronic device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020055942A1 (en) * 2000-10-26 2002-05-09 Reynolds Mark L. Creating, verifying, managing, and using original digital files
US7386531B2 (en) * 2002-12-19 2008-06-10 Mathon Systems, Inc. System and method for managing content
US20110296396A1 (en) * 2010-05-28 2011-12-01 Aleksandar Dragomirov Kurtakov Mechanism for Dynamically Generating Spec Files for Software Package Managers
US20140222758A1 (en) * 2009-08-14 2014-08-07 Ic Manage, Inc. Coherent File State Maintained Among Confederated Repositories By Distributed Workspace Apparatuses Backed Up By a File State Ledgerdemain Store

Family Cites Families (179)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5615400A (en) 1993-06-30 1997-03-25 Apple Computer, Inc. System for object oriented dynamic linking based upon a catalog of registered function set or class identifiers
US6460036B1 (en) * 1994-11-29 2002-10-01 Pinpoint Incorporated System and method for providing customized electronic newspapers and target advertisements
US5758257A (en) * 1994-11-29 1998-05-26 Herz; Frederick System and method for scheduling broadcast of and access to video programs and other data using customer profiles
US6275976B1 (en) * 1996-03-15 2001-08-14 Joseph M. Scandura Automated method for building and maintaining software including methods for verifying that systems are internally consistent and correct relative to their specifications
US5748884A (en) 1996-06-13 1998-05-05 Mci Corporation Autonotification system for notifying recipients of detected events in a network environment
US6167535A (en) 1997-12-09 2000-12-26 Sun Microsystems, Inc. Object heap analysis techniques for discovering memory leaks and other run-time information
US6282698B1 (en) 1998-02-09 2001-08-28 Lucent Technologies Inc. Detecting similarities in Java sources from bytecodes
US6931544B1 (en) 1998-12-18 2005-08-16 The Sco Group, Inc. Method and apparatus for executing multiple JAVA(™) applications on a single JAVA(™) virtual machine
US6754883B2 (en) * 1999-08-24 2004-06-22 Ge Medical Systems Information Technologies, Inc. Modular analysis and standardization system
US6701440B1 (en) 2000-01-06 2004-03-02 Networks Associates Technology, Inc. Method and system for protecting a computer using a remote e-mail scanning device
US6725214B2 (en) 2000-01-14 2004-04-20 Dotnsf Apparatus and method to support management of uniform resource locators and/or contents of database servers
US6963975B1 (en) 2000-08-11 2005-11-08 Microsoft Corporation System and method for audio fingerprinting
US20040039921A1 (en) 2000-10-17 2004-02-26 Shyne-Song Chuang Method and system for detecting rogue software
US7657872B2 (en) 2000-10-23 2010-02-02 Nintendo Of America Inc. Product testing and bug tracking system
EP1202168A3 (en) 2000-10-30 2006-08-23 Microsoft Corporation System and method for dynamically veryfying the compatibility of a user interface resource
EP1207454A1 (en) 2000-11-15 2002-05-22 International Business Machines Corporation Java run-time system with modified linking identifiers
US7234131B1 (en) 2001-02-21 2007-06-19 Raytheon Company Peer review evaluation tool
US7149734B2 (en) 2001-07-06 2006-12-12 Logic Library, Inc. Managing reusable software assets
US7080355B2 (en) 2001-07-06 2006-07-18 Logiclibrary, Inc. Targeted asset capture, identification, and management
WO2003058375A2 (en) * 2001-10-26 2003-07-17 Zeosoft Corporation Development, management of distributed clients and servers
US7483970B2 (en) 2001-12-12 2009-01-27 Symantec Corporation Method and apparatus for managing components in an IT system
US8412813B2 (en) 2002-03-18 2013-04-02 Logiclibrary, Inc. Customizable asset governance for a distributed reusable software library
US20070118899A1 (en) 2002-05-17 2007-05-24 Satyam Computer Services Limited Of Mayfair Centre System and method for automated safe reprogramming of software radios
US20040010786A1 (en) 2002-07-11 2004-01-15 Microsoft Corporation System and method for automatically upgrading a software application
US7240325B2 (en) 2002-09-11 2007-07-03 International Business Machines Corporation Methods and apparatus for topology discovery and representation of distributed applications and services
CA2421825C (en) * 2002-09-20 2012-07-10 Mks Inc. Version control system for software development
US7159206B1 (en) 2002-11-26 2007-01-02 Unisys Corporation Automated process execution for project management
US7519630B2 (en) 2002-12-16 2009-04-14 Dell Products L.P. Method and system for automated testing of versioned information handling system applications
US7320129B2 (en) 2003-05-14 2008-01-15 Hewlett-Packard Development Company, L.P. Native language verification system and method
US20040243968A1 (en) 2003-05-27 2004-12-02 Sun Microsystems, Inc. System and method for software methodology evaluation and selection
US20060037000A1 (en) 2003-10-10 2006-02-16 Speeter Thomas H Configuration management data model using blueprints
US7448070B2 (en) 2003-10-17 2008-11-04 Microsoft Corporation Network fingerprinting
GB0326626D0 (en) 2003-11-14 2003-12-17 Filewave International Holding A method in a network of the delivery of files
US9489687B2 (en) 2003-12-04 2016-11-08 Black Duck Software, Inc. Methods and systems for managing software development
US7333985B2 (en) * 2003-12-15 2008-02-19 Microsoft Corporation Dynamic content clustering
US7277904B2 (en) 2003-12-18 2007-10-02 International Business Machines Corporation Method and system for managing intellectual property aspects of software code
US7340719B1 (en) 2003-12-24 2008-03-04 Sun Microsystems, Inc. Methods and apparatus to preserve software modifications
US20050204340A1 (en) 2004-03-10 2005-09-15 Ruminer Michael D. Attribute-based automated business rule identifier and methods of implementing same
US7788641B2 (en) 2004-03-17 2010-08-31 International Business Machines Corporation System and method for identifying concerns
GB0406663D0 (en) 2004-03-24 2004-04-28 Cavendish Kinetics Ltd Information management and tracking system (IMTS)
EP1771785A2 (en) 2004-07-21 2007-04-11 Softricity, Inc. System and method for extraction and creation of application meta-information within a software application repository
US8631386B2 (en) 2004-08-25 2014-01-14 Mohit Doshi System and method for automating the development of web services
JP2008533544A (en) 2004-09-20 2008-08-21 コダーズ,インコーポレイテッド Method and system for operating a source code search engine
US7373554B2 (en) 2004-09-24 2008-05-13 Oracle International Corporation Techniques for automatic software error diagnostics and correction
US20060083119A1 (en) 2004-10-20 2006-04-20 Hayes Thomas J Scalable system and method for predicting hit music preferences for an individual
JP2006134214A (en) 2004-11-09 2006-05-25 Hitachi Ltd File version management method and computing system
US20060150153A1 (en) 2004-12-04 2006-07-06 Micah Altman Digital object verification method
GB0428487D0 (en) 2004-12-30 2005-02-02 Ibm Method and apparatus for managing recommendations in a group resource environment
US7426571B2 (en) * 2005-01-06 2008-09-16 Dell Products L.P. Providing files to an information handling system using a remote access controller
US7716636B2 (en) 2005-01-10 2010-05-11 Microsoft Corporation User interface for accessing and loading software components of a development set on a computer while other software components of the set are loading
US7343386B2 (en) 2005-01-31 2008-03-11 International Business Machines Corporation Techniques supporting collaborative product development
US7653893B2 (en) 2005-03-04 2010-01-26 Microsoft Corporation Methods and apparatus for implementing checkin policies in source code control systems
US7788632B2 (en) 2005-06-02 2010-08-31 United States Postal Service Methods and systems for evaluating the compliance of software to a quality benchmark
US7814078B1 (en) * 2005-06-20 2010-10-12 Hewlett-Packard Development Company, L.P. Identification of files with similar content
US9129038B2 (en) 2005-07-05 2015-09-08 Andrew Begel Discovering and exploiting relationships in software repositories
US7555573B2 (en) 2005-08-05 2009-06-30 Microsoft Corporation Initiating software responses based on a hardware action
US7895572B2 (en) 2005-08-15 2011-02-22 Sap Aktiengesellschaft Systems and methods for enterprise software management
US20070050232A1 (en) 2005-08-26 2007-03-01 Hung-Yang Chang Method and system for enterprise monitoring based on a component business model
JP5105802B2 (en) 2005-09-07 2012-12-26 株式会社リコー Information processing device
US7644403B2 (en) 2005-09-12 2010-01-05 Oracle International Corporation Method and system for automated root-cause analysis for class loading failures in java
US20070074187A1 (en) 2005-09-29 2007-03-29 O'brien Thomas E Method and apparatus for inserting code fixes into applications at runtime
US7735068B2 (en) 2005-12-01 2010-06-08 Infosys Technologies Ltd. Automated relationship traceability between software design artifacts
US8903810B2 (en) 2005-12-05 2014-12-02 Collarity, Inc. Techniques for ranking search results
US7716649B2 (en) 2005-12-15 2010-05-11 International Business Machines Corporation Activity-based software traceability management method and apparatus
US8359571B2 (en) 2005-12-19 2013-01-22 International Business Machines Corporation Computer method and apparatus for activity-based version selection in a configuration management system
US8370794B2 (en) * 2005-12-30 2013-02-05 Sap Ag Software model process component
US9038023B2 (en) * 2005-12-30 2015-05-19 Sap Se Template-based configuration architecture
US8316344B2 (en) * 2005-12-30 2012-11-20 Sap Ag Software model deployment units
US8745583B2 (en) 2006-03-31 2014-06-03 Sap Ag Method and system for managing development components
EP2011015B1 (en) 2006-04-21 2018-10-03 Cirba IP Inc. Method and system for determining compatibility of computer systems
US8069182B2 (en) 2006-04-24 2011-11-29 Working Research, Inc. Relevancy-based domain classification
US7971179B2 (en) 2006-05-23 2011-06-28 Microsoft Corporation Providing artifact lifespan and relationship representation
US20080028371A1 (en) 2006-07-26 2008-01-31 William Brothers Method and system for using application development data to instantiate support information
US20080028378A1 (en) 2006-07-27 2008-01-31 Microsoft Corporation Utilizing prior usage data for software build optimization
US7962499B2 (en) 2006-08-18 2011-06-14 Falconstor, Inc. System and method for identifying and mitigating redundancies in stored data
US7917890B2 (en) 2006-08-31 2011-03-29 Jon Barcellona Enterprise-scale application development framework utilizing code generation
US9047164B2 (en) 2006-09-12 2015-06-02 Opshub, Inc. Calculating defect density by file and source module
US8037453B1 (en) 2006-09-13 2011-10-11 Urbancode, Inc. System and method for continuous software configuration, test and build management
US8479159B2 (en) 2006-10-20 2013-07-02 International Business Machines Corporation System and method for automatically determining relationships between software artifacts using multiple evidence sources
GB0621300D0 (en) 2006-10-26 2006-12-06 Ibm Configuring a software product
US8938732B2 (en) 2006-11-06 2015-01-20 International Business Machines Corporation Dynamically generating installable software artifacts in a canonical form
US7707162B2 (en) 2007-01-08 2010-04-27 International Business Machines Corporation Method and apparatus for classifying multimedia artifacts using ontology selection and semantic classification
US8561024B2 (en) 2007-01-23 2013-10-15 International Business Machines Corporation Developing software components and capability testing procedures for testing coded software component
US8065675B2 (en) 2007-03-21 2011-11-22 Yahoo! Inc. In-page installer
US8327318B2 (en) 2007-04-13 2012-12-04 International Business Machines Corporation Software factory health monitoring
US7958494B2 (en) 2007-04-13 2011-06-07 International Business Machines Corporation Rapid on-boarding of a software factory
US8359566B2 (en) 2007-04-13 2013-01-22 International Business Machines Corporation Software factory
US20080270374A1 (en) 2007-04-25 2008-10-30 Chengkai Li Method and system for combining ranking and clustering in a database management system
US20080281904A1 (en) 2007-05-11 2008-11-13 Va Software Corporation Associating service listings with open source projects
IL183391A (en) 2007-05-24 2011-06-30 Peretz Shoval Ontology-content-based filtering method for personalized newspapers
US8341595B2 (en) 2007-05-30 2012-12-25 Roam Data Inc System and method for developing rich internet applications for remote computing devices
US8006223B2 (en) 2007-06-13 2011-08-23 International Business Machines Corporation Method and system for estimating project plans for packaged software applications
US9298417B1 (en) * 2007-07-25 2016-03-29 Emc Corporation Systems and methods for facilitating management of data
US8464228B2 (en) 2007-08-23 2013-06-11 Accenture Global Services Limited Binary library
US8539437B2 (en) 2007-08-30 2013-09-17 International Business Machines Corporation Security process model for tasks within a software factory
US8161470B2 (en) 2007-08-31 2012-04-17 International Business Machines Corporation Systems, methods, and computer products for automated injection of java bytecode instructions for java load time optimization via runtime checking with upcasts
US8060855B2 (en) 2007-10-09 2011-11-15 Microsoft Corporation Artifact sharing from a development environment
US8280755B2 (en) 2007-10-30 2012-10-02 Sap Ag Context-specific modeling of collaborative business process
US8495100B2 (en) 2007-11-15 2013-07-23 International Business Machines Corporation Semantic version control system for source code
US8336028B2 (en) 2007-11-26 2012-12-18 International Business Machines Corporation Evaluating software sustainability based on organizational information
US8627287B2 (en) 2007-11-29 2014-01-07 Microsoft Corporation Prioritizing quality improvements to source code
US8005788B2 (en) 2008-01-28 2011-08-23 International Business Machines Corporation System and method for legacy system component incremental migration
US20090193210A1 (en) 2008-01-29 2009-07-30 Hewett Jeffrey R System for Automatic Legal Discovery Management and Data Collection
US7506312B1 (en) 2008-01-31 2009-03-17 International Business Machines Corporation Method and system for automatically determining risk areas to retest
US8539050B2 (en) 2008-04-28 2013-09-17 Applied Olap, Inc. Method for distributing update modules for computer software over a network
TWI476610B (en) * 2008-04-29 2015-03-11 Maxiscale Inc Peer-to-peer redundant file server system and methods
US7930596B2 (en) 2008-05-29 2011-04-19 International Business Machines Corporation Managing execution stability of an application carried out using a plurality of pluggable processing components
US8495568B2 (en) 2008-06-10 2013-07-23 International Business Machines Corporation System and method of identifying and tracking software pattern software recipes
US8117589B2 (en) 2008-06-26 2012-02-14 Microsoft Corporation Metadata driven API development
US8452629B2 (en) 2008-07-15 2013-05-28 International Business Machines Corporation Work packet enabled active project schedule maintenance
US20100023920A1 (en) 2008-07-22 2010-01-28 International Business Machines Corporation Intelligent job artifact set analyzer, optimizer and re-constructor
US8140367B2 (en) 2008-07-22 2012-03-20 International Business Machines Corporation Open marketplace for distributed service arbitrage with integrated risk management
US8375370B2 (en) 2008-07-23 2013-02-12 International Business Machines Corporation Application/service event root cause traceability causal and impact analyzer
US9477570B2 (en) 2008-08-26 2016-10-25 Red Hat, Inc. Monitoring software provisioning
US8370796B2 (en) 2008-08-26 2013-02-05 International Business Machines Corporation Development tooling enablement for audit event generation
US8381184B2 (en) 2008-09-02 2013-02-19 International Business Machines Corporation Dynamic test coverage
US8499284B2 (en) 2008-09-11 2013-07-30 Microsoft Corporation Visualizing relationships among components using grouping information
US8271974B2 (en) * 2008-10-08 2012-09-18 Kaavo Inc. Cloud computing lifecycle management for N-tier applications
US8156120B2 (en) 2008-10-22 2012-04-10 James Brady Information retrieval using user-generated metadata
US9235572B2 (en) 2008-10-31 2016-01-12 Disney Enterprises, Inc. System and method for updating digital media content
US8949788B2 (en) 2008-12-17 2015-02-03 Red Hat, Inc. Building and packaging software
US8225281B1 (en) 2009-02-04 2012-07-17 Sprint Communications Company L.P. Automated baseline deployment system
WO2010116676A1 (en) 2009-03-30 2010-10-14 日本電気株式会社 Service providing apparatus, service providing system, service providing apparatus data processing method and computer program
US8484625B2 (en) 2009-04-01 2013-07-09 Motorola Mobility Llc Method and apparatus to vet an executable program using a model
US20120110039A1 (en) 2009-05-08 2012-05-03 Invizion Pty Ltd System and Method for Storage and Retrieval of Electronic Documents
US8296251B1 (en) 2009-06-12 2012-10-23 Symantec Corporation Method and apparatus for generating collective intelligence to automate resource recommendations for improving a computer
US8438544B2 (en) 2009-06-18 2013-05-07 International Business Machines Corporation Open systems developer portal and managing software development projects
US8484617B2 (en) 2009-06-25 2013-07-09 International Business Machines Corporation Process-driven feedback of digital asset re-use
US8752001B2 (en) 2009-07-08 2014-06-10 Infosys Limited System and method for developing a rule-based named entity extraction
US9146735B2 (en) 2009-07-23 2015-09-29 International Business Machines Corporation Associating workflows with code sections in a document control system
US8229984B2 (en) 2009-07-24 2012-07-24 Ensequence, Inc. Method for application authoring employing a pre-certified multi-platform master application template
US8386482B2 (en) 2009-09-02 2013-02-26 Xurmo Technologies Private Limited Method for personalizing information retrieval in a communication network
JP5428668B2 (en) 2009-09-07 2014-02-26 株式会社リコー License management server, license management method and program
US8341175B2 (en) 2009-09-16 2012-12-25 Microsoft Corporation Automatically finding contextually related items of a task
US8359285B1 (en) 2009-09-18 2013-01-22 Amazon Technologies, Inc. Generating item recommendations
US20110119289A1 (en) 2009-11-17 2011-05-19 Research In Motion Limited Automatic detection and application of assistive technology features
KR101316681B1 (en) 2009-12-08 2013-10-10 한국전자통신연구원 Model-based customized eco system and method for design of the eco system
US20110161938A1 (en) 2009-12-30 2011-06-30 International Business Machines Corporation Including defect content in source code and producing quality reports from the same
US9934018B2 (en) 2010-03-21 2018-04-03 International Buisness Machines Corporation Artifact deployment
US8694533B2 (en) 2010-05-19 2014-04-08 Google Inc. Presenting mobile content based on programming context
WO2011146750A2 (en) 2010-05-19 2011-11-24 Google Inc. Bug clearing house
US9417865B2 (en) 2010-05-28 2016-08-16 Red Hat, Inc. Determining when to update a package manager software
US8438541B2 (en) 2010-06-15 2013-05-07 International Business Machines Corporation Software change management extension for uniformly handling artifacts with relaxed contraints
US8719784B2 (en) 2010-09-06 2014-05-06 International Business Machines Corporation Assigning runtime artifacts to software components
US9792429B2 (en) 2010-10-06 2017-10-17 Red Hat, Inc. Detection of malicious software packages
US8645905B2 (en) 2010-11-15 2014-02-04 Sap Ag Development artifact searching in an integrated development environment
US8661426B2 (en) 2010-12-31 2014-02-25 International Business Machines Corporation Method frame aggregation for latest user-defined class loader identification
US8683430B2 (en) 2011-01-07 2014-03-25 International Business Machines Corporation Synchronizing development code and deployed executable versioning within distributed systems
US8712947B2 (en) 2011-01-27 2014-04-29 International Business Machines Corporation Collaborative system for capture and reuse of software application knowledge and a method of realizing same
US8762944B2 (en) 2011-03-23 2014-06-24 International Business Machines Corporation Build process management system
US8438532B2 (en) 2011-04-19 2013-05-07 Sonatype, Inc. Method and system for scoring a software artifact for a user
JP5629239B2 (en) 2011-05-23 2014-11-19 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation Apparatus and method for testing operation of software
US8612936B2 (en) 2011-06-02 2013-12-17 Sonatype, Inc. System and method for recommending software artifacts
US8914784B2 (en) 2011-06-10 2014-12-16 International Business Machines Corporation Method and system for checking the consistency of application jar files
US8627280B2 (en) 2011-06-20 2014-01-07 Microsoft Corporation Multi-tenant collaborative review service
US8856724B2 (en) 2011-06-20 2014-10-07 Ebay Inc. Systems and methods for incremental software development
US8745572B2 (en) 2011-06-22 2014-06-03 Microsoft Corporation Software development automated analytics
US8683433B2 (en) 2011-06-22 2014-03-25 Business Objects Software Limited Adaptive change management in computer system landscapes
US9595009B2 (en) 2011-06-29 2017-03-14 International Business Machines Corporation Code reviewer selection in a distributed software development environment
US8826222B2 (en) 2011-08-02 2014-09-02 International Business Machines Corporation Pre-merge conflict avoidance
US8881103B2 (en) 2011-08-15 2014-11-04 International Business Machines Corporation Comparing component weights between builds
US8863082B2 (en) * 2011-09-07 2014-10-14 Microsoft Corporation Transformational context-aware data source management
US8473894B2 (en) 2011-09-13 2013-06-25 Sonatype, Inc. Method and system for monitoring metadata related to software artifacts
US8627270B2 (en) 2011-09-13 2014-01-07 Sonatype, Inc. Method and system for monitoring a software artifact
US9141378B2 (en) 2011-09-15 2015-09-22 Sonatype, Inc. Method and system for evaluating a software artifact based on issue tracking and source control information
US8978124B2 (en) 2011-10-17 2015-03-10 Raytheon Company Service oriented secure collaborative system for compartmented networks
US8656343B2 (en) 2012-02-09 2014-02-18 Sonatype, Inc. System and method of providing real-time updates related to in-use artifacts in a software development environment
US8978137B2 (en) 2012-02-29 2015-03-10 Cisco Technology, Inc. Method and apparatus for retroactively detecting malicious or otherwise undesirable software
US8881104B2 (en) * 2012-04-09 2014-11-04 Accenture Global Services Limited Component discovery from source code
US8825689B2 (en) 2012-05-21 2014-09-02 Sonatype, Inc. Method and system for matching unknown software component to known software component
US9141408B2 (en) 2012-07-20 2015-09-22 Sonatype, Inc. Method and system for correcting portion of software application
US9529821B2 (en) * 2012-09-28 2016-12-27 International Business Machines Corporation Coordinated access to a clustered file system's shared storage using shared-lock architecture
US9135263B2 (en) 2013-01-18 2015-09-15 Sonatype, Inc. Method and system that routes requests for electronic files
US9354865B2 (en) 2013-02-18 2016-05-31 Software Ag System and method for controlling the development of a software application
US9224103B1 (en) 2013-03-13 2015-12-29 Google Inc. Automatic annotation for training and evaluation of semantic analysis engines
US8973134B2 (en) 2013-05-14 2015-03-03 International Business Machines Corporation Software vulnerability notification via icon decorations
US9100424B1 (en) 2014-07-10 2015-08-04 Real Innovations International Llc System and method for secure real-time cloud services
US9767002B2 (en) 2015-02-25 2017-09-19 Red Hat Israel, Ltd. Verification of product release requirements
US9697092B2 (en) * 2015-08-27 2017-07-04 International Business Machines Corporation File-based cluster-to-cluster replication recovery

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020055942A1 (en) * 2000-10-26 2002-05-09 Reynolds Mark L. Creating, verifying, managing, and using original digital files
US7386531B2 (en) * 2002-12-19 2008-06-10 Mathon Systems, Inc. System and method for managing content
US20140222758A1 (en) * 2009-08-14 2014-08-07 Ic Manage, Inc. Coherent File State Maintained Among Confederated Repositories By Distributed Workspace Apparatuses Backed Up By a File State Ledgerdemain Store
US20110296396A1 (en) * 2010-05-28 2011-12-01 Aleksandar Dragomirov Kurtakov Mechanism for Dynamically Generating Spec Files for Software Package Managers

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3469497A4 *

Also Published As

Publication number Publication date
EP3469497A1 (en) 2019-04-17
EP3469497A4 (en) 2019-07-17
CA3028785C (en) 2019-12-31
US9971594B2 (en) 2018-05-15
CA3028785A1 (en) 2018-02-22
US20180052682A1 (en) 2018-02-22

Similar Documents

Publication Publication Date Title
CA3028785C (en) Method and system for authoritative name analysis of origin of a file
US10740093B2 (en) Advanced packaging techniques for improving work flows
US20200167143A1 (en) Systems and methods for automated retrofitting of customized code objects
US11327744B2 (en) Equivalency of revisions on modern version control systems
US9892122B2 (en) Method and apparatus for determining a range of files to be migrated
WO2015195418A1 (en) Software package management
US10241759B2 (en) Detecting open source components built into mobile applications
US20230168888A1 (en) Code analysis method and system, and computing device
Mathur et al. An empirical study of license violations in open source projects
Li et al. Juxtapp and dstruct: Detection of similarity among android applications
CN110990051B (en) Maintenance method, device, medium and equipment for software package dependency relationship
EP3855334B1 (en) Management system, acquisition device and management method
Rinnone et al. NetMatchStar: an enhanced Cytoscape network querying app
JP2015527686A (en) Efficient virtual machine deployment method
CN110659063A (en) Software project reconstruction method and device, computer device and storage medium
CN103646055A (en) Method and device for obtaining program configuration information
Jansen et al. Searchseco: A worldwide index of the open source software ecosystem
Tsuru et al. Type-2 code clone detection for Dockerfiles
US8938424B2 (en) System and method of assessing the state of a database product for installation consistency
Whitehouse et al. FOX et al.
Wurmus et al. Reproducible genomics analysis pipelines with GNU Guix
CN111651531A (en) Data import method, device, equipment and computer storage medium
Fraternali et al. Almost rerere: An approach for automating conflict resolution from similar resolved conflicts
US11256602B2 (en) Source code file retrieval
Berglund Gradle Beyond the Basics: Customizing Next-Generation Builds

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17841817

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 3028785

Country of ref document: CA

ENP Entry into the national phase

Ref document number: 2017841817

Country of ref document: EP

Effective date: 20190114

NENP Non-entry into the national phase

Ref country code: DE