Patch2QL: Discover Cognate Defects in Open Source Software Supply Chain With Auto-generated Static Analysis Rules. (arXiv:2401.12443v2 [cs.CR] UPDATED)
cs.CR updates on arXiv.org arxiv.org
In the open source software (OSS) ecosystem there is a complex software supply chain in which upstream and downstream developers widely borrow and reuse code. The result is widespread recurring defects, missing fixes, and propagated bugs, collectively referred to here as cognate defects; their scale and the threat they pose have not yet received extensive attention or systematic study. Software composition analysis and code clone detection methods cannot cover the many variant forms these issues take in a supply chain setting, …
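To make the cognate-defect idea concrete, here is a small added example (written for this page, not the paper's Patch2QL tool, and not the rule language that tool targets). It derives a matching rule from a security fix in unified-diff form and scans other code for copies that still have the pre-fix shape. The patch, the file names and the two "downstream" sources are constructed for the example; the one real design point it demonstrates is why plain clone matching is not enough: a downstream copy that renamed identifiers (`offset` for `off`) is missed by verbatim matching but found once identifiers are normalized, and a downstream copy that did pick up the fix is correctly not reported.

```python
"""Toy cognate-defect finder: rule-from-patch plus identifier-normalized scan.
Added example; not the Patch2QL implementation."""
import re
from dataclasses import dataclass
from typing import List

# Constructed security fix in unified-diff form (hypothetical file, not from
# any real project): the fix adds a bounds check before an array index.
UPSTREAM_PATCH = """\
--- a/pkt.c
+++ b/pkt.c
@@ -10,6 +10,8 @@ int parse_pkt(const uint8_t *buf, size_t len)
 {
     size_t off = read_u16(buf);
+    if (off >= len)
+        return -1;
     return buf[off];
 }
"""

# Constructed downstream copies: one renamed identifiers but never picked up
# the fix (a cognate defect); the other did apply the fix.
DOWNSTREAM_UNPATCHED = """\
int parse_frame(const uint8_t *data, size_t n)
{
    size_t offset = read_u16(data);
    return data[offset];
}
"""

DOWNSTREAM_PATCHED = """\
int parse_frame(const uint8_t *data, size_t n)
{
    size_t offset = read_u16(data);
    if (offset >= n)
        return -1;
    return data[offset];
}
"""

KEYWORDS = {"if", "else", "return", "while", "for", "sizeof", "goto", "break"}


def normalize(line: str) -> str:
    """Collapse whitespace and replace every non-keyword identifier with ID,
    so a renamed variant (`offset` vs `off`) still matches the pattern."""
    s = re.sub(r"\s+", " ", line.strip())
    return re.sub(r"\b[A-Za-z_]\w*\b",
                  lambda m: m.group(0) if m.group(0) in KEYWORDS else "ID", s)


@dataclass
class Rule:
    vuln_raw: List[str]   # pre-fix lines exactly as they appear in the patch
    vuln_pat: List[str]   # the same lines normalized (the vulnerable "shape")
    fix_pat: List[str]    # normalized lines the fix introduced


def rule_from_patch(patch: str) -> Rule:
    """Derive a rule from the hunk: context and removed lines describe the
    vulnerable code, added lines describe the fix. Brace-only lines carry no
    information and are dropped."""
    raw, vuln, fix, in_hunk = [], [], [], False
    for line in patch.splitlines():
        if line.startswith("@@"):
            in_hunk = True
            continue
        if not in_hunk or not line:
            continue
        tag, body = line[0], line[1:]
        norm = normalize(body)
        if not re.search(r"[A-Za-z]", norm):
            continue
        if tag == "+":
            fix.append(norm)
        elif tag in (" ", "-"):
            raw.append(body.strip())
            vuln.append(norm)
    return Rule(raw, vuln, fix)


def exact_clone_hits(rule: Rule, source: str) -> List[int]:
    """Plain clone check: pre-fix lines must appear verbatim and adjacent.
    Returns 1-based line numbers; misses renamed variants."""
    src = [l.strip() for l in source.splitlines()]
    k = len(rule.vuln_raw)
    return [i + 1 for i in range(len(src) - k + 1) if src[i:i + k] == rule.vuln_raw]


def cognate_hits(rule: Rule, source: str, slack: int = 2) -> List[int]:
    """1-based line numbers where the vulnerable shape appears in order (at
    most `slack` unrelated lines between pattern lines) and none of the fix
    lines sit in between, i.e. an unpatched cognate copy."""
    lines = [normalize(l) for l in source.splitlines()]
    hits = []
    for start, first in enumerate(lines):
        if first != rule.vuln_pat[0]:
            continue
        pos, matched, fix_seen = start, True, False
        for want in rule.vuln_pat[1:]:
            nxt = None
            for j in range(pos + 1, min(len(lines), pos + 2 + slack)):
                if lines[j] == want:
                    nxt = j
                    break
                fix_seen |= lines[j] in rule.fix_pat
            if nxt is None:
                matched = False
                break
            pos = nxt
        if matched and not fix_seen:
            hits.append(start + 1)
    return hits


if __name__ == "__main__":
    rule = rule_from_patch(UPSTREAM_PATCH)
    print("vulnerable shape:", rule.vuln_pat, "fix:", rule.fix_pat)
    print("exact clone, renamed copy:", exact_clone_hits(rule, DOWNSTREAM_UNPATCHED))
    print("cognate, renamed copy:", cognate_hits(rule, DOWNSTREAM_UNPATCHED))
    print("cognate, patched copy:", cognate_hits(rule, DOWNSTREAM_PATCHED))
```

The identifier-to-`ID` normalization is deliberately crude: it tolerates renames but not reordered statements or a fix that was applied in a different place, which is where a real rule generator working on a semantic representation of the code earns its keep. The `slack` window is what keeps the fixed copy from being flagged: the inserted check lines are recognised as the fix rather than as unrelated noise.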