PyRadar: Towards Automatically Retrieving and Validating Source Code Repository Information for PyPI Packages

Document detail
ID

oai:arXiv.org:2404.16565

Topic
Computer Science - Software Engine...
Author
Gao, Kai Xu, Weiwei Yang, Wenhao Zhou, Minghui
Category

Computer Science

Year

2024

listing date

5/1/2024

Keywords
retrieve packages package tools existing releases retriever source code information
Metrics

Abstract

A package's source code repository records the development history of the package, providing indispensable information for the use and risk monitoring of the package.

However, a package release often misses its source code repository due to the separation of the package's development platform from its distribution platform.

Existing tools retrieve the release's repository information from its metadata, which suffers from two limitations: the metadata may not contain or contain wrong information.

Our analysis shows that existing tools can only retrieve repository information for up to 70.5% of PyPI releases.

To address the limitations, this paper proposes PyRadar, a novel framework that utilizes the metadata and source distribution to retrieve and validate the repository information for PyPI releases.

We start with an empirical study to compare four existing tools on 4,227,425 PyPI releases and analyze phantom files (files appearing in the release's distribution but not in the release's repository) in 14,375 correct package-repository links and 2,064 incorrect links.

Based on the findings, we design PyRadar with three components, i.e., Metadata-based Retriever, Source Code Repository Validator, and Source Code-based Retriever.

In particular, the Metadata-based Retriever combines best practices of existing tools and successfully retrieves repository information from the metadata for 72.1% of PyPI releases.

The Source Code Repository Validator applies common machine learning algorithms on six crafted features and achieves an AUC of up to 0.995.

The Source Code-based Retriever queries World of Code with the SHA-1 hashes of all Python files in the release's source distribution and retrieves repository information for 90.2% of packages in our dataset with an accuracy of 0.970.

Both practitioners and researchers can employ the PyRadar to better use PyPI packages.

;Comment: This paper has been accepted at FSE 2024

Gao, Kai,Xu, Weiwei,Yang, Wenhao,Zhou, Minghui, 2024, PyRadar: Towards Automatically Retrieving and Validating Source Code Repository Information for PyPI Packages

Document

Open

Share

Source

arXiv

Articles recommended by ES/IODE AI

Computer Science
Recall Them All: Retrieval-Augmented Language Models for Long Object List Extraction from Long Documents
 language recall
BMJ Neurology Open
Monash-Alfred protocol for assessment of atypical parkinsonian syndromes (MAP-APS)
 clinical aps
Biology
An Updated Overview of Existing Cancer Databases and Identified Needs
 advancements insights assess review lipidomics glycomics proteomics databases research cancer