Canonicalization for Unreproducible Builds in Java
- URL: http://arxiv.org/abs/2504.21679v1
- Date: Wed, 30 Apr 2025 14:17:54 GMT
- Title: Canonicalization for Unreproducible Builds in Java
- Authors: Aman Sharma, Benoit Baudry, Martin Monperrus
- Abstract summary: We introduce a conceptual framework for reproducible builds, analyze a large dataset from Reproducible Central, and develop a novel taxonomy of six root causes of unreproducibility. We present Chains-Rebuild, a tool that raises success from 9.48% to 26.89% on 12,283 unreproducible artifacts.
- Score: 11.367562045401554
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The increasing complexity of software supply chains and the rise of supply chain attacks have elevated concerns around software integrity. Users and stakeholders face significant challenges in validating that a given software artifact corresponds to its declared source. Reproducible Builds address this challenge by ensuring that independently performed builds from identical source code produce identical binaries. However, achieving reproducibility at scale remains difficult, especially in Java, due to a range of non-deterministic factors and caveats in the build process. In this work, we focus on reproducibility in Java-based software, archetypal of enterprise applications. We introduce a conceptual framework for reproducible builds, we analyze a large dataset from Reproducible Central, and we develop a novel taxonomy of six root causes of unreproducibility. We study actionable mitigations: artifact and bytecode canonicalization using OSS-Rebuild and jNorm respectively. Finally, we present Chains-Rebuild, a tool that raises reproducibility success from 9.48% to 26.89% on 12,283 unreproducible artifacts. To sum up, our contributions are the first large-scale taxonomy of build unreproducibility causes in Java, a publicly available dataset of unreproducible builds, and Chains-Rebuild, a canonicalization tool for mitigating unreproducible builds in Java.
Related papers
- Build Code Needs Maintenance Too: A Study on Refactoring and Technical Debt in Build Systems [2.189169499230464]
In modern software engineering, build systems play the crucial role of facilitating the conversion of source code into software artifacts. Recent research has explored high-level causes of build failures, but has largely overlooked the structural properties of build files.
arXiv Detail & Related papers (2025-04-02T17:07:38Z)
- Does Functional Package Management Enable Reproducible Builds at Scale? Yes [4.492444446637857]
Reproducible Builds (R-B) guarantee that rebuilding a software package from source leads to bitwise identical artifacts. We perform the first large-scale study of bitwise in the context of the Nix functional package manager. We obtain very high bitwise rates, between 69 and 91% with an upward trend, and even higher rebuildability rates, over 99%.
arXiv Detail & Related papers (2025-01-27T10:11:27Z)
- CodeTree: Agent-guided Tree Search for Code Generation with Large Language Models [106.11371409170818]
Large language models (LLMs) can act as agents with capabilities to self-refine and improve generated code autonomously.
We propose CodeTree, a framework for LLM agents to efficiently explore the search space in different stages of the code generation process.
Specifically, we adopted a unified tree structure to explicitly explore different coding strategies, generate corresponding coding solutions, and subsequently refine the solutions.
arXiv Detail & Related papers (2024-11-07T00:09:54Z)
- Levels of Binary Equivalence for the Comparison of Binaries from Alternative Builds [1.1405827621489222]
Build platform variability can strengthen security as it facilitates the detection of compromised build environments. The availability of multiple binaries built from the same sources creates new challenges and opportunities. To answer such questions requires a notion of equivalence between binaries.
arXiv Detail & Related papers (2024-10-11T00:16:26Z)
- Codev-Bench: How Do LLMs Understand Developer-Centric Code Completion? [60.84912551069379]
We present the Code-Development Benchmark (Codev-Bench), a fine-grained, real-world, repository-level, and developer-centric evaluation framework.
Codev-Agent is an agent-based system that automates repository crawling, constructs execution environments, extracts dynamic calling chains from existing unit tests, and generates new test samples to avoid data leakage.
arXiv Detail & Related papers (2024-10-02T09:11:10Z)
- Local Software Buildability across Java Versions (Registered Report) [0.0]
We will try to automatically build every project in containers with Java versions 6 to 23 installed.
Success or failure will be determined by exit codes, and standard output and error streams will be saved.
arXiv Detail & Related papers (2024-08-21T11:51:00Z)
- CodeRAG-Bench: Can Retrieval Augment Code Generation? [78.37076502395699]
We conduct a systematic, large-scale analysis of code generation using retrieval-augmented generation. We first curate a comprehensive evaluation benchmark, CodeRAG-Bench, encompassing three categories of code generation tasks. We examine top-performing models on CodeRAG-Bench by providing contexts retrieved from one or multiple sources.
arXiv Detail & Related papers (2024-06-20T16:59:52Z)
- JailbreakBench: An Open Robustness Benchmark for Jailbreaking Large Language Models [123.66104233291065]
Jailbreak attacks cause large language models (LLMs) to generate harmful, unethical, or otherwise objectionable content.
Evaluating these attacks presents a number of challenges, which the current collection of benchmarks and evaluation techniques do not adequately address.
JailbreakBench is an open-sourced benchmark with the following components.
arXiv Detail & Related papers (2024-03-28T02:44:02Z)
- On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)
- Do code refactorings influence the merge effort? [80.1936417993664]
Multiple contributors frequently change the source code in parallel to implement new features, fix bugs, existing code, and make other changes.
These simultaneous changes need to be merged into the same version of the source code.
Studies show that 10 to 20 percent of all merge attempts result in conflicts, which require manual developer intervention to complete the process.
arXiv Detail & Related papers (2023-05-10T13:24:59Z)
- Automatic Specialization of Third-Party Java Dependencies [3.7973152331947815]
Large-scale code reuse significantly reduces both development costs and time.
Massive share of third-party code in software projects poses new challenges, especially in terms of maintenance and security.
We propose a novel technique to specialize dependencies of Java projects, based on their actual usage.
arXiv Detail & Related papers (2023-02-16T15:37:49Z)