Refine ScanCode.io d2d pipeline for JavaScript using symbol mapping (#1622)

* Add d2d step to map javascript using symbols

- Map source and deployed javascript files based on Jensen–Shannon divergence

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

* Use simple set operation for symbol mapping

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

* Use JSD for precise JavaScript symbol matching

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

* Add test for javascript symbol matching

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

* Update test fixture

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

* Add the missing unit tests

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

* Fix docstring

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

---------

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

Author: keshav-space

scanpipe/filters.py

@@ -483,6 +483,7 @@ def filter(self, qs, value):
     ("about_file", "about file"),
     ("java_to_class", "java to class"),
     ("jar_to_source", "jar to source"),
+    ("javascript_symbols", "js symbols"),
     ("js_compiled", "js compiled"),
     ("js_colocation", "js colocation"),
     ("js_path", "js path"),

scanpipe/pipelines/deploy_to_develop.py

@@ -71,6 +71,7 @@ def steps(cls):
             cls.map_java_to_class,
             cls.map_jar_to_source,
             cls.map_javascript,
+            cls.map_javascript_symbols,
             cls.map_elf,
             cls.map_go,
             cls.map_rust,
@@ -196,6 +197,11 @@ def map_javascript(self):
         """
         d2d.map_javascript(project=self.project, logger=self.log)
 
+    @optional_step("JavaScript")
+    def map_javascript_symbols(self):
+        """Map deployed JavaScript, TypeScript to its sources using symbols."""
+        d2d.map_javascript_symbols(project=self.project, logger=self.log)
+
     @optional_step("Elf")
     def map_elf(self):
         """Map ELF binaries to their sources."""

scanpipe/pipes/d2d.py

@@ -1960,3 +1960,98 @@ def map_rust_paths(project, logger=None):
             map_type="rust_symbols",
             logger=logger,
         )
+
+
+def map_javascript_symbols(project, logger=None):
+    """Map deployed JavaScript, TypeScript to its sources using symbols."""
+    project_files = project.codebaseresources.files()
+
+    javascript_to_resources = (
+        project_files.to_codebase()
+        .has_no_relation()
+        .filter(extension__in=[".ts", ".js"])
+    )
+
+    javascript_from_resources = (
+        project_files.from_codebase()
+        .exclude(path__contains="/test/")
+        .filter(extension__in=[".ts", ".js"])
+    )
+
+    if not (javascript_from_resources.exists() and javascript_to_resources.exists()):
+        return
+
+    symbols.collect_and_store_tree_sitter_symbols_and_strings(
+        project=project,
+        logger=logger,
+        project_files=javascript_from_resources,
+    )
+
+    symbols.collect_and_store_tree_sitter_symbols_and_strings(
+        project=project,
+        logger=logger,
+        project_files=javascript_to_resources,
+    )
+
+    javascript_from_resources_withsymbols = javascript_from_resources.exclude(
+        extra_data={}
+    )
+    javascript_to_resources_withsymbols = javascript_to_resources.exclude(extra_data={})
+
+    javascript_from_resources_count = javascript_from_resources_withsymbols.count()
+    javascript_to_resources_count = javascript_to_resources_withsymbols.count()
+    if logger:
+        logger(
+            f"Mapping {javascript_to_resources_count:,d} JavaScript resources using"
+            f" symbols against {javascript_from_resources_count:,d} from/ codebase."
+        )
+
+    resource_iterator = javascript_to_resources_withsymbols.iterator(chunk_size=2000)
+    progress = LoopProgress(javascript_to_resources_count, logger)
+
+    resource_mapped = 0
+    for to_resource in progress.iter(resource_iterator):
+        resource_mapped += _map_javascript_symbols(
+            to_resource, javascript_from_resources_withsymbols, logger
+        )
+
+    if logger:
+        logger(f"{resource_mapped:,d} resource mapped using symbols")
+
+
+def _map_javascript_symbols(to_resource, javascript_from_resources, logger):
+    """
+    Map a deployed JavaScript resource to its source using symbols and
+    return 1 if match is found otherwise return 0.
+    """
+    to_symbols = to_resource.extra_data.get("source_symbols")
+
+    if not to_symbols or symbolmap.is_decomposed_javascript(to_symbols):
+        return 0
+
+    best_matching_score = 0
+    best_match = None
+    for source_js in javascript_from_resources:
+        from_symbols = source_js.extra_data.get("source_symbols")
+        if not from_symbols:
+            continue
+
+        is_match, similarity = symbolmap.match_javascript_source_symbols_to_deployed(
+            source_symbols=from_symbols,
+            deployed_symbols=to_symbols,
+        )
+
+        if is_match and similarity > best_matching_score:
+            best_matching_score = similarity
+            best_match = source_js
+
+    if best_match:
+        pipes.make_relation(
+            from_resource=best_match,
+            to_resource=to_resource,
+            map_type="javascript_symbols",
+            extra_data={"jsd_similarity_score": similarity},
+        )
+        to_resource.update(status=flag.MAPPED)
+        return 1
+    return 0

scanpipe/pipes/symbolmap.py

@@ -22,6 +22,8 @@
 
 from collections import Counter
 
+from scipy.spatial.distance import jensenshannon
+
 from aboutcode.pipeline import LoopProgress
 from scanpipe.models import CodebaseRelation
 from scanpipe.pipes import flag
@@ -37,6 +39,11 @@
 SMALL_FILE_SYMBOLS_THRESHOLD = 20
 MATCHING_RATIO_RUST_SMALL_FILE = 0.4
 
+MATCHING_RATIO_JAVASCRIPT = 0.7
+SMALL_FILE_SYMBOLS_THRESHOLD_JAVASCRIPT = 30
+MATCHING_RATIO_JAVASCRIPT_SMALL_FILE = 0.5
+JAVASCRIPT_DECOMPOSED_SYMBOLS_THRESHOLD = 0.5
+
 
 def map_resources_with_symbols(
     to_resource, from_resources, binary_symbols, map_type, logger=None
@@ -162,3 +169,69 @@ def match_source_paths_to_binary(
             extra_data=match_stats,
         )
         yield rel_key, relation
+
+
+def is_decomposed_javascript(symbols):
+    """Return whether given set of symbols represents decomposed JavaScript code."""
+    meaningful_symbols = sum(1 for k in symbols if len(k) > 3)
+    ratio = meaningful_symbols / len(symbols) if meaningful_symbols > 0 else 0
+
+    return ratio < JAVASCRIPT_DECOMPOSED_SYMBOLS_THRESHOLD
+
+
+def get_symbols_probability_distribution(symbols, unique_symbols):
+    """Compute probability distribution of symbols based on their frequency."""
+    counter = Counter(symbols)
+    total_count = len(symbols)
+
+    probability_dist = [
+        (counter.get(symbol) / total_count) if symbol in counter else 0
+        for symbol in unique_symbols
+    ]
+
+    return probability_dist
+
+
+def get_similarity_between_source_and_deployed_symbols(
+    source_symbols,
+    deployed_symbols,
+    matching_ratio,
+    matching_ratio_small_file,
+    small_file_threshold,
+):
+    """
+    Compute similarity between source and deployed symbols based on Jensen-Shannon
+    Divergence and return whether they match based on provided threshold.
+    """
+    unique_symbols = set(source_symbols).union(set(deployed_symbols))
+
+    source_probability_dist = get_symbols_probability_distribution(
+        source_symbols, unique_symbols
+    )
+    deployed_probability_dist = get_symbols_probability_distribution(
+        deployed_symbols, unique_symbols
+    )
+
+    divergence = jensenshannon(source_probability_dist, deployed_probability_dist)
+    similarity = 1 - divergence
+
+    matching_threshold = matching_ratio
+    if len(deployed_symbols) <= small_file_threshold:
+        matching_threshold = matching_ratio_small_file
+
+    is_match = similarity >= matching_threshold
+
+    return is_match, similarity
+
+
+def match_javascript_source_symbols_to_deployed(source_symbols, deployed_symbols):
+    """Match source and deployed symbols using Jensen-Shannon Divergence."""
+    is_match, similarity = get_similarity_between_source_and_deployed_symbols(
+        source_symbols=source_symbols,
+        deployed_symbols=deployed_symbols,
+        matching_ratio=MATCHING_RATIO_JAVASCRIPT,
+        matching_ratio_small_file=MATCHING_RATIO_JAVASCRIPT_SMALL_FILE,
+        small_file_threshold=SMALL_FILE_SYMBOLS_THRESHOLD_JAVASCRIPT,
+    )
+
+    return is_match, similarity

scanpipe/pipes/symbols.py

@@ -139,7 +139,7 @@ def collect_and_store_tree_sitter_symbols_and_strings(
     if logger:
         logger(
             f"Getting source symbols and strings from {resources_count:,d}"
-            " from/ resources using tree-sitter."
+            " resources using tree-sitter."
         )
 
     resource_iterator = resources.iterator(chunk_size=2000)

scanpipe/tests/data/d2d-javascript/symbols/cesium.ABOUT

@@ -0,0 +1,8 @@
+about_resource: cesium
+name: cesium
+version: 1.125
+download_url: https://github.com/CesiumGS/cesium/archive/refs/tags/1.125.zip
+homepage_url: https://github.com/CesiumGS/cesium
+license_expression: apache-2.0
+attribute: yes
+package_url: pkg:github/CesiumGS/cesium@1.125