Code Comments: A Way of Identifying Similarities in the Source Code

Abstract

This study investigates whether analyzing the code comments available in the source code can effectively reveal functional similarities within software. The authors explore how both machine-readable comments (such as linter instructions) and human-readable comments (in natural language) can contribute towards measuring the code similarity. For the former, the work is relying on computing the cosine similarity over the one-hot encoded representation of the machine-readable comments, while for the latter, the focus is on detecting similarities in English comments, using threshold-based computations against the similarity measurements obtained using models based on Levenshtein distances (for form-based matches), Word2Vec (for contextual word representations), as well as deep learning models, such as Sentence Transformers or Universal Sentence Encoder (for semantic similarity). For evaluation, this research has analyzed the similarities between different source code versions of the open-source code editor, VSCode, based on existing ESlint-specific directives, as well as applying natural language processing techniques on incremental releases of Kubernetes, an open-source system for automating containerized application management. The experiments outlines the potential for detecting code similarities solely based on comments, and observations indicate that models like Universal Sentence Encoder are providing a favorable balance between recall and precision. This research is integrated into Project Martial, an open-source project for automatic assistance in detecting plagiarism in software.

1. Introduction

The research aims to expand automated methods for detecting software code similarities, designing tools that facilitate collaboration between human experts and software. This will support informed plagiarism decisions through an interactive process where the broader context of the code, including comments and coding style, is automatically analyzed. To this end, this research introduces two novel models for identifying code similarities based solely on source code comments: one targeting machine-readable comments and the other focusing on human-readable comments.

There are several methods that have been used for detecting software code similarities, with the most common being fingerprint-based techniques [1,2,3,4], which aim to create distinctive “signatures” of code sections, allowing for automatic comparison. The main downside of these is that they lack the ability to fully explain flagged similarities, thus necessitating in-depth human review. Software birthmarks aim to address these limitations by extracting more robust identifying features and can work on both source code [4,5,6,7] and binary code [6,8,9,10]. Advanced birthmark techniques may incorporate machine learning to improve accuracy in complex programs. Finally, code embeddings-based solutions are another promising technique, as they are able to capture semantic meaning, as well as enabling similarity detection based on functionality. While these have primarily been applied to source code [11,12,13], they hold potential for binary code [14] analysis as well.

Ultimately, even if these techniques offer varying degrees of automation and explainability, human judgment remains essential for determining true plagiarism [15,16]. The current research focuses solely on the detection part of code similarities.

This paper continues with Section 2, which aims to classify and analyze comments in code, based on the target audience. Section 3 underscores the importance of comments as part of software development, and Section 4 proposes a formal method to represent comments within the source code as multisets, allowing analysis of comment structures within their local context. Later, Section 5 investigates whether code comments alone can reveal similarities between programs. It demonstrates how to analyze machine-readable comments, to detect similarities across different releases, with examples from ESLint instructions available in VSCode, and it explores the successful application of natural language processing techniques to human-readable comments, highlighting the superior balance of recall and precision achieved by the Universal Sentence Encoder [17] model. Section 6 discusses the implementation of the techniques in Project Martial, an open-source project for detecting software plagiarism. Section 7 discusses the interpretation of the results presented in this paper and finally, Section 8 summarizes the contributions of this paper, draws some conclusions and outlines potential future research directions.

2. Classification of Comments

Donald Knuth concluded in [18] that computer programming is an art, because it applies accumulated knowledge to the world, which requires skill and ingenuity, and especially because it produces objects of beauty. Such a powerful statement uplifts the merits of software developers but comes with a not-so-obvious pitfall when viewing software in the context of continuous development with contributions from a set of ever-changing engineers. In order to help the readers and reviewers comprehend the structure and purpose of the code, developers would provide lasting explanations, in the form of code comments, to the main program’s source code. Programming languages all agreed on the importance of providing such mechanisms, and for pioneer programming languages such as Fortran, the convention was that any line beginning with either the C character or an * in the first column is a comment. The Fortran basics guide states that well-written comments are crucial to program readability. Even in assembly languages, comments have been introduced to allow the developers explain, in a human-readable statement, the outcome. In x86 assembly, comments are usually denoted by the use of the semicolon (;) symbol, but variations also allow for shell-like (#) or C-like (//, /*) structures.

While often perceived as elements irrelevant to the computer, comments were historically only dropped from automatic analysis due to language specification limitations. For example, in early Fortran, when punch cards were prevalent, a comment character in the first column would designate the entire card as a comment, causing the execution to completely ignore it.

Kernighan and Ritchie reinforced this notion in their influential book [19] describing C specifications, which stated that any characters between /* and */ are ignored by the compiler; they may be used freely to make a program easier to understand. An example of a grammar implementation of this statement is presented in the appendix, Code Listing A.1.

Predictably, programming languages and software development technologies have evolved, introducing new complexities and requirements. Consequently, “code comments” have gained significance in various stages of the life-cycle of a program, moving beyond their traditionally overlooked role. For instance, in some languages including Python, specifying a custom encoding requires adding a special comment line at the very beginning of the file, as illustrated in Code Listing A.2. Another example, presented in Code Listing A.3, covers operating system directives, but there are also cases where code comments, while not directly affecting program execution or interpretation, provide guidance for external analysis tools, such as instructions for linters (Code Listings A.4 and A.5) or static analyzers (Code Listing A.6). Nonetheless, they can also provide hints, instructing compilers or interpreters to alter the behavior of the program.

Therefore, even if the primary use of comments was and remains to indicate explanations for software engineers that are reviewing existing codebases, there are quite a few exceptional cases where it is reasonable for commentaries to be designed in a way that they are machine-readable, in order to allow actions to be automatically performed, by various systems.

Moreover, there are other machine-readable expressions, besides comment statements, that do not directly influence the functionality of the executable code. Pragma statements within libraries or languages are an example; they modify the binary only if the compiler supports them. Consider OpenMP: if the compiler does not support its pragmas, they are discarded, ensuring the resulting binary still functions as intended (Code Listing A.7). While analyzing such pragmas could potentially assist in determining code similarities, that analysis is outside of the scope of this paper.

3. Statistics on Open-Source Projects

Because open-source projects promote transparency, by releasing the source code within a project, they are a good source of analysis, as opposed to proprietary software provided in binary format, where past traces of comments have already been eliminated. This paper analyzed the evolution of the commentary in code, for notable open-source projects, such as, but not limited to, Kubernetes [20] (Go), Visual Studio Code (TypeScript) and Linux [21] (C).

Table 1. Quantitative analysis of comment distribution for various open-source projects (including projects written in Go, TypeScript, Java, C and C++), employing code analysis tools to measure comment density, length and the ratio of English words (defined as words composed entirely of alphabetical characters from the English alphabet).

Project (Main Programming Language)	Total Lines of Comments | Code (Ratio)	Total Number of Single- | Multi- Line Comments	Number of Comments Chars (RATIO)	Number of Comments Words (Ratio)	Number of English Words | Total Number of Words Based on Alphabet
kubernetes-1.1.1 (Go)	167k|780k (21.51%)	84k|2k	8.2M (32.24%)	972k (35.53%)	831k|900k (92.34%)
VSCode-1.1.0 (TS)	64k|474k (13.52%)	12k|16k	3.6M (21.48%)	452k (27.33%)	410k|426k (96.11%)
VSCode-1.40.0 (TS)	66k|704k (9.49%)	24k|13k	3.6M (14.55%)	387k (16.62%)	336k|353k (95.36%)
VSCode-1.78.0 (TS)	109k|1.2M (8.92%)	44k|20k	6.1M (12.98%)	656k (15.44%)	572k|600k (95.41%)
docker-cli-24.0.0 (Go)	166k|780k (21.33%)	87k|461	7.4M (28.56%)	983k (32.36%)	655k|725k (90.37%)
guava-32.0.0 (Java)	175k|804k (21.84%)	24k|20k	8.9M (31.56%)	1.1M (42.95%)	1.0M|1.1M (95.47%)
moby-24.0.0 (Go)	278k|1.7M (16.38%)	201k|1.8k	13.8M (26.28%)	1.8M (29.85%)	1.4M|1.5M (92.66%)
elasticsearch-8.1.0 (Java)	304k|3.0M (9.90%)	73k|48k	18.4M (14.08%)	2.1M (23.91%)	1.9M|2.0M (95.37%)
tensorflow-2.13.0 (C++)	333k|2.5M (13.00%)	224k|49k	16.9M (16.86%)	2.1M (26.42%)	1.8M|1.9M (95.16%)
linux-3.0 (C)	1.1M|10.9M (10.20%)	42k|695k	62.8M (21.10%)	8.3M (26.11%)	6.9M|7.4M (93.62%)
linux-4.0 (C)	1.3M|14.3M (9.53%)	31k|819k	76.3M (19.75%)	10.3M (25.05%)	8.6M|9.2M (93.69%)
linux-5.0 (C)	1.6M|18.5M (8.88%)	46k|970k	92.1M (18.37%)	12.4M (23.70%)	10.3M|11.1M (93.44%)
linux-6.0 (C)	1.7M|22.4M (8.00%)	80k|1M	101M (16.61%)	13.5M (21.64%)	11.2M|12.0M (92.98%)

summarizes quantitative data for all the analyzed projects, with the ratio of total lines of comments to code varying anywhere between 8% and 22% across different projects, but the percentages increases even further if the reporting switches towards counting the total number of characters (between 16% and 33%) or words (between 21% and 43%), that are contained in the comments against the total corpus.

Kubernetes v1.1.1 was released in 2015, and in January 2023, v1.26.1 has been released. Figure 1 presents the ratio of comments w.r.t. the total lines of code. Between these versions, comments have been ranging between $15\%$ and $25\%$ of the total number of lines in the source code, peaking to about $1.5$M of lines of comments (out of a total of $5.5$M) in the last analysed release. Even if the proportion of comments to total lines of code fluctuates within consecutive versions, the overall long-term trend is ascendant, which could indicate an increased emphasis on code readability, maintainability, or collaboration within the Kubernetes development community. If the investigation is char-wise (counting the ratio of characters appearing in comments against the total number of characters appearing in the source code) or word-wise (counting the ratio of space-separated words) focused, the percentages are even bigger; $35\%$ for chars and $41\%$ for the words. Figure 2 captures the evolution of these percentages against different versions of Kubernetes. Moreover, these data suggest a clear upward trend in the use of code comments within large-scale open-source projects, with both the relative and absolute amounts of comment words increasing over time, and indicate that comments are becoming essential tools for navigating and comprehending the complexities of large-scale open-source projects to make the source code more accessible and understandable.

4. Formalizing Code Comments Analysis

Let $\mathcal{A}$ be the text representation of the source code. By $\mathcal{C}$ it is denoted the set of all blocks of comments from $\mathcal{A}$. All single-line comments are mapped to an element of $\mathcal{C}$. For languages that support multi-line comments, for simplicity, multi-line blocks are also modelled as a single element of $\mathcal{C}$.

An important statement is that $\mathcal{C}$ is finite. Given that all source codes are finite sets of instructions of the programming language, $\mathcal{A}$ is also finite. As $\mathcal{C}$ is built exclusively as a subset of $\mathcal{A}$, $\mathcal{C}$ is also finite.

Let $C =(\mathcal{C},m)$ be the multiset of all blocks of comments from $\mathcal{A}$, where $m\left(c_i\right)$ provides the multiplicity of the element $c_i$ in $\mathcal{A}$. The multiset representation helps in capturing the count of duplicated comments.

There is one aspect that is yet not covered, regarding the fact that a logical comment may not spawn over one single line. One proposal would be to aim to concatenate multiple line-independent comments when performing the analysis.

Let ${\mathcal{C}}^{*}=\{\overline{c_{i_1}{c}_{i_2}\dots c_{i_k}}\mid c_{i_1}{c}_{i_2}\dots c_{i_k}\in \mathcal{C},i_x\ne i_y,\forall x\ne y\}$, and denote by ${C }^{*}=({\mathcal{C}}^{*},m^{*})$ the multiset of all concatenated blocks of comments from $\mathcal{A}$, where $m^{*}\left(\overline{c_{i_1}{c}_{i_2}\dots c_{i_k}}\right)=m\left(c_{i_1}\right)·m\left(c_{i_2}\right)·\dots ·m\left(c_{i_k}\right)$.

While ${C }^{*}$ provides the most extensive set to search in, it is impractical to analyze all possible concatenations, as the cardinality grows over powers rule. To allow room for a meaningful analysis, the cardinality of this set can be reduced by analyzing multi-line comments based on their locality.

Let the function $line\left(c_i\right)$ return a set of lines where comment $c_i$ was found in $\mathcal{A}$, and let ${\mathcal{C}}^{+}=\{\overline{c_{i_1}{c}_{i_2}\dots c_{i_k}}\mid \exists l_{i_1}\in line\left(c_{i_1}\right),l_{i_2}\in line\left(c_{i_2}\right),l_{i_k}\in line\left(c_{i_k}\right),l_{i_z}<l_{i_t}\forall z<t,c_{i_1}{c}_{i_2}\dots c_{i_k}\in \mathcal{C},i_x\ne i_y,\forall x\ne y,\nexists c_q\in \mathcal{C},q\notin i_j,\nexists l_q\in line\left(c_q\right)s.t.l_{i_z}<l_q<l_{i_t}\}$, and denote by ${C }^{+}=({\mathcal{C}}^{+},m^{+})$ the multiset of all locally concatenated blocks of comments from $\mathcal{A}$. It is important to note that $m^{+}$ exists, and it is equal to the total number of possible combinations of $l_{i_j},j\in \overline{1\dots k}$.

In practice, the cardinality of ${\mathcal{C}}^{+}$ is a scaling issue for automatic detection, so let the subset ${\mathcal{C}}_r^{+}$ be defined, with the additional constraint from ${\mathcal{C}}^{+}$ that allows for maximum r single line comments concatenation, i.e., any element $\overline{c_{i_1}{c}_{i_2}\dots c_{i_k}}\in {\mathcal{C}}_r^{+}$ must have $k\le r$. Likewise, let ${C }_r^{+}=({\mathcal{C}}_r^{+},m_r^{+})$ be the multiset of all locally concatenated blocks of comments of maximum length of r from $\mathcal{A}$ and $m_r^{+}$ be the total number of possible combinations of $l_{i_j},j\in \overline{1\dots k}$.

By convention, ${C }_{\infty }^{+}={C }^{+}$.

An important note to make is that, for any given finite $\mathcal{A}$, ${\mathcal{C}}^{+}$ will also be finite.

To prove this, let $r_0={\sum }_{i=1}^{|{\mathcal{C}}^{+}|}m\left(r_i\right)$. Therefore, the set ${C }_{r_0}^{+}$ will contain the maximum possible length concatenation of comments, $\overline{c_{i_1}{c}_{i_2}\dots c_{i_{r_0}}}$, this set representing the concatenation of all comments from the source code. Therefore, $\forall r_x\ge r_0,{C }_{r_x}^{+}={C }_{r_0}^{+}$ and ${C }^{+}={C }_{r_0}^{+}$.

Modeling Repetitive Comments

Because duplicated comments are a frequent phenomenon in code (Code Listing A.9 presents such an example), a worthwhile analysis would investigate the necessity of both repetition detection and locality context searching for code similarity analysis. This property will be explicitly used in subsequent sections related to the investigation of machine-readable comments, where the multiplicity of lint comments has a key role in computing the similarity.

To address situations where duplicate comments appear in different locations and to better capture the importance of locality context, the model requires an extension for repetitive comments.

The multiplicity is covered in the model via the multiplicity function $m_r^{+}$ of the multiset $({\mathcal{C}}_r^{+},m_r^{+})$. Code Listing A.8 demonstrates how seemingly isolated single-line comments, when considered together, form a cohesive explanation requiring locality context for accurate analysis.

Locality context searching will be enforced in the models via the r-parameter of ${C }_r^{+}$. Due to computational constraints, the research will only focus on ${C }_r^{+}$, with a finite r. To pick an appropriate value of r, the authors have empirically evaluated the capabilities of detecting similarities with respect to r. Choosing a finite smaller value for r makes the approach prone to missing true positives, as well as not defending against willful changes between the analyzed versions. An improvement can be made if more computational resources are available by increasing the value of r, or using ${C }_{\infty }^{+}$. The proposed models runs two main algorithms: one algorithm is optional and it is only applied for generating the embeddings for models that need one, such as transformers and sentence encoders, and the other algorithm is mandatory and it process the comments (or their associated embeddings) from different sources, one pair at a time. The complexity of the former algorithm grows linearly with r, while the latter algorithm is quadratic in r. Figure 3 presents some practical results, which outline the two dependencies of these algorithms with respect to the increase in r.

Choosing this particular value was, in this research, based on empirical tests on Kubernetes releases, where $r=6$ was considered to be the right trade-off. For any $r\ge 6$, the numbers of similarities identified remained constant, and large chunks of similar comments identified were also covered by analyzing subsets. When evaluating the model, the increase from $r=1$ to $r=3$ led to several more matches, but the the growth from $r=3$ to $r=6$ slowed considerably. Because the only downside of choosing a larger value for r is the increase in the computational expense, it is recommended to adopt a value that fits the available physical resources, as well as potential time constraints of the application. Please consult Figure 3 for the performance implications associated with choosing $r=6$, for the scenario analysed in this paper.

5. Analyzing Code Similarity

Section 2 and Section 3 have emphasized the importance of comments to any non-trivial software project and, given their relevance, this research investigates if whether analyzing the comments from a source code can provide sufficient information to perform relevant measurements of code similarity. The presented approach would involve combining natural language processing techniques with the analysis of comment structure and their placement within the code. This paper will separately treat machine- and human-readable comments in the next two subsections.

5.1. Machine-Readable Comments

In order to validate whether machine-readable comments may help in measuring code similarity to some degree, the research presents the evolution of ESlint [22] traces for the VSCode Project [23]. It is worth noting that because currently VScode releases happen monthly, with the notable exception that there is no release in December, this provides plenty of resources to analyse.

Figure 4 captures a subset of ESlint-identified issues in the VSCode Project, where some similarities between incremental versions of this software will be analysed. For analyzing the similarity for a particular use case, ${C }_1^{+}$ suffices for identifying all the ESlint suppressions.

Let $\mathcal{L}$ be the set of all lint overrides identified in $\mathcal{A}$. $\forall l\in \mathcal{L}$ $\exists c_i\in {\mathcal{C}}_1^{+}$, such that l appears in $c_i$. The occurrences of l are tracked by modeling the multiset $\mathcal{L}=(\mathcal{L},m_l)$, where $m_l=\sum m\left(c_i\right)\forall i$, such that l appears in $c_i,c_i\in {C }_1^{+}=({\mathcal{C}}_1^{+},m)$.

In order to compute a metric that captures the similarity of the two algorithms, defined by ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$, based on the linter findings, the research uses the cosine similarity. Let ${\mathcal{L}}_1$ and ${\mathcal{L}}_2$ be the multisets that describe the lint overrides identified in ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ and let $\mathcal{L}={\mathcal{L}}_1\bigcup {\mathcal{L}}_2$. The method attaches to each algorithm $\mathcal{A}$ a vector embedding $v_{\mathcal{A}}$ that corresponds to the hot-encoding of the set of lint issues present in an $\mathcal{A}$, weighted by their occurrence.

$v_{\mathcal{A}}=[\bigcup m^{\#}\left(l_i\right)],\forall l_i\in \mathcal{L}$, where

$$m^{\#}\left(l_i\right)=\left\{\begin{array}{cc}0,\hfill & l_i\notin {\mathcal{L}}_{\mathcal{A}}\hfill \\ m\left(l_i\right),\hfill & l_i\in {\mathcal{L}}_{\mathcal{A}}\hfill \end{array}\right.$$

Figure 5 presents the results of computing the cosine-based similarity based on ESlint suppressions in various VSCode releases by computing the value $cos\left(\theta \right)={\displaystyle \frac{v_{{\mathcal{A}}_1}·v_{{\mathcal{A}}_2}}{{∥v_{{\mathcal{A}}_1}∥}_2{∥v_{{\mathcal{A}}_2}∥}_2}}$. This score contains more linter issues (27) than the ones presented in Figure 4 (a subset of 15 linter issues).

Of particular note are the similarity scores presented in Figure 5 are built entirely based on the cosine similarity of the resulting one-hot encodings obtained from the data available in Figure 4, and each square in the heatmap obtained in Figure 5 corresponds to the cosine similarity between the vectors available in the latter. For example, as the vectors defining the lint issues in VSCode versions v$1.48$ and v$1.49$ are equal, their cosine similarity score will be 1 and, therefore, matched with the highest intensity square in the heat-map.

It is worth mentioning that the closer the versions are, in general, the higher the similarity observed by this algorithm. Comparing v$1.42$ with v$1.43$, the similarity score obtained is around $0.991$, while v$1.42$ with v$1.44$, the similarity is 0.947. Finally, v$1.42$ with v$1.77$ yields a similarity score of 0.867. The similarity is, however, not described by a strictly monotonic function. For example, v$1.42$ with v$1.78$ yields a similarity score of $0.870$, greater than the one obtained against v$1.77$.

Please note that earlier than v$1.42$, there were no lint issues in the code of VSCode, so $v_{\mathcal{A}}$ is a nil-vector and, therefore, cosine similarity is nil for each comparison. This research therefore excludes versions below v$1.42$ from the analysis, for which the current method does not provide any meaningful inputs. This is a known limitation of this model model, which is irrelevant for similarity analysis for any two source codes that lack machine-readable comments.

5.2. Human Comments

Because the intend is to leverage established natural language processing technologies for computing code similarity through comment analysis, as a prerequisite, the research aims to evaluate the applicability of such techniques to code comments. by analyzing the percentage of actual English words found within comments. To approximate whether a word belongs to the English lexicon, it will be cross-referenced against the nltk’s corpus of words, enchant’s US_en dictionary and wordnet’s corpus.

Figure 6 shows that for Kubernetes, between 91 and 93 percent of all the alpha (contains only a–z letters) words from comments are words belonging to the English lexicon. Some coding style guides may actually enforce the proper use of grammar and vocabulary in the code-base. For example, the Google Style Guide for writing code in languages such as C++, Go or Java state that comments that are complete sentences should be capitalized and punctuated like standard English sentences [24] and comments should be as readable as narrative text, with proper capitalization and punctuation [25].

English dominates open-source software development as the most frequently used human-readable language. This simplifies the analysis, as understanding the percentage of meaningful English words provides a close approximation of the total percentage of words belonging to the lexicon of a human-spoken language. This concept is illustrated in Listing A.10. However, comments might not always adhere strictly to natural language syntax, even when intended to convey meaning similar to spoken language, which may be a limitation of the presented solution. In Listing A.11, even if the name of the flag is not part of any lexicon, it is easier for humans to understand the meaning of that value.

To analyze the similarity between two algorithms, defined by ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$, the model will investigate ${C }_{6_1}^{+}=({\mathcal{C}}_{6_1}^{+},m_{6_1}^{+})$ and ${C }_{6_2}^{+}=({\mathcal{C}}_{6_2}^{+},m_{6_2}^{+})$, the multiset containing locally concatenated blocks of comments of maximum length of 6 from ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$. The models are detecting similarities in code comments by computing a similarity function $s(c_1,c_2)\in [0,1]$ against each two elements of these sets and a threshold value $t\in (0,1]$. If $s(c_1,c_2)\ge t$, the model considers $c_1$, $c_2$ to have a similarity and labels the pair accordingly.

There are trade-offs in choosing an appropriate value of t. At limit cases, $t\to 0$ will make all comments look similar, while $t\to 1$ will enforce that only exact comments are labeled with similarities.

The choice of similarity function is crucial to this approach. Since obtaining definitively similar code samples is challenging [26], this study constructs the analysis dataset using incremental versions of the same program. The assumption is that recent versions represent a high degree of similarity. To validate whether comments can indicate similarity between different releases, this model is evaluated against the evolution of comments in various Kubernetes versions. The research explores a wide range of techniques: from basic string matching and fuzzy matching with rapidfuzz [27], to advanced NLP approaches. These include cosine similarity calculations based on word2vec embeddings [28], as well as models based on deep contextualized of word representations, which aim to create vector embeddings from the code comments.

A Levenshtein-based similarity function will typically provide higher precision scores but will be prone not to detect changes of form without substance, while a contextualized word representation may be able to generalize for more complex cases but is at risk of triggering false positives. More details backing up this statement will be available in Section 7 and  Section 8.

It is important to consider that the model treats consecutive comments as potentially connected and analyzes them accordingly (up to r). In reality, they could be related, or they may not be related at all. That is not a limitation of the approach, because if the model matches the entire group as similar, with a distinct group of consecutive comments obtained from the analyzed source, related or not locally, they result in a similarity that is worth analyzing. In the context of plagiarism detection, as per the argument of [15], “after specific sections of the programs have been flagged as similar, it shouldn’t matter whether the questionable code was initially uncovered by software or by a person” and that “the argument for plagiarism should stand on its own”.

Another consideration in choosing the optimal model is the associated complexity of the method. In

Table 2. Time statistics (obtained on a 2.3 GHz Dual-Core Intel Core i5 processor) for generating and processing embeddings on over 12,000 Go lines, obtained from a subset of Kubernetes v1.2.1 and v1.3.1 and v1.25.1 repositories. The Levenshtein-based models require no prior work for generating embeddings, and the processing step simply involves evaluating the text-based similarity of the two analyzed comments.

Model	Generating Embeddings	Computing Similarities
Levenshtein	n/a	39 s
Word2Vec	32 s	1 m 44 s
ELMo	12 h 14 m	1 h 57 m
RoBERTa	28 m 48 s	1 h 58 m
Universal Sentence Encoder	6 s	2 h 12 m

, it is presented the total time required to perform the two tasks (generating and processing the similarities) on a dataset of over 12 thousands lines of Go code. The total time of the analysis is the sum of these intervals. Simpler models like Word2Vec are faster for both generating and processing embeddings, while more complex models (such as ELMo or RoBERTa) are computationally demanding. The Universal Sentence Encoder demonstrates significant efficiency in embedding generation but incurs a longer computational cost during the subsequent processing stage. Levenshtein-based models are notable outliers in the presented table, as their extremely good performance in terms of speed, but come with the trade-off of missing broader semantic understanding.

For analyzing the performance of the models, the authors have compared the predictions of similarity of the models against a human-labeled dataset obtained from over 12,000 lines of Go code from the source code of Kubernetes “/pkg/api” directories versions v1.2.1 (April, 2016), v1.3.1 (July 2016) and v1.25.1 (September 2021). The dataset contains 3594 comments, and the ground truth contains 49573 identified similarities between pairs of comments (including 3594 identity similarities). This dataset has a big class imbalance: the total number of ‘not similar’ matches on the code comments is nearly 6 million, compared to ‘similar’ classes, which are on the order of 50 thousands. As a result, to obtain the most reliable assessment of the model’s performance, in this analysis the evaluation based on the F1-Score will be prioritize. This is because a high F1-Score indicates the model performs well in both minimizing both false positives and false negatives, even if the dataset is unbalanced.

The performance of the models on this dataset is also summarized in

Table 3. A performance comparison of different models tested against around 35 thousand comments from three versions of Kubernetes source code. The presence of numerous trivial similarity examples within the dataset, such as identical or nearly identical comments, can lead to artificially inflated performance metrics, even for relatively simplistic models. Optimizing for the long tail provides a more realistic measure of a model’s capabilities in real-world code analysis. The ELMo-based model is being ignored when computing the most appropriate model for optimizing a certain metric because of the low F1-Score.

Model	Metric	Precision	Recall	F1-Score
Levenshtein	not similar	0.99823	0.99999	0.99912
	similar	0.99979	0.77115	0.87071
	macro avg	0.99901	0.88557	0.93491
	weighted avg	0.99824	0.99824	0.99813
	accuracy	0.99824
Word2Vec	not similar	0.99996	0.99923	0.99959
	similar	0.90861	0.99469	0.94970
	macro avg	0.95428	0.99696	0.97465
	weighted avg	0.99926	0.99919	0.99921
	accuracy	0.99919
ELMo 1	not similar	0.99999	0.46312	0.63306
	similar	0.01420	0.99984	0.02800
	macro avg	0.50710	0.73148	0.33053
	weighted avg	0.99243	0.46724	0.62841
	accuracy	0.46724
RoBERTa	not similar	0.99832	0.99871	0.99852
	similar	0.82492	0.78297	0.80339
	macro avg	0.91162	0.89084	0.90096
	weighted avg	0.99699	0.99706	0.99702
	accuracy	0.99706
USE	not similar	0.99986	0.99998	0.99992
	similar	0.99856	0.98162	0.99002
	macro avg	0.99921	0.99081	0.99497
	weighted avg	0.99985	0.99985	0.99985
	accuracy	0.99985

¹ The ELMo model is not taken into account for optimizing a certain metric because of the low overall F1-score.

by evaluating the models using precision, recall and F1-Score as metrics. It also computes the macro and weighted average, as well as the accuracy. The model based on the Universal Sentence Encoder seems to achieve the best quantitative results, maintaining a good balance between precision and recall on the analyzed Kubernetes-based test dataset described above.

Because the dataset contains many comments that are either identical or have very minor changes across consecutive versions, even simple models will easily identify them as similar. This artificially inflates accuracy, precision and recall. It is therefore critical to optimize the long tail of misses in the data presented in Table 3, as spotting trivial similarities is far less valuable than pinpointing the more subtle similarities that require a deeper understanding of the natural language used.

5.2.1. Levenshtein-Based Models

Rapidfuzz [27] is an implementation of an approximate string matching algorithm, which aims to only approximately find strings that match a given pattern based on Levenshtein distance. While matches in this approach are high quality and clear indications on similarity [29,30,31], produced by making a variety of minor changes of inserting, deleting or substituting words, the method has a low hit rate [32] on more advanced cases, where structural changes are involved.

The results seem to be of high quality due to the number of false positive matches being minimal compared to other methods. For high values of t, the number of false positive matches is almost nonexistent (for $t=1$, only exact matching will be performed). Some qualitative examples are described in Appendix B.1, in Examples B1 towards B6. However, overall, the match perspective is bounded in identifying true positives. It works really well in identifying form changes, such as typos, refactoring or (almost) duplicated code comments.

5.2.2. Word2Vec-Based Models

Spacy’s approach to computing similarity involves assigning each word a vector representation derived from a pre-trained model. This model has been trained on large corpora using the Word2Vec technique [28], enabling the creation of contextual embeddings. To calculate the similarity between full sentences, Spacy averages the word embeddings and computes the cosine difference. While generally useful [33], this method can yield unexpected results. False positives may arise due to the “canceling out” effect within the averaged embeddings or from the model misinterpreting similarities between unrelated words.

This method can identify the very vast majority of similarities that Levenshtein-based models can, as seen in Appendix B.2, example B7, but it can also find more complex sequence paraphrases, as seen in examples B8 and B9. Examples B10 and B11 capture more cases, including complete rephrases and rewording of the original statements. Example B12 is a debatable case if the similarity is correctly identified by the current model. While the two comments refer to similar things (bind addresses, IP addresses, 0.0.0.0, servers and serving), it is rather difficult to state their exact similarity, even for a human expert.

5.2.3. ELMo-Based Models

ELMo [34] is a model that computes the embeddings from the states of a two-layer bi-directional language model [35]. In practice, running the ELMo-based model for large projects is expensive computationally. The risk of false positives can be addressed either by increasing the value of t, or by human judgement. Even when performing the detection with a very high value for the threshold ($t=0.98$), in the presented experiments, the model identified a really high number of false positive matches, consequently leading to inefficiency.

The suitability of ELMo-based models for this specific task appears questionable. Analysis of the examples reveals shortcomings, as presented by the qualitative analysis on the examples from Appendix B.3. The only similarity in example B13 is that both comments reference the same GenericAPIServer, but the context in which it is referenced appears to be completely different (creation | usage of IP). Examples B14–B16 seem completely unrelated, and the matches are not particularly helpful in helping the manual labor involved by the operators.

5.2.4. Sentence Transformers

In the research, the authors have used the RoBERTa [36] model implementation from the SentenceTransformers framework, which is a BERT [37]-based model to create embeddings from text, as developed in [38]. These neural networks use Siamese structures to convert semantically meaningful embeddings from sentences. Given the output embeddings generated from ${C }_6^{+}$, the research computed the cosine similarity and chose $t=0.90$ for the experiments. Overall, the quality of the matches is pretty high.

As shown in examples B17–B19 from Appendix B.4, the model has thus proven good capabilities of identifying similarities, as it can identify pretty well changes in the phrases, as well as similar meaning within multiple different statements.

5.2.5. Universal Sentence Encoder

The Universal Sentence Encoder [17] is yet another model that the authors have selected for evaluating for encoding sentences into embedding vectors. The model (available online, open-source, at: https://tfhub.dev/google/universal-sentence-encoder/4, accessed on 16 March 2024) has been trained with a deep averaging network encoder [35]. Similar to the Sentence Transformers model, the use of the Universal Sentence Encoder seems to provide a better balance concerning the ratio of true to false positives than the rest of the analyzed methods. Examples B20–B22, referenced in Appendix B.5, show several qualitative similarities identified by the model.

Qualitatively, the most notable misclassifications of this model, which are not observed in simpler methods such as Levenshtein or Word2vec models, happens in comments that contain numerical values. For example, between Kubernetes v1.2.1 and v1.25.1, a change observed around the code-base is that “Copyright 2016” comments got replaced by “Copyright 2021”. The model fails to identify in many cases such similarities, as exemplified in example B23.

This paper evaluated the performance of the algorithm for multiple values of r and summarized the results in Figure 3. According to the results displayed, the generation part of the embeddings is very fast for this particular model, as it can generate more than 700 embeddings per second on a 2.3 GHz Dual-Core Intel Core i5 processor, and the time efficacy grows linearly with larger inputs. In terms of the processing, as mentioned in Section 4, the performance is quadratic because the required number of evaluations is quadratic in the total number of embeddings, and practical experiments have observed that, on the same architecture, it executes about 2800 similarity evaluations per second.

6. Implementation Details and Reproducibility

The techniques presented in this paper have been incorporated into Project Martial, an open-source initiative for automated software plagiarism detection (source code available at https://github.com/raresraf/project-martial, accessed on 16 March 2024). The implementation includes a user interface that visually highlights potentially similar code sections, as identified by the similarity functions described within the presented models. The authors acknowledge the valuable insights provided by the work in [35] for the analysis of human-readable comments, as well as the detailed implementation details that have been provided.

The natural language processing components of the models are being implemented in Python, utilizing libraries such as scikit-learn and Matplotlib for the presentation of the data and frameworks such as TensorFlow and PyTorch for importing, loading and running the transformer-based models presented in this paper. A review of the dependencies used for the processing of human-based comments can be consulted within the project-martial code, under the comments drivers from the “modules/”.

For syntactic and semantic code parsing, the software stack uses ANTLR (ANother Tool for Language Recognition), a parser generator that uses a top-down LL-based algorithm for parsing.

The data presented in Table 1 and in Figure 1, Figure 2 and Figure 6 are reproducible using the modules associated with the project-martial code, under “grammars/”. The data presented in Figure 4 and Figure 5 are reproducible using the modules under “parsers/”. The raw data numbers are also available under “dataset/”. Figure 3 is reproducible running the executables provided under “scripts/”.

For the plots, Figure 1, Figure 2, Figure 5 and Figure 6 are built using datawrapper, an online data visualization product. Figure 3 and Figure 5 are generated using the Matplotlib library.

The web-based user interface is developed in TypeScript, providing a responsive and intuitive experience for code review. Figure 7 illustrates how the software highlights potentially similar comments identified, aiding users in identifying areas of interest for code similarity. For a review of the implementation, please consult the resources under ui/.

The back-end server is built in Python, using the Flask framework, which is capable of serving API requests over HTTP, and the source code is accessible in the root directory of the project, under main.py.

7. Discussion

For the proposed solutions, this research observed that Levenshtein-based models offer excellent precision but may miss broader semantic similarities, while contextualized word embeddings such as Word2Vec or Universal Sentence Encoders perform better by capturing some of these complexities. However, these models might have some more false positives than Levenshtein-based, which minimizes almost to zero this metric.

The dataset used for evaluation was extracted from a subset of three Kubernetes versions, accumulating over 12 thousands lines of code and around 50 thousands identified similarities in comments. The best (Based on the F1-Score achieved on the dataset presented in this paper, from collected commentaries from three Kubernetes versions) model was based on the Universal Sentence Encoder [17], achieving a strong balance between precision and recall, but it showed some limitations when operating with sentences containing numerical values.

In addition, the Universal Sentence Encoder-based model stands out with efficient embedding generation, though processing of the embeddings is slower, due to their increased size. As expected, simpler models such as Levenshtein- and Word2Vec-based are significantly faster (see Table 2). Due to their still good performance, Word2Vec-based models can provide feasible alternatives to Universal Sentence Encoders, as they only use a fraction of the computational power required to run the analysis.

8. Conclusions and Future Work

This study aimed to develop practical methods for detecting code similarities by analyzing various types of software comments, and the results confirm the valuable contribution of comments in revealing code similarities.

Machine-readable comments (like ESlint directives) proved surprisingly effective when using techniques like cosine similarity and one-hot encoding, while the investigation of human-readable English comments demonstrated the power of semantic similarity models (Sentence Transformers, Universal Sentence Encoder) over form-based matching techniques (Levenshtein-based approaches). The former model can be classified in the collection of software birthmarks approaches, while the latter is an embedding-based model.

The research, performed on a diverse set of open-source projects, confirms the predominance of English in open-source code comments, making NLP methods highly applicable. However, a further area of research can be analyzing the potential deviations from strict natural language syntax, which should be considered when analyzing non-machine-readable comments, as this case exists in software projects, as pointed out in Table 1 and Figure 2. The quantitative analysis of comment distribution has been captured in Table 1 for various open-source projects (including projects written in Go, TypeScript, Java, C and C++), aiming to uncover language-specific commenting practices, readability trends and potential correlations with project maturity.

Integrating this research into Project Martial adds practical value by enhancing the capabilities of software plagiarism detection tools. The two proposed models are used in an ensemble manner, meaning that their predictions are combined in the score of similarity to achieve a more accurate and robust outcome.

As future work, it would be useful to extend this analysis beyond the analyzed datasets of Kubernetes and VSCode repositories in order to capture a larger variety of software languages and project types. This assesses the wider applicability of comment-based similarity detection, as well as performing further human-assisted validations, on the utility of these tools, to make the right trade-offs between precision and recall while fine-tuning the parameters. Nonetheless, as the state-of-the-art pre-trained language models improve, it becomes possible to update detectors to generate more sophisticated sentence-level representations for similarity checks than the capabilities of the current models.

Additionally, future work could explore the fine-tuning of models like RoBERTa or other Sentence Transformers on large-scale code comment datasets. This fine-tuning has the potential to improve the models’ sensitivity to the nuances of programming language and domain-specific terminology often found in comments.

Finally, the model’s reliance on comments presents a clear limitation, hindering its use on code-bases which have minimal documentation or for which comments have been intentionally removed. Future research, as part of the development of Project Martial, will investigate hybrid approaches that synergistically combine comment-based analysis with structural code analysis techniques. This would provide a more robust similarity detection solution applicable to a wider range of software.