Journal of East China Normal University (Natural Science), 2022, Vol. 2022, Issue 5: 90-99. doi: 10.3969/j.issn.1000-5641.2022.05.008

Section: Supply Chain Platform Evaluation Methods and Tools

Data-driven maintainability risk analysis method for the open source software supply chain (title translated from the Chinese)

Qing SUN1,2, Guanyu LIANG1,3, Yanjun WU1,3, Bin WU1,3, Chunqi TIAN2,*, Wei WANG4

  1. Nanjing Institute of Software Technology (Chinese Academy of Sciences), Nanjing 210000
  2. College of Electronic and Information Engineering, Tongji University, Shanghai 201804
  3. Institute of Software, Chinese Academy of Sciences, Beijing 100190
  4. School of Data Science and Engineering, East China Normal University, Shanghai 200062
  • Received: 2022-07-07; Online: 2022-09-25; Published: 2022-09-26
  • Corresponding author: Chunqi TIAN, E-mail: tianchunqi@tongji.edu.cn

Data-driven open source software supply chain maintenance risk analysis method

Qing SUN1,2, Guanyu LIANG1,3, Yanjun WU1,3, Bin WU1,3, Chunqi TIAN2,*, Wei WANG4

  1. Nanjing Institute of Software Technology, Nanjing 210000, China
  2. College of Electronic and Information Engineering, Tongji University, Shanghai 201804, China
  3. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
  4. School of Data Science and Engineering, East China Normal University, Shanghai 200062, China
  • Received: 2022-07-07; Online: 2022-09-25; Published: 2022-09-26
  • Contact: Chunqi TIAN, E-mail: tianchunqi@tongji.edu.cn

Abstract (translated from the Chinese):

The use of the software supply chain is interwoven throughout the development of software systems. In recent years, security incidents involving the software supply chain have occurred frequently, and software supply chain security has become a global problem. Software maintainability, one of the important attributes of software quality, reflects how easy or difficult software maintenance activities are. The open source trend in software supply chains is becoming increasingly popular, but research on the maintainability of the open source software supply chain is still in its infancy. Based on these considerations, this paper combines traditional research methods for software maintainability risk, explores the analysis perspectives specific to the maintainability risk of open source software, and proposes a maintainability quality model for the open source software supply chain. The model uses 16 metrics to measure 9 classes of software attributes, including team health, software activity, dependency influence, test completeness, external dependency and understandability, so as to reflect the maintainability of the open source software supply chain. At the same time, based on data from the GitHub hosting platform and the npm (the standard package manager for Node.js) sub-ecosystem (including software information, dependency relationships, and the behavioural data generated by each piece of software during development), the maintainability metrics of different software within the same time period are compared and computed, verifying the rationality of the proposed method. The maintainability quality model proposed in this paper can therefore be used to evaluate the maintainability of the open source software supply chain effectively, to help and guide software design and refactoring, and in turn to develop higher-quality software systems.

Keywords: open source software supply chain, risk evaluation, maintainability, evaluation model

Abstract:

The use of the software supply chain is interwoven throughout the software system development process. In recent years, security incidents related to the software supply chain have occurred frequently, and its security has become a global issue. Software maintainability, as one of the important attributes of software quality, reflects the difficulty of software maintenance activities. Although the trend toward an open source software supply chain has gradually become popular in recent years, research into its maintainability remains extremely limited. Based on the above considerations and combined with a traditional research approach to software maintainability risk, this paper explores an analysis perspective specific to the maintainability risk of open source software and proposes a quality model for the maintainability of open source supply chain software. The model measures nine software attributes, including team health, activity, dependency influence, test integrity, external dependency, and understandability, using 16 metrics that reflect the maintainability of the open source software supply chain. At the same time, based on the GitHub hosting platform and npm sub-ecosystem data (including software information, dependencies, behavioral data generated during the development of each piece of software, and so on), the maintainability indicators of different projects at the same time, and of the same project within different time periods, are compared and calculated, confirming the rationality of the proposed method. Using the model proposed herein, the maintainability quality of the open source software supply chain can be effectively evaluated, thereby guiding software design and refactoring and the development of higher-quality software systems.

Key words: open source software supply chain, risk evaluation, maintainability, evaluation models
