Supply Chain Platform Evaluation Methods and Tools


Data-driven open source software supply chain maintenance risk analysis method

  • Qing SUN,
  • Guanyu LIANG,
  • Yanjun WU,
  • Bin WU,
  • Chunqi TIAN,
  • Wei WANG

  • 1. Nanjing Institute of Software Technology, Nanjing 210000, China
  • 2. College of Electronic and Information Engineering, Tongji University, Shanghai 201804, China
  • 3. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
  • 4. School of Data Science and Engineering, East China Normal University, Shanghai 200062, China

Received date: 2022-07-07

  Online published: 2022-09-26


How to cite this article

Qing SUN, Guanyu LIANG, Yanjun WU, Bin WU, Chunqi TIAN, Wei WANG. Data-driven open source software supply chain maintenance risk analysis method [J]. Journal of East China Normal University (Natural Science), 2022, 2022(5): 90-99. DOI: 10.3969/j.issn.1000-5641.2022.05.008

Abstract

Software supply chains are woven throughout the software development process. In recent years, security incidents involving the software supply chain have occurred frequently, and software supply chain security has become a global issue. Software maintainability, one of the key attributes of software quality, reflects how difficult software maintenance activities are. Although open source software supply chains have become increasingly popular in recent years, research into their maintainability remains very limited. Based on these considerations, and combining them with traditional approaches to software maintainability risk, this paper explores an analysis perspective specific to the maintainability risk of open source software and proposes a maintainability quality model for the open source software supply chain. The model uses 16 metrics to measure nine software attribute classes, including team health, activity, dependency influence, test integrity, external dependency, and understandability, in order to reflect the maintainability of the open source software supply chain. Using data from the GitHub hosting platform and the npm (the standard package manager for Node.js) sub-ecosystem, including software metadata, dependency relationships, and the behavioral data each project generates during development, the maintainability indicators of different projects at the same point in time, and of the same project across different time periods, are computed and compared, confirming the soundness of the proposed method. The proposed model can therefore be used to evaluate the maintainability of the open source software supply chain effectively, helping to guide software design and refactoring and thereby the development of higher-quality software systems.
