Journal of East China Normal University(Natural Science) ›› 2022, Vol. 2022 ›› Issue (5): 90-99.doi: 10.3969/j.issn.1000-5641.2022.05.008

• Evaluation Methods and Tools for Supply Chain Platform •

Data-driven open source software supply chain maintenance risk analysis method

Qing SUN1,2, Guanyu LIANG1,3, Yanjun WU1,3, Bin WU1,3, Chunqi TIAN2,*, Wei WANG4

  1. Nanjing Institute of Software Technology, Nanjing 210000, China
  2. College of Electronic and Information Engineering, Tongji University, Shanghai 201804, China
  3. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
  4. School of Data Science and Engineering, East China Normal University, Shanghai 200062, China
  • Received: 2022-07-07 Online: 2022-09-25 Published: 2022-09-26
  • Contact: Chunqi TIAN


The software supply chain is now woven throughout the software development process. In recent years, security incidents related to the software supply chain have occurred frequently, and its security has become a global issue. Software maintainability, one of the important attributes of software quality, reflects how difficult software maintenance activities are. Although the open source software supply chain has gradually become widespread in recent years, research into its maintainability remains extremely limited. Based on these considerations, and combining them with the traditional research approach to software maintainability risk, this paper explores a distinct analysis perspective on the maintainability risk of open source software and proposes a quality model for the maintainability of open source supply chain software. The model measures nine software attributes, including team health, activity, dependency influence, test integrity, external dependency, and understandability, based on 16 metrics that reflect the maintainability of the open source software supply chain. Using data from the GitHub hosting platform and the npm sub-ecosystem (software information, dependencies, behavioral data generated during the development of each piece of software, and so on), the maintainability indicators of different projects at the same time, and of the same project across different time periods, are calculated and compared, confirming the rationality of the proposed method. With the model proposed here, the maintainability of the open source software supply chain can be evaluated effectively, thereby guiding software design and refactoring and the development of higher quality software systems.

Key words: open source software supply chain, risk evaluation, maintainability, evaluation models
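The abstract describes comparing maintainability indicators across projects and across time periods using dependency and contributor data from npm and GitHub. The following added example, which is not from the paper and does not reproduce its 16 metrics, shows how a few indicators in the spirit of the named attributes (team health via active contributors and bus factor, activity via commit counts, dependency influence via transitive fan-in, external dependency via direct dependency count) can be computed from a constructed dependency graph and constructed commit logs, and how the same package can be compared across two periods. The data, the metric definitions and the `at_risk` rule are all illustrative assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import date

# Constructed sample data (illustrative, not from the paper): an npm-style
# dependency graph and per-package commit logs as (author, date) pairs.
DEPENDENCIES = {
    "app-a": ["lib-core", "lib-util"],
    "app-b": ["lib-core"],
    "lib-util": ["lib-core"],
    "lib-core": [],
}
COMMITS = {
    "lib-core": [("alice", date(2022, 1, 5)), ("alice", date(2022, 2, 9)),
                 ("bob", date(2022, 3, 1)), ("alice", date(2022, 6, 30))],
    "lib-util": [("carol", date(2021, 11, 2))],
    "app-a": [("dave", date(2022, 4, 1)), ("erin", date(2022, 4, 2)),
              ("dave", date(2022, 5, 3))],
    "app-b": [("frank", date(2022, 5, 20))],
}
# Two constructed observation windows used for the period comparison.
PERIOD_H2_2021 = (date(2021, 7, 1), date(2021, 12, 31))
PERIOD_H1_2022 = (date(2022, 1, 1), date(2022, 6, 30))


def transitive_dependents(deps):
    """Dependency influence: for each package, the set of packages that depend
    on it directly or transitively (fan-in over the reversed graph)."""
    reverse = defaultdict(set)
    for pkg, reqs in deps.items():
        for r in reqs:
            reverse[r].add(pkg)
    result = {}
    for pkg in deps:
        seen, queue = set(), deque([pkg])
        while queue:
            cur = queue.popleft()
            for d in reverse[cur]:
                if d not in seen:
                    seen.add(d)
                    queue.append(d)
        result[pkg] = seen
    return result


def commits_in_window(commits, start, end):
    """Commits whose date falls inside the inclusive window."""
    return [(a, d) for a, d in commits if start <= d <= end]


def active_contributors(commits, start, end):
    """Team health: distinct authors with at least one commit in the window."""
    return len({a for a, _ in commits_in_window(commits, start, end)})


def bus_factor(commits, share=0.5):
    """Team health: smallest number of authors who together account for at
    least `share` of the commits (1 means one person carries the package)."""
    counts = Counter(a for a, _ in commits)
    total = sum(counts.values())
    running, n = 0, 0
    for _, c in counts.most_common():
        running += c
        n += 1
        if running >= share * total:
            return n
    return n  # 0 when there are no commits at all


def maintenance_report(pkg, start, end, deps=DEPENDENCIES, commits=COMMITS):
    """Indicators for one package in one period, plus an illustrative risk
    flag: a package many others depend on but that is carried by at most one
    active maintainer is the kind of single point of failure worth watching."""
    log = commits_in_window(commits.get(pkg, []), start, end)
    dependents = transitive_dependents(deps)[pkg]
    report = {
        "package": pkg,
        "period": (start.isoformat(), end.isoformat()),
        "activity": len(log),
        "active_contributors": active_contributors(log, start, end),
        "bus_factor": bus_factor(log),
        "dependents": len(dependents),
        "external_dependencies": len(deps.get(pkg, [])),
    }
    report["at_risk"] = report["bus_factor"] <= 1 and report["dependents"] >= 2
    return report


def compare_packages(pkgs, period):
    """Same period, different packages: most depended-upon, least resilient first."""
    reports = [maintenance_report(p, *period) for p in pkgs]
    return sorted(reports, key=lambda r: (-r["dependents"], r["bus_factor"]))


def compare_periods(pkg, periods):
    """Same package, different periods, in the order the periods are given."""
    return [maintenance_report(pkg, *p) for p in periods]


if __name__ == "__main__":
    for r in compare_packages(list(DEPENDENCIES), PERIOD_H1_2022):
        print(r)
    for r in compare_periods("lib-core", [PERIOD_H2_2021, PERIOD_H1_2022]):
        print(r)
```

In the constructed data, `lib-core` is the most influential package (three transitive dependents) and its commits in the first half of 2022 come almost entirely from one author, so it is flagged in that period; in the preceding half year it had no activity at all, which the period comparison makes visible. On real GitHub and npm data the same structure applies, with the metric definitions replaced by whichever ones the evaluation model prescribes.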
