Abstract:

The use of the software supply chain has been continuously interspersed throughout the software system development process. In recent years, security incidents related to the software supply chain have frequently occurred, and its security has become a global issue. Software maintainability, as one of the important attributes of software quality, reflects the difficulty of software maintenance activities. Although the trend of an open source software supply chain has gradually become popular in recent years, research into its maintainability remains extremely limited. Based on the above considerations and combined with a traditional research approach to software maintainability risk, this paper explores a unique analysis perspective regarding the maintainability risk of open source software and proposes a quality model of open source supply chain software maintainability. The model measures nine software attributes, including team health, activity, dependency influence, test integrity, external dependency, and understandability, based on 16 metrics for reflecting the maintainability of the open source software supply chain. At the same time, based on the GitHub hosting platform and npm sub-ecological data (this includes software information, dependencies, behavioral data generated during the development of each software, and so on), the maintainability indicators of different projects at the same time and within different time periods for the same project are compared and calculated, confirming the rationality of the proposed method. Using the model proposed herein, the quality maintainability of the open source software supply chain can be effectively evaluated, thereby guiding software design and reconstruction and the development of a higher quality software system.

Key words: open source software supply chain, risk evaluation, maintainability, evaluation models