CN112487366A - Method and device for determining software open source risk - Google Patents


Info

Publication number: CN112487366A
Application number: CN202011515718.6A
Authority: CN (China)
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN112487366B (en)
Inventors: 苏娜, 刘述, 于涛, 毛骏, 刘秋月
Current assignee: China Academy of Information and Communications Technology (CAICT)
Original assignee: China Academy of Information and Communications Technology (CAICT)

Classifications

    • G06F21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM])
    • G06F21/125 Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code (G06F21/10 > G06F21/12 Protecting executable software > G06F21/121 Restricting unauthorised execution of programs)
    • G06Q10/0635 Risk analysis of enterprise or organisation activities (G Physics > G06 Computing; calculating or counting > G06Q Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes > G06Q10/00 Administration; Management > G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling > G06Q10/063 Operations research, analysis or management)


Abstract

The application provides a method and a device for determining software open source risk. The method comprises the following steps: scanning the software source code library of the software to obtain code files; scanning the content of each code file and determining the open source software modules referenced by the code file; acquiring the open source software authorization protocol corresponding to each determined open source software module from a preset open source software authorization protocol library; counting the number of open source software modules corresponding to the designated open source software authorization protocols; and determining the risk of the open source software modules and the risk of the software according to the acquired open source software authorization protocols and the counted number of open source software modules. The method can accurately evaluate the risks of the software and of the open source software modules, and avoid unnecessary loss.

Description

Method and device for determining software open source risk
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for determining software open source risks.
Background
The reuse of modules in software development is a common means for improving development efficiency, and particularly, the popularity of current open source software further reduces the complexity of software development and accelerates the progress of software development.
However, the authorization protocols of open source software are very complex. Some open source authorization protocols require that a software product developed using the open source software be released under the same open source authorization protocol, that is, the developed source code must be disclosed so that the general public can access, download and use the software product. Other open source authorization protocols do not require the software product to be open source. Software product development therefore needs to examine the open source software modules it uses and determine which open source software is involved, in order to avoid failing to comply with the requirements of the open source authorization protocols.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for determining software open source risk, which can accurately evaluate the risk of the software and the risk of the open source software module, and avoid unnecessary loss.
In order to solve the technical problem, the technical scheme of the application is realized as follows:
in one embodiment, a software open source risk determination method is provided, the method comprising:
scanning a software source code library of the software to obtain a code file;
scanning the content of each code file, and determining an open source software module referenced by the code file;
acquiring an open source software authorization protocol corresponding to the determined open source software module based on a preset open source software authorization protocol library;
counting the number of open source software modules corresponding to the designated open source software authorization protocol;
and determining the risk of the open source software module and the risk of the software according to the acquired open source software authorization protocol and the counted number of the open source software modules.
In another embodiment, there is provided a software open source risk determination apparatus, the apparatus comprising: a scanning unit, a first acquisition unit, a first determination unit, a second acquisition unit, a counting unit and a second determination unit;
the scanning unit is used for scanning a software source code library of software and scanning the content of each code file acquired by the first acquiring unit;
the first acquisition unit is used for acquiring a code file when the scanning unit scans a software source code library of the software;
the first determining unit is used for determining the open source software module referenced by the code file when the scanning unit scans the content of each acquired code file;
the second obtaining unit is configured to obtain, based on a preset open-source software authorization protocol library, the open-source software authorization protocol corresponding to the open-source software module determined by the first determining unit;
the counting unit is used for counting the number of the open source software modules corresponding to the specified open source software authorization protocol acquired by the second acquiring unit;
the second determining unit is configured to determine the risk of the open-source software module and the risk of the software according to the open-source software authorization protocol acquired by the second acquiring unit and the number of open-source software modules counted by the counting unit.
In another embodiment, an electronic device is provided that includes a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the software open source risk determination method when executing the program.
In another embodiment, a computer readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the software open source risk determination method.
According to the technical scheme, the open-source software module related to the code file in the software is identified by scanning the software source code library of the software, and the risk of the software module and the risk of the software are determined by acquiring the open-source software authorization protocol corresponding to the determined open-source software module based on the preset open-source software authorization protocol library. The method and the system can accurately evaluate the risks of the software and the open source software module, and avoid unnecessary loss.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive labor.
Fig. 1 is a schematic diagram illustrating a process of determining a risk of software open source according to a first embodiment of the present application;
Fig. 2 is a schematic diagram illustrating a process of determining a risk of software open source in the second embodiment of the present application;
Fig. 3 is a schematic flow chart illustrating a software open source risk determination in the third embodiment of the present application;
Fig. 4 is a schematic diagram of an apparatus for implementing the above technique in an embodiment of the present application;
Fig. 5 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprising" and "having," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements explicitly listed, but may include other steps or elements not explicitly listed or inherent to such process, method, article, or apparatus.
The technical solution of the present invention will be described in detail with specific examples. Several of the following embodiments may be combined with each other and some details of the same or similar concepts or processes may not be repeated in some embodiments.
The embodiment of the application provides a software open source risk determination method which is applied to a software open source risk determination device. The method comprises the steps of scanning a software source code library of software, identifying an open source software module related to a code file in the software, and acquiring an open source software authorization protocol corresponding to a determined open source software module based on a preset open source software authorization protocol library to determine the risk of the software module and the risk of the software. The risk of the software and the open source software module can be accurately evaluated, and unnecessary loss is avoided.
The software open source risk determination process in the embodiment of the present application is described in detail below with reference to the accompanying drawings.
Example one
Referring to fig. 1, fig. 1 is a schematic diagram illustrating a software open source risk determination process in a first embodiment of the present application. The method comprises the following specific steps:
step 101, scanning a source code library of software to obtain a code file.
In a specific implementation, a directory or a link corresponding to the software to be determined needs to be specified.
Scanning a source code base of the software, namely scanning a directory corresponding to the software or a source code base corresponding to a link;
all code files are acquired during the scanning process.
Step 102, scanning the content of each code file, and determining the open source software module related to the code file.
When the content of each code file is scanned, the software module referenced by each code file can be determined;
whether the software module is an open source software module can be determined according to the name of the referenced software module.
Step 103, acquiring the open source software authorization protocol corresponding to the determined open source software module based on a preset open source software authorization protocol library.
The preset open source software authorization protocol library is a published or specified open source software authorization protocol library, and the mode for obtaining the preset open source software authorization protocol library is not limited in the embodiment of the application.
The preset open source software authorization protocol library comprises the association between the name of each open source software module and its open source software authorization protocol.
Step 104, counting the number of open source software modules corresponding to the designated open source software authorization protocol.
The designated open source software authorization protocols are the second version of the General Public License (GPLv2) protocol and the AGPL (Affero General Public License) protocol.
During specific implementation, the number M of the open source software modules corresponding to the GPLv2 protocol is counted, and the number N of the open source software modules corresponding to the AGPL protocol is counted.
Step 105, determining the risk of the open source software modules and the risk of the software according to the acquired open source software authorization protocols and the counted number of open source software modules.
When the designated open source software authorization protocols are the GPLv2 protocol and the AGPL protocol, determining the risk of the open source software modules and the risk of the software according to the acquired open source software authorization protocols and the counted number of open source software modules includes:
determining an open source software module related to the GPLv2 or AGPL protocol as a high risk module, and an open source software module related to neither the GPLv2 protocol nor the AGPL protocol as a low risk module;
if the sum M + N of the numbers of open source software modules related to the GPLv2 protocol and to the AGPL protocol is larger than a preset value, determining that the software is at high risk; otherwise, determining that it is at low risk.
The high-risk criteria are updated promptly whenever the open source software authorization protocols are updated.
In the embodiment of the present application, the specified open-source software authorization protocol is, for example, a GPLv2 protocol and an AGPL protocol, and during specific implementation or after the open-source software authorization protocol is updated, an implementer may set the specified open-source software protocol as needed, which is not limited in the embodiment of the present application.
In the embodiment of the present application, two risk levels, high risk and low risk, are taken as an example. In a specific implementation, several risk levels may be defined instead, in which case a correspondence between each risk level and the designated open source software authorization protocols, and a correspondence between the counted number of open source software modules and the defined risk levels, are configured.
In the embodiment of the application, the software source code library of the software is scanned, the open source software module related to the code file in the software is identified, and the open source software authorization protocol corresponding to the determined open source software module is obtained based on the preset open source software authorization protocol library to determine the risk of the software module and the risk of the software. The risk of the software and the open source software module can be accurately evaluated, and unnecessary loss is avoided.
Example two
Referring to fig. 2, fig. 2 is a schematic diagram of a software open source risk determination process in the second embodiment of the present application. The method comprises the following specific steps:
step 201, scanning a source code library of software to obtain a code file.
In a specific implementation, a directory or a link corresponding to the software to be determined needs to be specified.
Scanning a source code base of the software, namely scanning a directory corresponding to the software or a source code base corresponding to a link;
all code files are acquired during the scanning process.
Step 202, determining the computer language for developing the code file according to the suffix of the code file.
Step 203, scanning the content of the code file using the keywords corresponding to the determined computer language, and determining the software modules referenced by the code file.
If the determined computer language is C, the software modules referenced by the code file are determined using the keyword #include corresponding to C;
if the determined computer language is Python or Java, the software modules referenced by the code file are determined using the keyword import corresponding to Python and Java.
Step 204, determining whether the software module is an open source software module based on the open source software module library.
The open source software module library comprises the names of open source software modules.
In a specific implementation, some software modules are system software modules: they are not in the open source software module library, do not involve open source authorization, and are not of concern here.
In this embodiment, the open source software module library is used to determine whether a software module is an open source software module: when the name of the software module exists in the open source software module library, the software module is determined to be an open source software module; otherwise, the software module is determined not to be an open source software module.
For example, stdio, as referenced by #include <stdio.h> in the C language, is the system standard input/output library and is not an open source software module.
In java language, such as:
import org.openstack4j.api.OSClient.OSClientV3;
it can be seen that the OSClientV3 interface, version V3, of the api interface of the openstack4j software module is used here.
Assuming that the name openstack4j exists in the open source software module library, the openstack4j software module is determined to be an open source software module. If the version number of the open source software module can be acquired in a specific implementation, the version number is acquired as well; otherwise it is not.
Steps 202 to 204 are used to scan the content of each code file and determine the open source software module referenced by the code file.
In the embodiment of the application, the open-source software module library can be used for identifying the open-source software module during specific implementation, and the preset open-source software authorization protocol library can also be used for identifying the open-source software module.
Step 205, acquiring the open source software authorization protocol corresponding to the determined open source software module based on a preset open source software authorization protocol library.
The preset open source software authorization protocol library is a published or specified open source software authorization protocol library, and the mode for obtaining the preset open source software authorization protocol library is not limited in the embodiment of the application.
The preset open source software authorization protocol library comprises the association between the name of each open source software module and its open source software authorization protocol.
In a specific implementation, if the version number of the open source software module has been acquired, the open source software authorization protocol corresponding to that version of the determined open source software module is acquired from the preset open source software authorization protocol library.
If the version number of the open source software module has not been acquired, the open source software authorization protocol corresponding to the determined open source software module is acquired from the preset open source software authorization protocol library.
If the open source software module corresponds to several versions in the preset open source software authorization protocol library, the open source authorization protocols corresponding to all of those versions are acquired.
Step 206, counting the number of open source software modules corresponding to the designated open source software authorization protocol.
The open source software authorization protocols specified are the GPLv2 protocol and the AGPL protocol.
During specific implementation, the number M of the open source software modules corresponding to the GPLv2 protocol is counted, and the number N of the open source software modules corresponding to the AGPL protocol is counted.
Step 207, determining the risk of the open source software modules and the risk of the software according to the acquired open source software authorization protocols and the counted number of open source software modules.
When the designated open source software authorization protocols are the GPLv2 protocol and the AGPL protocol, determining the risk of the open source software modules and the risk of the software according to the acquired open source software authorization protocols and the counted number of open source software modules includes:
determining an open source software module related to the GPLv2 or AGPL protocol as a high risk module, and an open source software module related to neither the GPLv2 protocol nor the AGPL protocol as a low risk module;
if the sum M + N of the numbers of open source software modules related to the GPLv2 protocol and to the AGPL protocol is larger than a preset value, determining that the software is at high risk; otherwise, determining that it is at low risk.
The high-risk criteria are updated promptly whenever the open source software authorization protocols are updated.
In the embodiment of the present application, the specified open-source software authorization protocol is, for example, a GPLv2 protocol and an AGPL protocol, and during specific implementation or after the open-source software authorization protocol is updated, an implementer may set the specified open-source software protocol as needed, which is not limited in the embodiment of the present application.
In the embodiment of the present application, two risk levels, high risk and low risk, are taken as an example. In a specific implementation, several risk levels may be defined instead, in which case a correspondence between each risk level and the designated open source software authorization protocols, and a correspondence between the counted number of open source software modules and the defined risk levels, are configured.
In the embodiment of the application, the risk of the software module and the risk of the software are determined by scanning a software source code library of the software, determining an open source software module quoted by the code file based on the computer language and the open source software module library, and acquiring an open source software authorization protocol corresponding to the determined open source software module based on a preset open source software authorization protocol library. The risk of the software and the open source software module can be accurately evaluated, and unnecessary loss is avoided.
Example three
Referring to fig. 3, fig. 3 is a schematic diagram of a software open source risk determination process in the third embodiment of the present application. The method comprises the following specific steps:
step 301, scanning a source code library of the software to obtain a code file.
In a specific implementation, a directory or a link corresponding to the software to be determined needs to be specified.
Scanning a source code base of the software, namely scanning a directory corresponding to the software or a source code base corresponding to a link;
all code files are acquired during the scanning process.
Step 302, scanning the content of each code file, and determining the open source software module related to the code file.
When the content of each code file is scanned, the software module referenced by each code file can be determined;
whether the software module is an open source software module can be determined according to the name of the referenced software module.
Step 303, acquiring the open source software authorization protocol corresponding to the determined open source software module based on a preset open source software authorization protocol library.
The preset open source software authorization protocol library is a published or specified open source software authorization protocol library, and the mode for obtaining the preset open source software authorization protocol library is not limited in the embodiment of the application.
The preset open source software authorization protocol library comprises the association between the name of each open source software module and its open source software authorization protocol.
Step 304, counting the number of open source software modules corresponding to the designated open source software authorization protocol.
The open source software authorization protocols specified are the GPLv2 protocol and the AGPL protocol.
During specific implementation, the number M of the open source software modules corresponding to the GPLv2 protocol is counted, and the number N of the open source software modules corresponding to the AGPL protocol is counted.
Step 305, determining the risk of the open source software modules and the risk of the software according to the acquired open source software authorization protocols and the counted number of open source software modules.
When the designated open source software authorization protocols are the GPLv2 protocol and the AGPL protocol, determining the risk of the open source software modules and the risk of the software according to the acquired open source software authorization protocols and the counted number of open source software modules includes:
determining an open source software module related to the GPLv2 or AGPL protocol as a high risk module, and an open source software module related to neither the GPLv2 protocol nor the AGPL protocol as a low risk module;
if the sum M + N of the numbers of open source software modules related to the GPLv2 protocol and to the AGPL protocol is larger than a preset value, determining that the software is at high risk; otherwise, determining that it is at low risk.
The high-risk criteria are updated promptly whenever the open source software authorization protocols are updated.
In the embodiment of the present application, the specified open-source software authorization protocol is, for example, a GPLv2 protocol and an AGPL protocol, and during specific implementation or after the open-source software authorization protocol is updated, an implementer may set the specified open-source software protocol as needed, which is not limited in the embodiment of the present application.
In the embodiment of the present application, two risk levels, high risk and low risk, are taken as an example. In a specific implementation, several risk levels may be defined instead, in which case a correspondence between each risk level and the designated open source software authorization protocols, and a correspondence between the counted number of open source software modules and the defined risk levels, are configured.
Step 306, outputting the risk of the software and the association between each open source software module and its risk.
The risk is output and displayed in a designated manner; in particular, listing the high-risk open source software modules and the software related to them can remind the software developer to pay attention, take precautions and, when necessary, avoid those modules.
In the embodiment of the application, the software source code library of the software is scanned, the open source software module related to the code file in the software is identified, and the open source software authorization protocol corresponding to the determined open source software module is obtained based on the preset open source software authorization protocol library to determine the risk of the software module and the risk of the software. The risk of the software and the open source software module can be accurately evaluated, and unnecessary loss is avoided.
The risks addressed in the embodiment of the application are mainly the business risks brought by referenced open source software, not the vulnerability security risks of the software. If these risks are evaluated correctly, the software code can be rewritten in time to avoid business losses, which is of great significance for selling software products: violating an open source software authorization agreement may lead to litigation and compensation, and thus to economic and reputational losses.
Based on the same inventive concept, the embodiment of the application also provides a software open source risk determination device. Referring to fig. 4, fig. 4 is a schematic structural diagram of an apparatus applied to the above technology in the embodiment of the present application. The device comprises: a scanning unit 401, a first acquiring unit 402, a first determining unit 403, a second acquiring unit 404, a counting unit 405, and a second determining unit 406;
a scanning unit 401, configured to scan a software source code library of software, and scan the content of each code file acquired by the first acquiring unit 402;
a first obtaining unit 402, which obtains a code file when the scanning unit 401 scans a software source code library of the software;
a first determining unit 403, configured to determine, when the scanning unit 401 scans the content of each acquired code file, an open-source software module referred to by the code file;
a second obtaining unit 404, configured to obtain, based on a preset open-source software authorization protocol library, an open-source software authorization protocol corresponding to the open-source software module determined by the first determining unit 403;
a counting unit 405, configured to count the number of open source software modules corresponding to the specified open source software authorization protocol acquired in the second acquiring unit 404;
a second determining unit 406, configured to determine the risk of the open-source software module and the risk of the software according to the open-source software authorization protocol acquired by the second acquiring unit 404 and the number of open-source software modules counted by the counting unit 405.
Preferably,
a first determining unit 403, specifically configured to determine, according to a suffix of a code file, a computer language for developing the code file; scanning the content of the code file by using the keywords corresponding to the determined computer language, and determining a software module referred by the code file; and determining the software module as the open source software module based on the open source software module library.
Preferably,
a first determining unit 403, further configured to obtain a version number of the open source software module when determining the open source software module related to the code file;
the second obtaining unit 404 is specifically configured to, if the first determining unit 403 obtains the version number of the open-source software module, obtain, based on a preset open-source software authorization protocol library, an open-source software authorization protocol corresponding to the determined version of the open-source software module.
Preferably,
a second determining unit 406, specifically configured to determine that an open source software module related to the GPLv2 protocol or the AGPL protocol is a high risk module, and that an open source software module not related to the second version of the general public license (GPLv2) protocol or the enhanced version of the general public license (AGPL) protocol is a low risk module; if the sum of the number of open source software modules related to the GPLv2 protocol and the AGPL protocol is larger than a preset value, determining that the software is at high risk; otherwise, determining that the software is at low risk; wherein the specified open source software authorization protocols comprise the GPLv2 protocol and the AGPL protocol.
Preferably, the apparatus further comprises: an output unit;
and the output unit is used for outputting the risks of the software determined by the second determination unit and the incidence relation between the open source software module and the risks.
The units of the above embodiments may be integrated into one body, or may be separately deployed; may be combined into one unit or further divided into a plurality of sub-units.
In another embodiment, an electronic device is further provided, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the processor implements the steps of the software open source risk determination method when executing the program.
In another embodiment, a computer readable storage medium is also provided, having stored thereon computer instructions, which when executed by a processor, may implement the steps in the software open source risk determination method.
Fig. 5 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 5, the electronic device may include: a Processor (Processor)510, a communication Interface (Communications Interface)520, a Memory (Memory)530 and a communication bus 540, wherein the Processor 510, the communication Interface 520 and the Memory 530 communicate with each other via the communication bus 540. Processor 510 may call logic instructions in memory 530 to perform the following method:
scanning a software source code library of the software to obtain a code file;
scanning the content of each code file, and determining an open source software module referenced by the code file;
acquiring an open source software authorization protocol corresponding to the determined open source software module based on a preset open source software authorization protocol library;
counting the number of open source software modules corresponding to the appointed open source software authorization protocol;
and determining the risk of the open source software module and the risk of the software according to the acquired open source software authorization protocol and the counted number of the open source software modules.
Furthermore, the logic instructions in the memory 530 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for determining software open source risk, the method comprising:
scanning a software source code library of the software to obtain a code file;
scanning the content of each code file, and determining an open source software module referenced by the code file;
acquiring an open source software authorization protocol corresponding to the determined open source software module based on a preset open source software authorization protocol library;
counting the number of open source software modules corresponding to the appointed open source software authorization protocol;
and determining the risk of the open source software module and the risk of the software according to the acquired open source software authorization protocol and the counted number of the open source software modules.
2. The method of claim 1, wherein scanning the contents of each code file to determine the open source software module referenced by the code file comprises:
determining a computer language for developing the code file according to a suffix of the code file;
scanning the content of the code file by using the keywords corresponding to the determined computer language, and determining a software module referred by the code file;
and determining whether the software module referenced by the code file is the open source software module based on the open source software module library.
3. The method of claim 2, wherein when determining the open source software module to which the code file relates, the method further comprises:
if the version number of the open source software module is obtained, the obtaining of the open source software authorization protocol corresponding to the determined open source software module based on the preset open source software authorization protocol library includes:
and acquiring the open source software authorization protocol corresponding to the version of the determined open source software module based on a preset open source software authorization protocol library.
4. The method of any of claims 1-3, wherein the specified open source software authorization protocol comprises: a second version of the general public license GPLv2 protocol and an enhanced version of the general public license AGPL protocol;
the determining the risk of the software module according to the acquired open source software authorization protocol and the counted number of the software modules and the risk of the software comprise the following steps:
determining an open source software module which relates to a GPLv2 protocol or an AGPL protocol as a high risk module, and determining an open source software module which does not relate to a GPLv2 protocol or an AGPL protocol as a low risk module;
if the sum of the number of open source software modules related to the GPLv2 protocol and the AGPL protocol is larger than a preset value, determining that the software is at high risk; otherwise, low risk is determined.
5. The method of claim 4, further comprising:
and outputting the risks of the software and the incidence relation between the open source software module and the risks.
6. A software open source risk determination apparatus, the apparatus comprising: the device comprises a scanning unit, a first acquisition unit, a first determination unit, a second acquisition unit, a statistic unit and a second determination unit;
the scanning unit is used for scanning a software source code library of software and scanning the content of each code file acquired by the first acquiring unit;
the first acquisition unit is used for acquiring a code file when the scanning unit scans a software source code library of the software;
the first determining unit is used for determining the open source software module referred by the code file when the scanning unit scans the content of each acquired code file;
the second obtaining unit is configured to obtain, based on a preset open-source software authorization protocol library, the open-source software authorization protocol corresponding to the open-source software module determined by the first determining unit;
the counting unit is used for counting the number of the open source software modules corresponding to the specified open source software authorization protocol acquired by the second acquiring unit;
the second determining unit is configured to determine the risk of the open-source software module and the risk of the software according to the open-source software authorization protocol acquired by the second acquiring unit and the number of open-source software modules counted by the counting unit.
7. The apparatus of claim 6,
the first determining unit is specifically used for determining a computer language for developing the code file according to a suffix of the code file; scanning the content of the code file by using the keywords corresponding to the determined computer language, and determining a software module referred by the code file; and determining the software module as the open source software module based on the open source software module library.
8. The apparatus of claim 6,
the first determining unit is further configured to obtain a version number of the open source software module when determining the open source software module related to the code file;
the second obtaining unit is specifically configured to, if the first determining unit obtains the version number of the open source software module, obtain, based on a preset open source software authorization protocol library, an open source software authorization protocol corresponding to the determined version of the open source software module.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1-5 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out the method of any one of claims 1 to 5.
CN202011515718.6A 2020-12-21 2020-12-21 Method and device for determining software open source risk Active CN112487366B (en)
Publications (2)

Publication Number Publication Date
CN112487366A true CN112487366A (en) 2021-03-12
CN112487366B CN112487366B (en) 2024-03-12