CN112487366B - Method and device for determining software open source risk - Google Patents


Info

Publication number
CN112487366B
Authority
CN (China)
Legal status
Active
Application number
CN202011515718.6A
Other languages
Chinese (zh)
Other versions
CN112487366A (en)
Inventors
苏娜, 刘述, 于涛, 毛骏, 刘秋月
Current assignee
China Academy of Information and Communications Technology CAICT
Original assignee
China Academy of Information and Communications Technology CAICT
Events
Application filed by China Academy of Information and Communications Technology CAICT
Priority to CN202011515718.6A
Publication of CN112487366A
Application granted
Publication of CN112487366B

Classifications

    • G06F21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level
      (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM])
    • G06F21/125 Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
      (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] > G06F21/12 Protecting executable software > G06F21/121 Restricting unauthorised execution of programs)
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
      (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR > G06Q10/00 Administration; Management > G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling > G06Q10/063 Operations research, analysis or management)


Abstract

The application provides a method and a device for determining the open source risk of software. The method comprises the following steps: scanning the source code library of the software to obtain code files; scanning the content of each code file and determining the open source software modules referenced by that file; obtaining the open source software authorization protocol corresponding to each determined open source software module from a preset open source software authorization protocol library; counting the number of open source software modules corresponding to the designated open source software authorization protocols; and determining the risk of each open source software module and the risk of the software according to the obtained open source software authorization protocols and the counted number of open source software modules. The method can accurately assess the risk of the software and of its open source software modules, and avoid unnecessary loss.

Description

Method and device for determining software open source risk
Technical Field
The present invention relates to the field of computer technology, and in particular to a method and an apparatus for determining the open source risk of software.
Background
Reusing modules is a common means of improving efficiency in software development, especially given the current popularity of open source software; it reduces the complexity of software development and speeds up progress.
However, the authorization protocols of open source software are very complex. Some open source authorization protocols require that a software product which uses the open source software be released under the same open source authorization, i.e. the developed source code must be disclosed so that the public can access, download and use it. Other open source authorization protocols do not require the software product to be open source. Software product development therefore needs to examine the open source software modules used and determine which open source authorization protocols they involve, in order to avoid failing to comply with the requirements of those protocols.
Disclosure of Invention
In view of the above, the present application provides a method and an apparatus for determining the open source risk of software, which can accurately assess the risk of the software and of its open source software modules, and avoid unnecessary loss.
To solve the above technical problem, the technical scheme of the application is realized as follows:
In one embodiment, a method for determining the open source risk of software is provided, the method comprising:
scanning a software source code library of the software to obtain code files;
scanning the content of each code file and determining the open source software modules referenced by the code file;
obtaining the open source software authorization protocol corresponding to each determined open source software module from a preset open source software authorization protocol library;
counting the number of open source software modules corresponding to the designated open source software authorization protocols;
and determining the risk of each open source software module and the risk of the software according to the obtained open source software authorization protocols and the counted number of open source software modules.
In another embodiment, a software open source risk determination apparatus is provided, the apparatus comprising a scanning unit, a first acquisition unit, a first determination unit, a second acquisition unit, a statistics unit and a second determination unit;
the scanning unit is configured to scan a software source code library of the software and to scan the content of each code file acquired by the first acquisition unit;
the first acquisition unit acquires the code files while the scanning unit scans the software source code library;
the first determination unit is configured to determine the open source software modules referenced by each code file while the scanning unit scans the content of each acquired code file;
the second acquisition unit is configured to obtain, from a preset open source software authorization protocol library, the open source software authorization protocol corresponding to each open source software module determined by the first determination unit;
the statistics unit is configured to count the number of open source software modules corresponding to the designated open source software authorization protocols among those obtained by the second acquisition unit;
the second determination unit is configured to determine the risk of each open source software module and the risk of the software according to the open source software authorization protocols obtained by the second acquisition unit and the number of open source software modules counted by the statistics unit.
In another embodiment, an electronic device is provided that includes a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the software open source risk determination method when executing the program.
In another embodiment, a computer readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the steps of the software open source risk determination method.
As can be seen from the above technical solutions, in these embodiments the open source software modules referenced by the code files are identified by scanning the software source code library, and the open source software authorization protocol corresponding to each identified module is obtained from a preset open source software authorization protocol library, so as to determine the risk of each module and the risk of the software. The scheme can accurately assess the risk of the software and of its open source software modules, and avoid unnecessary loss.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings show only some embodiments of the present application; a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of a software open source risk determination process in a first embodiment of the present application;
Fig. 2 is a schematic diagram of a software open source risk determination process in a second embodiment of the present application;
Fig. 3 is a schematic diagram of a software open source risk determination process in a third embodiment of the present application;
Fig. 4 is a schematic diagram of an apparatus applying the above technology in an embodiment of the present application;
Fig. 5 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented, for example, in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The technical scheme of the invention is described in detail below through specific examples. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be repeated in every embodiment.
The embodiment of the application provides a method for determining the open source risk of software, applied to a device for determining that risk. The method scans the source code library of the software, identifies the open source software modules referenced by its code files, and obtains the open source software authorization protocol corresponding to each identified module from a preset open source software authorization protocol library, so as to determine the risk of each module and the risk of the software. The risk of the software and of its open source software modules can thus be accurately assessed, and unnecessary losses avoided.
The following describes the software open source risk determination process in the embodiment of the present application in detail with reference to the accompanying drawings.
Example 1
Referring to fig. 1, fig. 1 is a schematic diagram of a software open source risk determination process in a first embodiment of the present application. The method comprises the following specific steps:
and step 101, scanning a source code library of the software to obtain a code file.
In a specific implementation, it is necessary to specify a directory or link to which the software to be determined corresponds.
Scanning a source code library of the software, namely scanning a catalog or a source code library corresponding to a link corresponding to the software;
all code files are acquired during the scanning process.
Step 102: scan the content of each code file to determine the open source software modules referenced by the code file.
As the content of each code file is scanned, the software modules referenced by that file can be determined;
whether a referenced software module is an open source software module can be determined from its name.
Step 103: obtain the open source software authorization protocol corresponding to each determined open source software module from a preset open source software authorization protocol library.
The preset open source software authorization protocol library may be built from a public or designated open source software authorization protocol library; the manner of obtaining it is not limited.
The preset open source software authorization protocol library contains the association between the name of an open source software module and its open source software authorization protocol.
Step 104: count the number of open source software modules corresponding to the designated open source software authorization protocols.
The designated open source software authorization protocols are the GNU General Public License version 2 (GPLv2) and the GNU Affero General Public License (AGPL).
In a specific implementation, the number M of open source software modules under the GPLv2 protocol and the number N of open source software modules under the AGPL protocol are counted.
Step 105: determine the risk of each open source software module and the risk of the software according to the obtained open source software authorization protocols and the counted number of open source software modules.
When the designated open source software authorization protocols are GPLv2 and AGPL, determining the risk of the open source software modules and the risk of the software according to the obtained authorization protocols and the counted number of modules comprises:
determining that an open source software module under the GPLv2 or AGPL protocol is a high-risk module, and that an open source software module under neither the GPLv2 protocol nor the AGPL protocol is a low-risk module;
if the counted sum of the numbers of open source software modules under the GPLv2 protocol and the AGPL protocol is larger than a preset value, determining that the software is high risk; otherwise, determining that it is low risk.
The high-risk criterion is updated promptly as the open source software authorization protocols are updated.
In this embodiment the designated open source software authorization protocols are exemplified by GPLv2 and AGPL; in a specific implementation, or after an open source software authorization protocol is updated, the implementer may set the designated protocols as needed, which this embodiment does not limit.
This embodiment takes two risk levels, high and low, as an example; in a specific implementation several risk levels may be defined, with a configured correspondence between the risk levels and the designated open source software authorization protocols, and between the counted number of open source software modules and the defined risk levels.
In this embodiment, the open source software modules referenced by the code files are identified by scanning the software source code library, and the risk of each module and the risk of the software are determined by obtaining the corresponding open source software authorization protocol from the preset open source software authorization protocol library. The risk of the software and of its open source software modules can thus be accurately assessed, and unnecessary losses avoided.
Example two
Referring to fig. 2, fig. 2 is a schematic diagram of a software open source risk determination process in a second embodiment of the present application. The method comprises the following specific steps:
Step 201: scan the source code library of the software to obtain the code files.
In a specific implementation, the directory or link corresponding to the software to be assessed must be specified.
Scanning the source code library of the software means scanning the directory, or the source code library behind the link, that corresponds to the software;
all code files are collected during the scan.
Step 202: determine the computer language in which the code file was developed from the suffix of the code file.
Step 203: scan the content of the code file using the keywords corresponding to the determined computer language, and determine the software modules referenced by the code file.
If the determined computer language is C, the software modules referenced by the code file are determined using the C keyword #include;
if the determined computer language is Python or Java, the software modules referenced by the code file are determined using the import keyword of Python and Java.
Step 204: determine which of the referenced software modules are open source software modules, based on an open source software module library.
The open source software module library contains the names of open source software modules;
in a specific implementation, some software modules are system software modules that are not included in the open source software module library and are not of interest.
In this embodiment the open source software module library is used to determine whether a software module is an open source software module: when the name of the software module exists in the open source software module library, the software module is determined to be an open source software module; otherwise, it is determined not to be one.
For example, stdio, referenced by #include <stdio.h> in C, is the system standard input/output library and is not an open source software module.
In Java, for example:
import org.openstack4j.api.OSClient.OSClientV3;
shows that the OSClientV3 interface, version V3, of the api interface of the openstack4j software module is used here.
Assuming that the name openstack4j exists in the open source software module library, the openstack4j software module is determined to be an open source software module; if the version number of the open source software module can be obtained in a specific implementation, the version number is obtained as well; if not, it is left unobtained.
Steps 202 to 204 together scan the content of each code file and determine the open source software modules referenced by it.
In this embodiment the open source software modules are identified using an open source software module library; in a specific implementation they may also be identified using the preset open source software authorization protocol library.
Step 205: obtain the open source software authorization protocol corresponding to each determined open source software module from a preset open source software authorization protocol library.
The preset open source software authorization protocol library may be built from a public or designated open source software authorization protocol library; the manner of obtaining it is not limited.
The preset open source software authorization protocol library contains the association between the name of an open source software module and its open source software authorization protocol.
In a specific implementation, if the version number of the open source software module was obtained, the open source software authorization protocol corresponding to that version of the module is obtained from the preset open source software authorization protocol library.
If the version number of the open source software module was not obtained, the open source software authorization protocol corresponding to the module itself is obtained from the preset open source software authorization protocol library;
and if the open source software module has several versions in the preset open source software authorization protocol library, the open source authorization protocols of all those versions are obtained.
Step 206: count the number of open source software modules corresponding to the designated open source software authorization protocols.
The designated open source software authorization protocols are the GPLv2 protocol and the AGPL protocol.
In a specific implementation, the number M of open source software modules under the GPLv2 protocol and the number N of open source software modules under the AGPL protocol are counted.
Step 207: determine the risk of each open source software module and the risk of the software according to the obtained open source software authorization protocols and the counted number of open source software modules.
When the designated open source software authorization protocols are GPLv2 and AGPL, determining the risk of the open source software modules and the risk of the software according to the obtained authorization protocols and the counted number of modules comprises:
determining that an open source software module under the GPLv2 or AGPL protocol is a high-risk module, and that an open source software module under neither the GPLv2 protocol nor the AGPL protocol is a low-risk module;
if the counted sum of the numbers of open source software modules under the GPLv2 protocol and the AGPL protocol is larger than a preset value, determining that the software is high risk; otherwise, determining that it is low risk.
The high-risk criterion is updated promptly as the open source software authorization protocols are updated.
In this embodiment the designated open source software authorization protocols are exemplified by GPLv2 and AGPL; in a specific implementation, or after an open source software authorization protocol is updated, the implementer may set the designated protocols as needed, which this embodiment does not limit.
This embodiment takes two risk levels, high and low, as an example; in a specific implementation several risk levels may be defined, with a configured correspondence between the risk levels and the designated open source software authorization protocols, and between the counted number of open source software modules and the defined risk levels.
In this embodiment, the software source code library is scanned, the computer language of each code file is determined, the open source software modules referenced by the code file are determined from that language and the open source software module library, and the risk of each module and the risk of the software are determined by obtaining the corresponding open source software authorization protocol from the preset open source software authorization protocol library. The risk of the software and of its open source software modules can thus be accurately assessed, and unnecessary losses avoided.
Example III
Referring to fig. 3, fig. 3 is a schematic diagram of a software open source risk determination process in a third embodiment of the present application. The method comprises the following specific steps:
Step 301: scan the source code library of the software to obtain the code files.
In a specific implementation, the directory or link corresponding to the software to be assessed must be specified.
Scanning the source code library of the software means scanning the directory, or the source code library behind the link, that corresponds to the software;
all code files are collected during the scan.
Step 302: scan the content of each code file to determine the open source software modules referenced by the code file.
As the content of each code file is scanned, the software modules referenced by that file can be determined;
whether a referenced software module is an open source software module can be determined from its name.
Step 303: obtain the open source software authorization protocol corresponding to each determined open source software module from a preset open source software authorization protocol library.
The preset open source software authorization protocol library may be built from a public or designated open source software authorization protocol library; the manner of obtaining it is not limited.
The preset open source software authorization protocol library contains the association between the name of an open source software module and its open source software authorization protocol.
Step 304: count the number of open source software modules corresponding to the designated open source software authorization protocols.
The designated open source software authorization protocols are the GPLv2 protocol and the AGPL protocol.
In a specific implementation, the number M of open source software modules under the GPLv2 protocol and the number N of open source software modules under the AGPL protocol are counted.
Step 305: determine the risk of each open source software module and the risk of the software according to the obtained open source software authorization protocols and the counted number of open source software modules.
When the designated open source software authorization protocols are GPLv2 and AGPL, determining the risk of the open source software modules and the risk of the software according to the obtained authorization protocols and the counted number of modules comprises:
determining that an open source software module under the GPLv2 or AGPL protocol is a high-risk module, and that an open source software module under neither the GPLv2 protocol nor the AGPL protocol is a low-risk module;
if the counted sum of the numbers of open source software modules under the GPLv2 protocol and the AGPL protocol is larger than a preset value, determining that the software is high risk; otherwise, determining that it is low risk.
The high-risk criterion is updated promptly as the open source software authorization protocols are updated.
In this embodiment the designated open source software authorization protocols are exemplified by GPLv2 and AGPL; in a specific implementation, or after an open source software authorization protocol is updated, the implementer may set the designated protocols as needed, which this embodiment does not limit.
This embodiment takes two risk levels, high and low, as an example; in a specific implementation several risk levels may be defined, with a configured correspondence between the risk levels and the designated open source software authorization protocols, and between the counted number of open source software modules and the defined risk levels.
Step 306: outputting the risk of the software and the association between the open source software modules and the risk.
The risks are output and displayed in a specified manner, in particular the high-risk open source software modules involved and the high-risk open source software concerned, so that software developers are reminded to take precautions and, where necessary, avoid the risk.
In the embodiment of the application, the open source software module related to the code file in the software is identified by scanning the software source code library of the software, and the risk of the software module and the risk of the software are determined by acquiring the open source software authorization protocol corresponding to the determined open source software module based on the preset open source software authorization protocol library. The risk of the software and the open source software module can be accurately estimated, and unnecessary losses are avoided.
The risks addressed in the embodiment of the application are mainly the commercial risks introduced by referenced open source software, not the security (vulnerability) risks of the software. If these risks are estimated correctly, the software code can be rewritten to avoid commercial losses, which is of considerable significance for bringing software products to market, and violations of open source authorization agreements, which may lead to litigation, compensation claims and consequent economic and reputational losses, can be avoided.
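The procedure described in this embodiment (language from file suffix, keyword scan for referenced modules, lookup in a module library, version-aware lookup in a license library, counting of modules under the designated protocols, and the two-level risk decision against a preset threshold) can be put into one small scanner. The following Python is an added example, not code from the patent or its applicant: the suffix table, keyword patterns, module library, license library, sample repository and the `name==version` manifest used as the source of version numbers are all constructed for illustration.

```python
"""Open source license-risk scan following the steps of the embodiment.
Added example, not code from the patent; every table and sample below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Suffix -> language (the text derives the language from the file suffix).
LANGUAGE_BY_SUFFIX = {".py": "python", ".java": "java", ".c": "c", ".h": "c"}

# Per-language keywords that introduce a referenced module (constructed patterns).
IMPORT_PATTERNS = {
    "python": [re.compile(r"^\s*import\s+(\w+)"), re.compile(r"^\s*from\s+(\w+)\s+import\b")],
    "java": [re.compile(r"^\s*import\s+(\w+(?:\.\w+)*)\s*;")],
    "c": [re.compile(r'^\s*#\s*include\s*[<"]([\w./]+)[>"]')],
}

# "Open source software module library": referenced name -> project (constructed).
OSS_MODULE_LIBRARY = {"libfoo": "libfoo", "barnet": "barnet", "org.example.qux": "qux", "zog.h": "zog"}

# "Open source software authorization protocol library", keyed by (project, version);
# version None is the project's default entry, used when no version number was obtained.
LICENSE_LIBRARY = {
    ("libfoo", None): "GPLv2",
    ("libfoo", "3.0"): "Apache-2.0",  # constructed: relicensed in 3.0, so the version matters
    ("barnet", None): "AGPL",
    ("qux", None): "MIT",
    ("zog", None): "GPLv2",
}

# The "designated" protocols of the text: GPLv2 and AGPL mark a module as high risk.
HIGH_RISK_LICENSES = {"GPLv2", "AGPL"}

# Constructed sample repository: path -> file content.
SAMPLE_REPO = {
    "app/main.py": "import libfoo\nfrom barnet import client\nimport os\n",
    "app/Util.java": "import org.example.qux.Util;\nimport java.util.List;\n",
    "native/shim.c": '#include <zog.h>\n#include "local.h"\n',
    "requirements.txt": "libfoo==3.0\nbarnet==1.2\n",
    "README.md": "not code\n",
}


@dataclass
class Report:
    module_license: dict[str, str]  # project -> license found in the library
    module_risk: dict[str, str]     # project -> "high" / "low"
    high_risk_count: int
    software_risk: str


def detect_language(path: str) -> str | None:
    """Infer the implementation language from the file suffix."""
    return next((lang for suf, lang in LANGUAGE_BY_SUFFIX.items() if path.endswith(suf)), None)


def referenced_modules(path: str, content: str) -> set[str]:
    """Scan file content with the language's keywords and collect referenced names."""
    lang = detect_language(path)
    if lang is None:
        return set()
    return {m.group(1) for line in content.splitlines()
            for pat in IMPORT_PATTERNS[lang] if (m := pat.match(line))}


def canonical_project(module: str) -> str | None:
    """Match a referenced name against the module library, trying dotted prefixes
    (org.example.qux.Util -> org.example.qux). Unmatched names are not open source modules."""
    parts = module.split(".")
    while parts:
        project = OSS_MODULE_LIBRARY.get(".".join(parts))
        if project is not None:
            return project
        parts.pop()
    return None


def parse_versions(manifest: str) -> dict[str, str]:
    """Constructed manifest format: one `name==version` per line."""
    return {n.strip(): v.strip() for n, sep, v in
            (line.partition("==") for line in manifest.splitlines()) if sep}


def lookup_license(project: str, version: str | None) -> str | None:
    """Version-specific entry first, then the project's default entry."""
    if version is not None and (project, version) in LICENSE_LIBRARY:
        return LICENSE_LIBRARY[(project, version)]
    return LICENSE_LIBRARY.get((project, None))


def assess(repo: dict[str, str], threshold: int) -> Report:
    """Run the whole procedure: identify modules, look up licenses, count, decide."""
    versions = parse_versions(repo.get("requirements.txt", ""))
    projects = {p for path, text in repo.items()
                for mod in referenced_modules(path, text) if (p := canonical_project(mod))}
    module_license, module_risk = {}, {}
    for project in sorted(projects):
        lic = lookup_license(project, versions.get(project))
        module_license[project] = lic or "unknown"
        # The text's rule: high if under a designated protocol, otherwise low. A module whose
        # license is missing from the library therefore lands in "low"; the "unknown" entries
        # should be surfaced for manual review rather than trusted.
        module_risk[project] = "high" if lic in HIGH_RISK_LICENSES else "low"
    high = sum(r == "high" for r in module_risk.values())
    return Report(module_license, module_risk, high, "high" if high > threshold else "low")


if __name__ == "__main__":
    report = assess(SAMPLE_REPO, threshold=1)
    for project, risk in report.module_risk.items():
        print(f"{project:8} {report.module_license[project]:12} {risk}")
    print(f"high-risk modules: {report.high_risk_count} -> software risk: {report.software_risk}")
```

On the constructed sample, `barnet` (AGPL) and `zog` (GPLv2) are high-risk modules, `qux` (MIT) is low, and `libfoo` is low only because the manifest pins version 3.0, whose entry differs from the project default; with the manifest removed it falls back to GPLv2 and the high-risk count rises from two to three, which is the point of the version-specific lookup. The threshold comparison is strict, as in the text (count larger than the preset value means high risk).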
Based on the same inventive concept, the embodiment of the application also provides a software open source risk determining device. Referring to fig. 4, fig. 4 is a schematic structural diagram of an apparatus to which the above technology is applied in the embodiment of the present application. The device comprises: a scanning unit 401, a first acquisition unit 402, a first determination unit 403, a second acquisition unit 404, a statistics unit 405, and a second determination unit 406;
a scanning unit 401, configured to scan a software source code library of software, and scan the content of each code file acquired by the first acquiring unit 402;
a first acquisition unit 402, configured to acquire a code file when the scanning unit 401 scans the software source code library of the software;
a first determining unit 403, configured to determine, when the scanning unit 401 scans the content of each acquired code file, an open source software module referenced by the code file;
a second obtaining unit 404, configured to obtain, based on a preset open source software authorization protocol library, an open source software authorization protocol corresponding to the open source software module determined by the first determining unit 403;
a statistics unit 405, configured to count the number of open source software modules corresponding to the specified open source software authorization protocol acquired in the second acquisition unit 404;
the second determining unit 406 is configured to determine the risk of the open source software module and the risk of the software according to the open source software authorization protocol acquired by the second acquiring unit 404 and the number of open source software modules counted by the counting unit 405.
Preferably,
the first determining unit 403 is specifically configured to determine the computer language in which the code file is developed according to the suffix of the code file; perform a content scan of the code file using the keywords corresponding to the determined computer language and determine the software modules referenced by the code file; and determine, based on the open source software module library, which of the referenced software modules are open source software modules.
Preferably,
the first determining unit 403 is further configured to obtain a version number of the open source software module when determining the open source software module related to the code file;
the second obtaining unit 404 is specifically configured to obtain, if the first determining unit 403 obtains the version number of the open source software module, an open source software authorization protocol corresponding to the determined version of the open source software module based on a preset open source software authorization protocol library.
Preferably,
the second determining unit 406 is specifically configured to determine that an open source software module related to the GPLv2 protocol or the AGPL protocol is a high risk module, and that an open source software module related to neither the GPLv2 protocol nor the AGPL protocol is a low risk module; and, if the counted total number of open source software modules related to the GPLv2 protocol and the AGPL protocol is larger than a preset value, to determine that the software is at high risk, and otherwise at low risk; wherein the specified open source software authorization protocols comprise the GPLv2 protocol and the AGPL protocol.
Preferably, the apparatus further comprises: an output unit;
the output unit is used for outputting the risk of the software determined by the second determining unit and the association relation between the open source software module and the risk.
The units of the above embodiments may be integrated or deployed separately, and may be combined into one unit or further split into a plurality of sub-units.
In another embodiment, there is also provided an electronic device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the software open source risk determination method when executing the program.
In another embodiment, a computer readable storage medium having stored thereon computer instructions which when executed by a processor may implement steps in the software open source risk determination method is also provided.
Fig. 5 is a schematic diagram of an entity structure of an electronic device according to an embodiment of the present invention. As shown in fig. 5, the electronic device may include: processor (Processor) 510, communication interface (Communications Interface) 520, memory (Memory) 530, and communication bus 540, wherein Processor 510, communication interface 520, memory 530 complete communication with each other through communication bus 540. Processor 510 may invoke logic instructions in memory 530 to perform the following method:
scanning a software source code library of software to obtain a code file;
scanning the content of each code file and determining an open source software module referenced by the code file;
acquiring an open source software authorization protocol corresponding to the determined open source software module based on a preset open source software authorization protocol library;
counting the number of open source software modules corresponding to the designated open source software authorization protocol;
and determining the risk of the open source software module and the risk of the software according to the acquired open source software authorization protocol and the counted number of the open source software modules.
Further, the logic instructions in the memory 530 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The apparatus embodiments described above are merely illustrative: units described as separate may or may not be physically separate, a unit shown as a unit may or may not be a physical unit, and the units may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the invention.

Claims (9)

1. A method for determining risk of software open source, the method comprising:
scanning a software source code library of software to obtain a code file;
scanning the content of each code file and determining an open source software module referenced by the code file;
acquiring an open source software authorization protocol corresponding to the determined open source software module based on a preset open source software authorization protocol library;
counting the number of open source software modules corresponding to the designated open source software authorization protocol;
determining the risk of the open source software module and the risk of the software according to the acquired open source software authorization protocol and the counted number of the open source software modules;
wherein the specified open source software authorization protocol comprises: the second version of the General Public License, the GPLv2 protocol, and the enhanced version of the General Public License, the AGPL protocol;
the determining the risk of the software module and the risk of the software according to the acquired open source software authorization protocol and the counted number of the software modules comprises the following steps:
determining that an open source software module related to a GPLv2 protocol or an AGPL protocol is a high risk module, and an open source software module not related to the GPLv2 protocol and the AGPL protocol is a low risk module;
if the sum of the numbers of open source software modules related to the GPLv2 protocol and the AGPL protocol is counted to be larger than a preset value, determining that the software is at high risk; otherwise, it is determined as low risk.
2. The method of claim 1, wherein the scanning the content of each code file to determine the open source software module referenced by the code file comprises:
determining a computer language for developing the code file according to the suffix of the code file;
performing content scanning on the code file by using the keywords corresponding to the determined computer language, and determining a software module referenced by the code file;
whether the software module referenced by the code file is an open source software module is determined based on the open source software module library.
3. The method of claim 2, wherein, when determining the open source software module referenced by the code file, the method further comprises: obtaining a version number of the open source software module;
and, if the version number of the open source software module is obtained, the acquiring of the open source software authorization protocol corresponding to the determined open source software module based on the preset open source software authorization protocol library comprises:
acquiring the open source software authorization protocol corresponding to the determined version of the open source software module based on the preset open source software authorization protocol library.
4. The method according to claim 1, wherein the method further comprises:
outputting the risk of the software and the association between the open source software modules and the risk.
5. A software open source risk determination apparatus, the apparatus comprising: the device comprises a scanning unit, a first acquisition unit, a first determination unit, a second acquisition unit, a statistics unit and a second determination unit;
the scanning unit is used for scanning a software source code library of software and scanning the content of each code file acquired by the first acquisition unit;
the first acquisition unit acquires a code file when the scanning unit scans a software source code library of software;
the first determining unit is used for determining an open source software module referenced by each code file when the scanning unit scans the content of each acquired code file;
the second obtaining unit is configured to obtain an open source software authorization protocol corresponding to the open source software module determined by the first determining unit based on a preset open source software authorization protocol library;
the statistics unit is used for counting the number of open source software modules corresponding to the designated open source software authorization protocol acquired in the second acquisition unit;
the second determining unit is configured to determine a risk of the open source software module and a risk of the software according to the open source software authorization protocol acquired by the second acquiring unit and the number of open source software modules counted by the counting unit;
wherein the specified open source software authorization protocol comprises: the second version of the General Public License, the GPLv2 protocol, and the enhanced version of the General Public License, the AGPL protocol;
the second determining unit, when determining the risk of the open source software module and the risk of the software according to the acquired open source software authorization protocol and the counted number of open source software modules, is specifically configured to: determine that an open source software module related to the GPLv2 protocol or the AGPL protocol is a high risk module, and that an open source software module related to neither the GPLv2 protocol nor the AGPL protocol is a low risk module; and, if the counted total number of open source software modules related to the GPLv2 protocol and the AGPL protocol is larger than a preset value, determine that the software is at high risk, and otherwise at low risk.
6. The apparatus of claim 5, characterized in that
the first determining unit is specifically configured to determine a computer language for developing the code file according to a suffix of the code file; performing content scanning on the code file by using the keywords corresponding to the determined computer language, and determining a software module referenced by the code file; a software module that is an open source software module is determined based on the library of open source software modules.
7. The apparatus of claim 5, characterized in that
the first determining unit is further configured to obtain a version number of the open source software module when determining the open source software module related to the code file;
the second obtaining unit is specifically configured to obtain, if the first determining unit obtains the version number of the open source software module, an open source software authorization protocol corresponding to the determined version of the open source software module based on a preset open source software authorization protocol library.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 4 when executing the program.
9. A computer readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method of any one of claims 1 to 4.
Application CN202011515718.6A, priority date 2020-12-21, filing date 2020-12-21: Method and device for determining software open source risk (Active, granted as CN112487366B).
Publications (2)

Publication Number Publication Date
CN112487366A CN112487366A (en) 2021-03-12
CN112487366B (en) 2024-03-12

Family

ID=74914889

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant