摘要
不可阻挡的软件组件化趋势与多人协同作业模式的开发过程促使开源软件供应链逐渐形成,在蓬勃发展的开源软件带来巨大便利的同时,开源漏洞随着供应链悄然而至,威胁着软件系统的安全性和可靠性。软件成分分析可对维护脆弱的开源软件供应链的安全起到实质性的支撑作用,它通过开源软件组件漏洞检测与自动修复两个核心功能发现并修复软件项目中潜在的漏洞和风险。为加深相关研究人员对软件成分分析在安全漏洞方面的实践的了解,文中梳理归纳了近年的开源软件组件漏洞检测与自动修复技术的研究进展与成果;进一步地,从用户视角出发,基于8个分析维度对目前常见的8种软件成分分析工具进行了总结与探析;最后,探讨了开源软件组件漏洞检测与自动修复技术现存的挑战并展望了未来可能的发展方向。
The unstoppable trend of software componentization and the development process of collaborative work mode by multiple individuals have led to the gradual formation of open-source software supply chains.While flourishing open-source software brings great convenience,open-source vulnerabilities quietly emerge along the supply chain,posing a threat to the security and reliability of software systems.Software composition analysis technology can provide substantial support for maintaining the security of fragile open-source software supply chains.It discovers and fixes potential vulnerabilities and risks in software projects through two core functions:open-source software component vulnerability detection and automatic repair.To deepen the understanding of relevant researchers on the practical application of software component analysis in security vulnerabilities,this paper reviews and summarizes the research progress and achievements in recent years on open-source software component vulnerability detection and automatic repair technologies.Furthermore,starting from the users’perspective,a summary and analysis of eight common software composition analysis tools based on eight analysis dimensions are provided.Finally,the existing challenges of open-source software component vulnerability detection and automatic repair technology are discussed,and their possible future development directions are explored.
作者
张旭明
史涯晴
黄松
王兴亚
胡津昌
陆江涛
ZHANG Xuming;SHI Yaqing;HUANG Song;WANG Xingya;HU Jinchang;LU Jiangtao(College of Command and Control Engineering,Army Engineering University of PLA,Nanjing 210007,China;College of Computer Science and Technology,Nanjing Tech University,Nanjing 211816,China)
出处
《计算机科学》
北大核心
2025年第6期1-20,共20页
Computer Science
关键词
开源软件供应链
软件成分分析
组件漏洞检测
自动修复
Open-source software supply chain
Software component analysis
Component vulnerability detection
Automatic repair
