Securing Supply Chains in Open Source Ecosystems: Methodologies for Determining Version Numbers of Components Without Package Management Files

Authors

  • Li Sun

DOI:

https://doi.org/10.54097/n8djwto1zb

Keywords:

Supply chain security detection, Non-package management files, Open source components, Component version number determination method

Abstract

In supply chain security detection, determining the component version number is a crucial task for open source components that ship without package management files. This paper explores the determination of component version numbers from several angles and proposes an effective method. First, by analyzing the component's source code, the version number can be inferred from a specific pattern, function, or variable in the code. This approach requires in-depth study of the source code to extract the key code snippets that may carry version information. Second, the commit history of the component can be used to track changes to the version number: the modifications and update information for each version are obtained by viewing the component's commit records in the version control system. This approach is feasible for components with a canonical versioning history. Third, the component's metadata can be used to determine the version number. Some open source components carry version-related information in their code or documentation, such as release dates, release notes, and version labels; by parsing and extracting this metadata, the version number of the component is obtained. Finally, the version number can be obtained through communication with the community or the developers, by participating in the relevant open source community or contacting the component's developers to ask for information about the component version. This approach may require more time and resources, but it is a viable option for components whose version number is difficult to determine by other means. In summary, determining the version number of open source components without package management files is an important link in supply chain security detection.
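The first three approaches above (source code markers, commit history, and metadata such as changelog headings) can be combined into one evidence-gathering routine. The example below is added here and is not code from the paper; the marker patterns, the sample "libfoo" tree and the decorated git log are all constructed assumptions for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Version carriers commonly found in source trees that ship no package manifest.
# This pattern set is an assumption of the example, not taken from the paper.
SEMVER = r"([0-9]+(?:\.[0-9]+){1,3})"
SOURCE_MARKERS = [
    ("c_define",  re.compile(r'#\s*define\s+\w*VERSION\w*\s+"v?' + SEMVER + '"')),
    ("py_dunder", re.compile(r'__version__\s*=\s*["\']v?' + SEMVER + '["\']')),
    ("javadoc",   re.compile(r'@version\s+v?' + SEMVER)),
]
# Only the topmost changelog heading counts: it names the release the tree is at.
CHANGELOG_HEADING = re.compile(r'^#+\s*\[?v?' + SEMVER + r'\]?', re.MULTILINE)
GIT_TAG = re.compile(r'tag:\s*v?' + SEMVER)

def extract_from_sources(tree: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, marker_kind, version) for every version marker found."""
    hits = []
    for path, text in tree.items():
        for kind, pat in SOURCE_MARKERS:
            hits += [(path, kind, v) for v in pat.findall(text)]
        if path.lower().startswith("changelog"):
            m = CHANGELOG_HEADING.search(text)
            if m:
                hits.append((path, "changelog", m.group(1)))
    return hits

def extract_from_git_log(decorated_log: str) -> List[str]:
    """Versions named by tag refs in `git log --decorate --oneline` output, newest first."""
    return GIT_TAG.findall(decorated_log)

def resolve_version(tree: Dict[str, str], decorated_log: str = "") -> Optional[str]:
    """Majority vote over all evidence; the newest git tag breaks ties."""
    votes = Counter(v for _, _, v in extract_from_sources(tree))
    tags = extract_from_git_log(decorated_log)
    if tags:
        votes[tags[0]] += 1
    if not votes:
        return None  # no evidence: fall back to asking the community/developers
    best = max(votes.values())
    winners = [v for v, n in votes.items() if n == best]
    return tags[0] if tags and tags[0] in winners else winners[0]

# Constructed sample tree and git log for a hypothetical component "libfoo".
SAMPLE_TREE = {
    "include/version.h": '#define LIBFOO_VERSION "1.4.2"\n#define LIBFOO_VERSION_MAJOR 1\n',
    "CHANGELOG.md": "# Changelog\n## [1.4.2] - 2023-11-02\n- fix parser\n## [1.4.1] - 2023-09-10\n",
    "src/util.c": "/* helper code, no version marker */\n",
}
SAMPLE_GIT_LOG = "a1b2c3d (HEAD -> main, tag: v1.4.2) Release 1.4.2\n9e8f7a6 Fix parser\n"
```

Disagreement between sources (for instance a stale changelog heading against a newer in-code define) shows up as a split vote and is the case worth inspecting by hand.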

Published

28-02-2024

Section

Articles

How to Cite

Sun, L. (2024). Securing Supply Chains in Open Source Ecosystems: Methodologies for Determining Version Numbers of Components Without Package Management Files. Journal of Computing and Electronic Information Management, 12(1), 32-36. https://doi.org/10.54097/n8djwto1zb