Towards a proactive management of Open Source Supply Chains

实现开源供应链的主动管理

• 批准号: RGPIN-2021-02476
• 负责人: German, Daniel
• 金额: $ 2.11万
• 依托单位: University of Victoria
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2021
• 资助国家: 加拿大
• 起止时间: 2021-01-01 至 2022-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=742000
• 关键词: Towards; proactive; management; Open; Source

Open Source Software (OSS), particularly in the form of libraries and frameworks, has become a fundamental part of software development; almost any software today relies on some OSS. A supply chain is a network of entities involved in supplying a product or service to a consumer. An Open Source Supply Chain (OSSC) is a supply chain that involves one or more OSS components that are used without a bilateral agreement between the component creator/maintainer and its customer. Thus, an OSSC is customer managed: the vendor (creator/maintainer of the OSS component being used) is usually not even aware of who its customers (users) are. When organizations incorporate an OSS component, they assume the associated risk with using this component, and cannot rely on support from the creator of the component. Thus, they must be careful when they evaluate and adopt an OSS component into their OSSC. They must also monitor the evolution of their entire OSSC, responding in a timely manner to potential defects (especially security related ones), upgrades, deprecations, and other changes in these components. These challenges are exacerbated by the ever growing number of dependencies required to build a software system today, and the continuous increase in the reuse of OSS components. The goal of this research program is to create models, methods and tools that help organizations proactively manage their Open Source Supply Chains. This will help software organizations reduce the cost and risk of reusing OSS in their OSSC, and improve the quality of the software they build with it.

开源软件（OSS），特别是以库和框架的形式，已经成为软件开发的基本组成部分；如今几乎所有软件都依赖于某些 OSS。供应链是参与向消费者提供产品或服务的实体网络。开源供应链 (OSSC) 是一种涉及一个或多个 OSS 组件的供应链，组件创建者/维护者与其客户之间无需签订双边协议即可使用这些组件。因此，OSSC 是由客户管理的：供应商（正在使用的 OSS 组件的创建者/维护者）通常甚至不知道其客户（用户）是谁。当组织合并 OSS 组件时，他们承担使用该组件的相关风险，并且不能依赖该组件创建者的支持。因此，他们在评估 OSS 组件并将其纳入 OSSC 时必须小心。他们还必须监控整个 OSSC 的演变，及时响应这些组件中的潜在缺陷（尤其是与安全相关的缺陷）、升级、弃用和其他更改。如今构建软件系统所需的依赖项数量不断增加，以及 OSS 组件的重用率不断增加，这些挑战变得更加严重。该研究计划的目标是创建模型、方法和工具，帮助组织主动管理其开源供应链。这将帮助软件组织降低在 OSSC 中重用 OSS 的成本和风险，并提高用它构建的软件的质量。