一种面向软件成分分析的轻量化依赖分析方法

doi:10.19678/j.issn.1000-3428.00 70637

摘要/Abstract

摘要： 如今，开源软件在各个行业，尤其是航空航天、汽车电子等关键领域广泛应用，但大部分开源软件存在安全漏洞。在我国，针对开源软件的成分分析和验证在软件开发及评测中严重缺失，导致关键领域软件安全难以保障。因此，软件成分分析对确保软件安全不可或缺，其中，准确的第三方依赖项（Third Party Dependencies, TPDs）识别是软件漏洞管理与合规性评估的关键。针对上述问题，本文提出了一种面向软件成分分析的轻量化依赖分析方法，提高了TPD识别的准确性和大规模项目文件处理的效率，主要内容如下：第一，方法包含一种针对Java语言Maven项目的分析算法，算法通过识别项目的构建配置文件，构建项目结构模型并提取第三方依赖项信息；第二，方法包含一种基于Winnowing算法的冗余依赖检测算法，算法通过分步对比代码文件与识别到第三方依赖项信息的哈希指纹，检测第三方依赖项的实际使用情况，排除冗余依赖项；第三，基于提出的算法，设计并实现了一种轻量化的成分分析框架，该框架通过特定的分析器类包装分析算法，使用Java中的ServiceLoader API注册并执行分析任务。为了验证方法的有效性，我们构建了一个包含56870个不同版本TPD的数据库，并从GitHub收集了4个真实的开源项目进行实验验证，结果表示，提出的算法在检测准确度上表现出色：与基于机器学习的聚类算法和基于代码相似性比较的技术相比，提出的算法有更高的准确率和F1分数和更低的检测耗时。另外，该系统应用的ServiceLoader API使得系统有较强的拓展性，便于增加不同的分析算法，有较强的实用性，为后续实现多语言TPD检测工作打下基础。关键词：软件成分分析；依赖检测；Java语言；Maven工具；软件系统

Abstract: Nowadays, open source software is widely used in various industries, especially in key fields such as aerospace and automotive electronics, but most open source software has security vulnerabilities. In China, the component analysis and verification of open source software are seriously missing in software development and evaluation, which makes it difficult to ensure the safety of software in key areas. Therefore, software component analysis is indispensable to ensure software security, and accurate identification of Third Party Dependencies (TPDS) is the key to software vulnerability management and compliance assessment. To solve the above problems, this paper proposes a lightweight dependency analysis method for software component analysis, which improves the accuracy of TPD identification and the efficiency of large-scale project file processing. The main contents are as follows: first, the method includes an analysis algorithm for Java Maven project, which constructs the project structure model and extracts the third-party dependency information by identifying the construction configuration file of the project; Second, the method includes a redundant dependency detection algorithm based on winnowing algorithm. The algorithm detects the actual use of third-party dependencies and eliminates redundant dependencies by comparing the code file and the hash fingerprint that identifies the third-party dependency information step by step; Thirdly, based on the proposed algorithm, a lightweight component analysis framework is designed and implemented. The framework wraps the analysis algorithm through a specific analyzer class, registers and executes the analysis task using the ServiceLoader API in Java. In order to verify the effectiveness of the method, we built a database containing 56870 different versions of TPD, and collected four real open source projects from GitHub for experimental verification. The results show that the proposed algorithm performs well in detection accuracy: compared with the clustering algorithm based on machine learning and the technology based on code similarity comparison, the proposed algorithm has higher accuracy, F1 score and lower detection time. In addition, the ServiceLoader API applied in the system makes the system more extensible, convenient for adding different analysis algorithms, and has strong practicability, which lays the foundation for the subsequent implementation of multilingual TPD detection.

李天然 , 朴勇 , 孔子涵. 一种面向软件成分分析的轻量化依赖分析方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.00 70637.

Li Tianran, Piao Yong, Kong Zihan. A Lightweight Dependency Analysis Method for Software Component Analysis[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.00 70637.

参考文献

[1] A. Dann, H. Plate, B. Hermann, S. E. Ponta and E. Bodden. Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite[J]. in IEEE Transactions on Software Engineering, 2022,48(9): 3613-3625.
[2] Y. Wu, Z. Yu, M. Wen, Q. Li, D. Zou and H. Jin. Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem[C]//2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE), Melbourne, Australia, 2023: 1046- 1058.
[3] 王戈,郭新海,刘安,等.基于 SBOM 的软件安全治理实践 [J].邮电设计技术, 2023(8):9-13. Wang Ge, Guo Xinhai, Liu An, etc. Practice of Software Security Governance Based on SBOM [J] Postal and
Telecommunications Design Technology, 2023 (8): 9-13. [4] Z. Ma, H. Wang, Y. Guo and X. Chen. LibRadar: Fast and Accurate Detection of Third-Party Libraries in Android Apps[C]//2016 IEEE/ACM 38th International Conference on Software Engineering Companion(ICSE-C), Austin, TX, USA, 2016:653-656.
[5] M. Li et al. Large-Scale Third-Party Library Detection in Android Markets[J] IEEE Transactions on Software Engineering, 2020,46(9): 981-1003.
[6] 朱辉,陈昭宇.一种基于分级检测的 C,C++语言软件成分分析方法及系统:CN202310583009.9[P].2024-11-12. Zhu Hui, Chen Zhaoyu. A C, C++language software component analysis method and system based on hierarchical detection: CN202310583009.9 [P]. 2022-11-12.
[7] Michael Backes, Sven Bugiel, and Erik Derr. Reliable Third-Party Library Detection in Android and its Security Applications[C]//2016 ACM SIGSAC Conference on Computer and Communications Security (CCS’16). Association for Computing Machinery, New York, USA,2016:356–367.
[8] J. Huang et al. Scalably Detecting Third-Party Android Libraries With Two-Stage Bloom Filtering[J]. in IEEE Transactions on Software Engineering, 2023,49(4): 2272-2284.
[9] X. Zhan et al. ATVHunter: Reliable Version Detection of ThirdParty Libraries for Vulnerability Identification in Android Applications[C]//2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), Madrid, ES, 2021:1695-1707.
[10] Zhan X , Fan L , Liu T ,et al. Automated third-party library detection for Android applications: are we there yet?[C]// ASE '20: 35th IEEE/ACM International Conference on Automated Software Engineering. ACM, 2020.
[11] X. Song, Y. Wang, X. Cheng, G. Liang, Q. Wang and Z. Zhu. Efficiently Trimming the Fat: Streamlining Software Dependencies with Java Reflection and Dependency Analysis[C]//2024 IEEE/ACM 46th International Conference on Software Engineering (ICSE), Lisbon, Portugal, 2024: 1261-1272.
[12] C. Soto-Valero, D. Tiwari, T. Toady and B. Baudry. Automatic Specialization of Third-Party Java Dependencies[J]. in IEEE Transactions on Software Engineering, 2023,49(11): 5027-5045.
[13] Z. Wang et al. Precise and Efficient Third-party Java Libraries Identification Tool for Collaborative Software[C]//2024 27th International Conference on Computer Supported Cooperative Work in Design (CSCWD), Tianjin, China, 2024:2541-2546.
[14] K. Pan and Y. Wang. Research on Dynamic Detection of Java Dependency Conflict[C]//2020 IEEE International Conference on Advances in Electrical Engineering and Computer Applications(AEECA), Dalian, China, 2020: 711-714.
[15] T. Gustavsson. Managing the Open Source Dependency[J]. in Computer, 2020,53(2):83-87.
[16] 陈克豪.安全左移场景下的软件成分分析评估与改进方法研究[D].浙江理工大学,2023. Chen Kehao. Research on Software Component Analysis, Evaluation, and Improvement Methods in Safe Left Shift Scenarios [D] Zhejiang University of Technology, 2023.
[17] Avalle, Matteo, Pironti, et al.The Java SPI Framework for Security Protocol Implementation[C]//2011 6th International Conference on Availability, Reliability and Security(ARES 2011). Vienna, Austria, 2011: 746-751.
[18] Jaber Z J, Aliwy A H. Design and Implementation of Arabic Plagiarism Detection System[J]. Further Advances in Internet of Things in Biomedical and CyberPhysical Systems, 2021, 193:347–358.
[19] Faisal M, Malang I M, Sulthan M M E, et al. Plagiarism Detection Using Manber and Winnowing Algorithm[J]. International Journal of Advanced Science and Technology, 2020, 29(6s):2130-2136.
[20] Saul Schleimer, Daniel S. Wilkerson, Alex Aiken． Winnowing: Local Algorithms for Document Fingerprinting[C]//International Conference on Management of Data, 2003: 76-85.
[21] Apurbalal Senapati, Arunendu Mondal, Soumen Maji. A Fuzzy String Matching-Based Reduplication with Morphological Attributes[J]. Pattern Recognition and Data Analysis with Applications, 2022, 888(1): 1-10.
[22] Lida Zhao, Sen Chen, Zhengzi Xu, et al. Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects[C]//31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2023). New York, NY, USA, 2023: 960–972.
[23] J. Yeboah, S. Popoola. Efficacy of Static Analysis Tools for Software Defect Detection on Open-Source Projects[C]//2023 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, USA, 2023: 1588-1593.
[24] B. Boles, E. O'Donoghue, A. Redempta Manzi Muneza, et al. Deciphering Discrepancies: A Comparative Analysis of Docker Image Security[C]//2024 IEEE International Conference on Source Code Analysis and Manipulation (SCAM), Flagstaff, AZ, USA, 2024: 254-259.
[25] 软件供应链安全指南 . 开源软件成分检测工具 OpenSCA 使用攻略[EB/OL]. (2025-02-18)[2025-03-04]. https://blog.csdn.net/lanoukejijiaoyu/article/details/1457 01657. Software supply chain security guide. Introduction to opensca, an open source software component detection tool[EB/OL].(2025-02-18)[2025-03-04]. https://blog.csdn.net/lanoukejijiaoyu/article/details/1457 01657.
[26] T. Makino, T. Nakamura, L. Bustamante, et al. Piezoelectric and Inversely Piezoelectric Responses of Bone Tissue Plates in the Megahertz Range[J]. IEEE Transactions on Ultrasonics, Ferroelectrics, and Frequency Control, 2020, 67(8): 1525-1532.

选择文件类型/文献管理软件名称

选择包含的内容