2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
How can the risks introduced by open source be discovered and resolved? That requires effective management of the open source code in use, and several essential links are needed to achieve it:
First, raise awareness of open source management and formulate open source management strategies
Plan first, then act: using or participating in open source blindly, without an open source management strategy, carries great risk. Before using open source software or participating in open source projects, a company should raise its staff's awareness of open source management and formulate corresponding strategies. These should at least include: the basic principles for using or participating in open source, the methods for managing open source software, and solutions or plans for the problems that may arise in the course of using or participating in open source.
With a set of open source management strategies in place, and open source software used under their guidance, a company can use open source more safely and efficiently and let it bring more value. There is, however, no universal open source management strategy: each company should formulate its strategies according to its own needs and circumstances, and refine and adjust them in practice according to the actual situation.
Second, discover open source software and its risks in a timely and effective way
A clear understanding of the open source software you use is a prerequisite for managing it. This understanding has two parts: knowing what open source code is present in your own software, and knowing the open source code itself and the risks it may bring.
In many cases a company cannot fully determine what open source code has been introduced into its software. Examples include reused code, developers freely borrowing code from the Internet, code from outside the company, open source software that itself nests other open source code, and sometimes even deliberately concealed open source code.
Finding this potentially hidden open source code requires checking the software code with professional open source inspection tools. Detection accuracy is very important: the tool must not only accurately detect the whole open source components used in your software, but also the specific open source files, and even open source code fragments, that it contains. Provided accuracy is ensured, detection speed also matters, since a tool that is too slow will hold back the release and iteration of software versions.
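The fragment-level detection described above, as an added example that is not code from the article or from any particular inspection tool: known open-source files are indexed as hashes of normalized three-line windows, and a scanned file is flagged wherever its windows match. The corpus, the scanned text and the component name are constructed for illustration.

```python
"""Added example: fragment-level open-source detection by fingerprinting.
Corpus and scanned text are constructed; 'libfoo/util.py' is a placeholder."""
import hashlib
import re

WINDOW = 3  # consecutive normalized lines per fingerprint


def normalize(line: str) -> str:
    """Strip '#' comments and collapse whitespace so cosmetic edits cannot hide a copy."""
    line = re.sub(r"#.*$", "", line)
    return re.sub(r"\s+", " ", line).strip()


def fingerprints(text: str) -> list[tuple[int, str]]:
    """Return (window start index, sha256 hex) for every WINDOW-line chunk."""
    lines = [normalize(ln) for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]  # drop blank and comment-only lines
    out = []
    for i in range(len(lines) - WINDOW + 1):
        chunk = "\n".join(lines[i:i + WINDOW]).encode()
        out.append((i, hashlib.sha256(chunk).hexdigest()))
    return out


def build_index(corpus: dict[str, str]) -> dict[str, str]:
    """Map each fingerprint to the open-source file it came from."""
    return {h: name for name, src in corpus.items() for _, h in fingerprints(src)}


def scan(text: str, index: dict[str, str]) -> dict[str, int]:
    """Count matching windows per known open-source file in the scanned text."""
    hits: dict[str, int] = {}
    for _, h in fingerprints(text):
        if h in index:
            hits[index[h]] = hits.get(index[h], 0) + 1
    return hits


# Constructed reference corpus: one "known" open-source file.
CORPUS = {"libfoo/util.py": "def clamp(x, lo, hi):\n    if x < lo:\n        return lo\n"
                            "    if x > hi:\n        return hi\n    return x\n"}

# Constructed scanned file: the same function pasted in with a comment and extra code.
SCANNED = ("import os\n\ndef clamp(x, lo, hi):  # copied\n    if x < lo:\n        return lo\n"
           "    if x > hi:\n        return hi\n    return x\n\nprint(clamp(3, 0, 1))\n")

if __name__ == "__main__":
    print(scan(SCANNED, build_index(CORPUS)))
```

A real tool would fingerprint a much larger corpus and a longer window, but the matching principle is the same.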
Knowing which open source is used is not enough; you also need to understand whether the open source code itself carries risk. If you use open source detection tools, they should be able to discover the risks of this open source software, including license compliance risk and security vulnerability risk. For license compliance risk, the license of the open source software can be indexed from information such as its name and version; analyzing whether that license conforms to the company's open source management strategy tells you whether there is a risk of license violation. For security vulnerability risk, the corresponding vulnerabilities can be extracted from a vulnerability database (such as NVD) using the same information, the name and version of the open source software. Security vulnerabilities are usually caused by part of the code in the software, so identifying them at the code fragment level, rather than only at the level of the whole open source component, is more accurate and less prone to false positives.
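The component-level lookup described above, as an added example that is not code from the article: each component found in a build is checked by name and version against a license policy and a vulnerability database with affected version ranges. The policy, the license index, the component names and the vulnerability ids are all constructed placeholders, not real packages or CVE numbers.

```python
"""Added example: component-level license and vulnerability risk check.
All names, versions and vulnerability ids below are constructed placeholders."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed policy: licenses the (assumed) company strategy allows.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed license index, keyed by component name.
LICENSE_INDEX = {"libfoo": "MIT", "libbar": "GPL-3.0-only", "libbaz": "Apache-2.0"}

# Constructed vulnerability records: (name, first affected, first fixed, placeholder id).
VULN_DB = [
    ("libfoo", (1, 0, 0), (1, 4, 2), "VULN-PLACEHOLDER-1"),
    ("libbaz", (2, 0, 0), (2, 1, 0), "VULN-PLACEHOLDER-2"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'1.4.1' -> (1, 4, 1); non-numeric parts are treated as 0 (a simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


@dataclass
class Finding:
    name: str
    version: str
    license: str | None
    license_ok: bool
    vulns: list[str] = field(default_factory=list)


def check_component(name: str, version: str) -> Finding:
    """Index the license and collect vulnerabilities whose affected range covers the version."""
    lic = LICENSE_INDEX.get(name)
    v = parse_version(version)
    vulns = [vid for n, lo, hi, vid in VULN_DB if n == name and lo <= v < hi]
    # An unknown license is treated as not allowed, so unindexed components surface as risk.
    return Finding(name, version, lic, lic in ALLOWED_LICENSES, vulns)


def check_manifest(manifest: dict[str, str]) -> list[Finding]:
    """Return only the components that carry a license or vulnerability risk."""
    findings = [check_component(n, v) for n, v in manifest.items()]
    return [f for f in findings if not f.license_ok or f.vulns]


if __name__ == "__main__":
    sample = {"libfoo": "1.4.1", "libbar": "0.9.0", "libbaz": "2.1.0"}
    for finding in check_manifest(sample):
        print(finding)
```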
Third, make open source management part of the R&D process
For most software companies, open source review and management is long-term, continuous work, and the most effective way to do it is to integrate it into the day-to-day research and development process. Introducing open source review and management in the early stages of development avoids open source risk at the source and reduces the high cost of rework.
Open source management usually requires professional tools. Using those tools effectively in the development process, without adversely affecting the process or the development cycle, is the requirement placed on open source review and management tools.