CN-122019222-A - Component repairing method, system, equipment, medium and product based on software supply chain
Abstract
The embodiments of the invention provide a component repair method, system, device, medium and program product based on a software supply chain, in the technical field of information security. The method comprises: obtaining component information of a software supply chain covering the full software development life cycle, the component information comprising at least a component bill of materials, component dependency data and component risk data; constructing a dependency network graph from the component information; determining the graph type and the spectral radius of the dependency network graph; determining the propagation threshold corresponding to that graph type; if the spectral radius is greater than or equal to the propagation threshold, determining a set of components to be repaired from the dependency network graph on the basis of the graph type, the spectral radius and the propagation threshold; and repairing the components in that set to obtain a repaired software supply chain. The invention is intended to improve the security defense capability of the software supply chain and to support the stable and reliable operation of the software system.
Inventors
- ZHU JUNTAO
- REN TIANFEI
- CHEN MINGCHENG
- NI HAO
- XU JIAHUAN
- SUN GANG
- LIN YEMING
- Teng Zhangchao
- LI JIAHAO
- GUO CHUXU
- Zou tianyi
- FAN BAOWEN
- Wang Gangyang
Assignees
- 浙商银行股份有限公司
- 易企银(杭州)科技有限公司
Dates
- Publication Date: 2026-05-12
- Application Date: 2025-12-26
Claims (10)
- 1. A software supply chain based component repair method, the method comprising: acquiring component information of a software supply chain covering the full life cycle of software development, wherein the component information comprises at least a component bill of materials, component dependency data and component risk data; constructing a dependency network graph based on the component information, wherein the dependency network graph comprises a component node set and an edge set, every component in the component bill of materials is contained in the component node set, the edge set comprises a plurality of edges, and each edge connects two different components that have a dependency relation; determining a graph type and a spectral radius of the dependency network graph; determining a propagation threshold corresponding to the graph type; and, if the spectral radius is greater than or equal to the propagation threshold, determining a set of components to be repaired from the dependency network graph on the basis of the graph type, the spectral radius and the propagation threshold, and repairing the components to be repaired contained in that set to obtain a repaired software supply chain.
- 2. The software supply chain based component repair method of claim 1, wherein the graph type is a complete graph, a complete bipartite graph, a star graph, a path graph, a cycle graph, or a general complex network, and determining the graph type and the spectral radius of the dependency network graph specifically comprises: determining the graph type of the dependency network graph; determining a weighted adjacency matrix of the dependency network graph based on the component information; and determining the spectral radius of the dependency network graph from the weighted adjacency matrix.
- 3. The software supply chain based component repair method of claim 2, wherein if the graph type is the complete graph, determining the set of components to be repaired from the dependency network graph on the basis of the graph type, the spectral radius and the propagation threshold specifically comprises: rounding the propagation threshold up to obtain a first parameter; acquiring the total number of nodes in the dependency network graph; determining the difference between the total number of nodes and the first parameter as a Nash equilibrium cost; and determining the set of components to be repaired from the dependency network graph on the basis of the Nash equilibrium cost, wherein the set of components to be repaired comprises at least one group of components to be repaired, the number of components to be repaired in each group equals the Nash equilibrium cost, and no two groups of components to be repaired contain exactly the same components.
- 4. The software supply chain based component repair method of claim 2, wherein if the graph type is the complete bipartite graph, the dependency network graph comprises a first component node set and a second component node set whose component nodes are entirely distinct from one another; and determining the set of components to be repaired from the dependency network graph on the basis of the graph type, the spectral radius and the propagation threshold specifically comprises: determining a set of unrepaired-component-count arrays on the basis of the propagation threshold and a preset first constraint condition, the set comprising at least one unrepaired-component-count array, each array satisfying the preset first constraint condition and comprising a first unrepaired-component count for the first component node set and a second unrepaired-component count for the second component node set; determining, on the basis of the dependency network graph, a sub-set of components to be repaired corresponding to each unrepaired-component-count array, each sub-set comprising at least one group of components to be repaired, wherein the number of component nodes of any such group that lie in the first component node set equals the first number of components to be repaired corresponding to that array, and the number of its component nodes that lie in the second component node set equals the second number of components to be repaired corresponding to that array; and constructing the set of components to be repaired from the sub-sets of components to be repaired corresponding to the respective unrepaired-component-count arrays.
- 5. The software supply chain based component repair method of claim 2, wherein if the graph type is the star graph, the dependency network graph comprises a central component node and a set of peripheral component nodes; and determining the set of components to be repaired from the dependency network graph on the basis of the graph type, the spectral radius and the propagation threshold specifically comprises: determining the central component node as a first group of components to be repaired; obtaining a second parameter on the basis of the propagation threshold and a preset second constraint condition; acquiring the total number of nodes in the dependency network graph; determining a maximum Nash equilibrium cost on the basis of the total number of nodes and the second parameter; determining at least one second group of components to be repaired from the set of peripheral component nodes on the basis of the maximum Nash equilibrium cost, wherein the number of components to be repaired in each second group equals the maximum Nash equilibrium cost and no two groups of components to be repaired contain exactly the same components; and combining the first group of components to be repaired with the second group(s) of components to be repaired to obtain the set of components to be repaired.
- 6. The software supply chain based component repair method of claim 1, wherein after repairing the components to be repaired contained in the set of components to be repaired to obtain the repaired software supply chain, the method further comprises: acquiring updated component information of the software supply chain; updating the weighted adjacency matrix of the dependency network graph on the basis of the updated component information to obtain a weighted adjacency matrix to be verified; determining a target spectral radius of the dependency network graph from the weighted adjacency matrix to be verified; if the target spectral radius is smaller than the propagation threshold, determining that repair of the software supply chain is complete; and if the target spectral radius is greater than or equal to the propagation threshold, again performing the steps of determining a set of components to be repaired from the dependency network graph on the basis of the graph type, the spectral radius and the propagation threshold, repairing the components to be repaired contained in that set, and obtaining a repaired software supply chain.
- 7. A software supply chain based component repair system, the system comprising: an acquisition unit configured to acquire component information of a software supply chain covering the full life cycle of software development, wherein the component information comprises at least a component bill of materials, component dependency data and component risk data; a construction unit configured to construct a dependency network graph based on the component information, wherein the dependency network graph comprises a component node set and an edge set, every component in the component bill of materials is contained in the component node set, the edge set comprises a plurality of edges, and each edge connects two different components that have a dependency relation; a first determining unit configured to determine a graph type and a spectral radius of the dependency network graph; a second determining unit configured to determine a propagation threshold corresponding to the graph type; and a repair unit configured to, if the spectral radius is greater than or equal to the propagation threshold, determine a set of components to be repaired from the dependency network graph on the basis of the graph type, the spectral radius and the propagation threshold, and repair the components to be repaired contained in that set to obtain a repaired software supply chain.
- 8. A computing device comprising at least one processor, a memory and an input/output unit, wherein the memory is configured to store a computer program and the processor is configured to invoke the computer program stored in the memory to perform the method of any one of claims 1 to 6.
- 9. A computer readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 6.
- 10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the method of any of claims 1-6.
Description
Component repairing method, system, equipment, medium and product based on software supply chain
Technical Field
The embodiments of the invention relate to the technical field of information security, and in particular to a component repair method, system, device, medium and program product based on a software supply chain.
Background
In software development, as the complexity of software systems keeps growing, modern development relies heavily on third-party open source components, commercial libraries and outsourced services, which together form a wide and complex software supply chain. The software supply chain runs through every stage of the software life cycle, including requirements analysis, design, development, build, testing, release, deployment, operation and maintenance, and finally decommissioning and destruction. Throughout this process, development teams introduce large numbers of external dependencies from public or private repositories such as Maven, npm (Node Package Manager), PyPI (the Python Package Index) and Docker image registries, which greatly improves development efficiency and iteration speed. However, this open, efficient and globalized supply chain model also brings serious security challenges. Software supply chain attacks have become frequent in recent years: by poisoning upstream components, tampering with the build process, implanting backdoors, or exploiting outdated components whose known vulnerabilities have not been patched, an attacker can compromise thousands of downstream systems at once, causing large-scale information leakage, service interruption or persistent control.
Current mainstream software supply chain security management relies mainly on software bill of materials (SBOM) generation and management, software composition analysis (SCA) tool scanning, and comparison against vulnerability databases (e.g., NVD, CNNVD) to identify risk. However, these tools mainly identify and discover component risks; they do not provide a remediation and governance method for the existing component inventory and the large volume of newly added components. Alarms are usually raised only after a component has already been introduced into a project, or even deployed to production, so active defensive capability is lacking, and no adaptive adjustment can be made according to factors such as the threat situation, the component propagation path and the range of affected assets. The security defensive capability of the software supply chain is therefore poor.
Disclosure of Invention
Against this background, embodiments of the present invention aim to provide a method, system, device, medium and program product for component repair based on a software supply chain.
In a first aspect of the embodiments of the present invention, there is provided a software supply chain based component repair method, comprising: acquiring component information of a software supply chain covering the full life cycle of software development, wherein the component information comprises at least a component bill of materials, component dependency data and component risk data; constructing a dependency network graph based on the component information, wherein the dependency network graph comprises a component node set and an edge set, every component in the component bill of materials is contained in the component node set, the edge set comprises a plurality of edges, and each edge connects two different components that have a dependency relation; determining a graph type and a spectral radius of the dependency network graph; determining a propagation threshold corresponding to the graph type; and, if the spectral radius is greater than or equal to the propagation threshold, determining a set of components to be repaired from the dependency network graph on the basis of the graph type, the spectral radius and the propagation threshold, and repairing the components to be repaired contained in that set to obtain a repaired software supply chain. In one example of this embodiment, the graph type is a complete graph, a complete bipartite graph, a star graph, a path graph, a cycle graph, or a general complex network, and determining the graph type and the spectral radius of the dependency network graph specifically comprises: determining the graph type of the dependency network graph; determining a weighted adjacency matrix of the dependency network graph based on the component information; and determining the spectral radius of the dependency network graph from the weighted adjacency matrix.
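The method of the first aspect above, together with the complete-graph rule of claim 3 and the repair-and-re-verify loop of claim 6, can be exercised on a small constructed SBOM. The following Python is an added illustration written for this page, not code from the patent or its assignees. It builds the weighted adjacency matrix with an assumed weighting w_ij = r_i * r_j on each dependency edge (the patent only says the matrix is built "based on the component information"), computes the spectral radius by power iteration, and greedily repairs components until the radius falls below a caller-supplied propagation threshold, rebuilding the matrix from the updated risk data after every repair. The sample SBOM, its dependency edges, the risk scores, the rule that a repaired component's risk drops to 0, and the threshold value 2.5 are all constructed for the example; the closed form n - ceil(threshold) for complete graphs restates claim 3 using the fact that the complete graph on m nodes has spectral radius m - 1.

```python
"""Spectral-radius driven component repair over an SBOM dependency graph.

Added illustration, not code from the patent or its assignees. Assumptions:
  * edge weight w_ij = r_i * r_j, the product of the two components' risk
    scores in [0, 1] (the patent only says the weighted adjacency matrix is
    built "based on the component information");
  * repairing a component resets its risk score to 0, which zeroes its
    edges in the weighted matrix (a patched component no longer propagates);
  * the caller supplies the propagation threshold for the graph type.
"""
import math

# Constructed sample SBOM: four mutually dependent components (a complete
# graph K4) plus a fifth component that only libC depends on.
SBOM = ["app", "libA", "libB", "libC", "libD"]
DEPENDENCIES = [("app", "libA"), ("app", "libB"), ("app", "libC"),
                ("libA", "libB"), ("libA", "libC"), ("libB", "libC"),
                ("libC", "libD")]
RISK = {name: 1.0 for name in SBOM}   # every component unpatched and equally risky


def build_weighted_adjacency(sbom, deps, risk):
    """Symmetric weighted adjacency matrix: one row/column per SBOM entry,
    w_ij = r_i * r_j on every dependency edge, 0 elsewhere."""
    idx = {name: i for i, name in enumerate(sbom)}
    adj = [[0.0] * len(sbom) for _ in sbom]
    for a, b in deps:
        if a == b:                      # an edge joins two *different* components
            continue
        i, j = idx[a], idx[b]
        adj[i][j] = adj[j][i] = risk[a] * risk[b]
    return adj


def spectral_radius(adj, tol=1e-10, max_iter=10000):
    """Largest eigenvalue of a symmetric non-negative matrix by power iteration.
    Iterating on (A + I) instead of A keeps the method convergent for bipartite
    graphs, whose spectrum is symmetric about 0; the shift is undone at the end."""
    n = len(adj)
    if n == 0:
        return 0.0
    v = [1.0 / math.sqrt(n)] * n        # positive start vector, overlaps the Perron vector
    lam = 0.0
    for _ in range(max_iter):
        w = [sum(adj[i][j] * v[j] for j in range(n)) + v[i] for i in range(n)]
        norm = math.sqrt(sum(x * x for x in w))
        w = [x / norm for x in w]
        aw = [sum(adj[i][j] * w[j] for j in range(n)) + w[i] for i in range(n)]
        new_lam = sum(w[i] * aw[i] for i in range(n))   # Rayleigh quotient of A + I
        if abs(new_lam - lam) < tol:
            return new_lam - 1.0
        lam, v = new_lam, w
    return lam - 1.0


def complete_graph_repair_count(n_nodes, threshold):
    """Closed form matching claim 3 for a complete graph K_n: the spectral radius
    of K_m is m - 1, so at most ceil(threshold) nodes may stay unrepaired and
    n - ceil(threshold) must be repaired (the claim's 'Nash equilibrium cost')."""
    return max(0, n_nodes - math.ceil(threshold))


def select_components_to_repair(sbom, deps, risk, threshold):
    """Greedy form of the determine / repair / re-verify loop of claim 6.
    While the spectral radius is still >= threshold, repair the unrepaired
    component with the largest risk-weighted degree, rebuild the weighted
    matrix from the updated risk data and re-check. Returns the ordered repair
    plan and the final spectral radius."""
    risk = dict(risk)
    plan = []
    while True:
        adj = build_weighted_adjacency(sbom, deps, risk)
        rho = spectral_radius(adj)
        if rho < threshold:
            return plan, rho
        candidates = [i for i, name in enumerate(sbom) if risk[name] > 0]
        if not candidates:               # everything repaired, threshold still not met
            return plan, rho
        worst = max(candidates, key=lambda i: (sum(adj[i]), -i))  # ties -> lower index
        plan.append(sbom[worst])
        risk[sbom[worst]] = 0.0          # updated component information after repair


if __name__ == "__main__":
    rho0 = spectral_radius(build_weighted_adjacency(SBOM, DEPENDENCIES, RISK))
    plan, rho1 = select_components_to_repair(SBOM, DEPENDENCIES, RISK, threshold=2.5)
    print(f"spectral radius before: {rho0:.4f}, repair plan: {plan}, after: {rho1:.4f}")
```

On the constructed sample the radius starts a little above 3 (a K4 with one pendant node), the hub libC is repaired first, and the remaining K3 has radius 2, below the constructed threshold of 2.5. On a pure K4 with the same threshold the greedy loop repairs exactly one component, which agrees with the claim 3 count 4 - ceil(2.5) = 1; the loop is the generic fallback for graph types where no such closed form is given.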
In an example of this embodiment, if the graph type is the complete graph, determining the set of components to be repaired from the dependency network graph on the basis of the graph type, the spectral radius and the propagation threshold specifically incl