JP-2026075460-A - Version upgrade management system and version upgrade management method

Abstract

[Challenge] To support determining the upgrade order of components while taking into account both the risk of upgrading each component and the importance of each component. [Solution] A version upgrade management system 1 calculates, for each component of the software, a stability value, which is a parameter representing how low the risk is that the software will cease to function properly when that component is upgraded. Based on the calculated stability value and the importance of upgrading each component, the system calculates an evaluation value for each component. Based on the evaluation value of each component, the system determines the priority order for upgrading each component that has dependencies on a specified component to be upgraded and that will be upgraded after the specified component, and outputs information on the determined priority order to an output device. [Selection Diagram] Figure 1

Inventors

  • 松本 佳大
  • 下沢 拓
  • 大島 敬志
  • 大島 訓
  • 楊 帆
  • 山田 和正

Assignees

  • 株式会社日立製作所

Dates

Publication Date
20260508
Application Date
20241022

Claims (10)

  1. A version upgrade management system comprising: a storage device for storing software consisting of multiple components; and a computing device that performs an evaluation value calculation process that calculates, for each component of the software, a stability value, which is a parameter representing how low the risk is of the software ceasing to function properly when the component is upgraded, and calculates a predetermined evaluation value for each component based on the calculated stability value and the importance of upgrading each component, and a priority determination process that accepts the specification of a component to be upgraded, determines, based on the evaluation value of each component, the priority order for upgrading each component that has dependencies on the specified component and is to be upgraded after the specified component, and outputs the determined priority information to an output device.
  2. The version upgrade management system according to claim 1, wherein the computing device, in the evaluation value calculation process, calculates the stability value for the component based on parameters representing the operational stability between the component and other components that have dependencies on the component.
  3. The version upgrade management system according to claim 2, wherein the computing device, in the evaluation value calculation process, calculates, for each component and each of the other components, a security stability score, which is a parameter representing the adequacy of the security measures of the component, and a maintenance stability score, which is a parameter representing the maintainability of the component, and calculates the stability value for the component based on the calculated security stability score and maintenance stability score.
  4. The version upgrade management system according to claim 1, wherein the computing device, in the evaluation value calculation process, calculates, for each component as the importance, a centrality value, which is a parameter representing the centrality of the component in the software, and calculates the evaluation value for each component based on the calculated centrality value and the calculated stability value.
  5. The version upgrade management system according to claim 1, wherein the computing device, in the evaluation value calculation process, calculates, for each component as the importance, a vulnerability impact level, which is a parameter representing the magnitude of the impact that a vulnerability in the software has on the software, and calculates the evaluation value for each component based on the calculated vulnerability impact level and the calculated stability value.
  6. The version upgrade management system according to claim 1, wherein the computing device, in the evaluation value calculation process, calculates, for each component as its importance, a stability ratio, which is a parameter representing the degree to which the component operates stably together with other dependent components, and calculates the evaluation value for each component based on the calculated stability ratio and the importance.
  7. The version upgrade management system according to claim 1, wherein the computing device, in the priority determination process, determines the upgrade priority of each component that has dependencies on the specified component by raising the priority of a component as its evaluation value increases.
  8. The version upgrade management system according to claim 1, wherein the computing device, after determining the upgrade priority of each component that has dependencies on the specified component based on the evaluation value of each component, calculates, for each of the other components, a risk avoidance degree, which is a parameter representing the degree of impact that upgrading the component with the lowest priority among the components will have on the specified component and on other components that have dependencies on the specified component, identifies, based on the calculated risk avoidance degrees, the component to be upgraded next after the specified component, and outputs information on the identified component to the output device.
  9. The version upgrade management system according to claim 8, wherein the computing device, in the risk avoidance process, identifies the component to be upgraded next after the identified component based on the calculated risk avoidance degree and the calculated overall evaluation value.
  10. A version upgrade management method using an information processing device that includes a storage device for storing software consisting of multiple components, and a processing unit, in which the aforementioned computing device performs: an evaluation value calculation process that calculates, for each component of the software, a stability value, which is a parameter representing how low the risk is of the software ceasing to function properly when the component is upgraded, and calculates a predetermined evaluation value for each component based on the calculated stability value and the importance of upgrading each component; and a priority determination process that accepts the specification of a component to be upgraded, determines, based on the evaluation value of each component, the upgrade priority of each component that has dependencies on the specified component, and outputs the determined priority information to an output device.
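
The scoring and ranking steps of claims 1 to 4 and 7, shown as an added Python example that is not part of the patent text. The page gives no formulas, so the averaging used for the stability value, degree centrality as the importance, their product as the evaluation value, and all component names and scores are assumptions made for illustration.

```python
# Added illustration: formulas and sample data are assumptions, not the patent's.
from collections import deque

# Constructed sample: component -> components that depend on it.
DEPENDENTS = {
    "libcrypto": ["tls", "authn"],
    "tls": ["http", "db-client"],
    "authn": ["http"],
    "http": ["api"],
    "db-client": ["api"],
    "api": [],
}
# Constructed scores in [0, 1]: (security stability, maintenance stability).
SCORES = {
    "libcrypto": (0.9, 0.9), "tls": (0.8, 0.6), "authn": (0.4, 0.6),
    "http": (0.9, 0.7), "db-client": (0.3, 0.5), "api": (0.6, 0.6),
}

def own_score(c):
    sec, maint = SCORES[c]
    return (sec + maint) / 2

def stability(c):
    # Assumed: average the component's score with its direct dependents' (claims 2-3).
    group = [c] + DEPENDENTS[c]
    return sum(own_score(x) for x in group) / len(group)

def centrality(c):
    # Assumed importance measure: normalised degree centrality (claim 4).
    in_deg = sum(c in deps for deps in DEPENDENTS.values())
    return (in_deg + len(DEPENDENTS[c])) / (len(DEPENDENTS) - 1)

def evaluation(c):
    # Assumed combination: stable and central components score highest.
    return stability(c) * centrality(c)

def affected(target):
    # Transitive dependents of the specified component (breadth-first).
    seen, queue = set(), deque(DEPENDENTS[target])
    while queue:
        c = queue.popleft()
        if c not in seen:
            seen.add(c)
            queue.extend(DEPENDENTS[c])
    return seen

def prioritize(target):
    # Claim 7: a higher evaluation value means a higher upgrade priority.
    return sorted(affected(target), key=lambda c: (-evaluation(c), c))

if __name__ == "__main__":
    for rank, c in enumerate(prioritize("libcrypto"), 1):
        print(rank, c, round(evaluation(c), 3))
```

Ranking purely by evaluation value can place a component ahead of one it depends on; the risk avoidance step of claims 8 and 9 is not modelled here.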

Description

This invention relates to a version upgrade management system and a version upgrade management method.

Techniques for identifying software vulnerabilities and understanding their risks have been proposed for some time (e.g., Patent Document 1). Furthermore, a method for evaluating the risks associated with software version upgrades using centrality from network science has been proposed (e.g., Non-Patent Document 1).

Patent Document 1: Patent No. 7294441

Non-Patent Document 1: R.C.A. Heddes, "Vulnerability Risk Modelling in Open Source Software Systems," Master thesis, 2022, https://repository.tudelft.nl/record/uuid:4b3b172f-1c64-4ddf-9854-c74b62edee76. (Retrieved September 17, 2024)

  • This figure shows an example of the configuration of the version upgrade management system according to this embodiment.
  • This figure shows an example of software configuration information.
  • This figure shows an example of a dependency table.
  • This figure shows an example of vulnerability information.
  • This figure shows an example of the hardware configuration of a risk assessment system.
  • This is a flowchart illustrating the entire process performed in the version upgrade management system.
  • This is a flowchart illustrating the details of the stability calculation process.
  • This is a flowchart illustrating the details of the centrality risk calculation process.
  • This figure shows an example of a weighted adjacency matrix.
  • This figure shows an example of a risk assessment management table that may be created.
  • This figure shows an example of a priority determination table that may be created.
  • This is a flowchart that explains the details of the priority determination process.
  • This figure shows an example of a screen displaying the priority determination results.

The embodiments of the present invention will be described below with reference to the drawings. In the following explanation, "interface device" may refer to one or more interface devices.
These one or more interface devices may be at least one of the following:

  • One or more I/O (Input/Output) interface devices. An I/O interface device is an interface device to at least one of the following: an I/O device and a remote display computer. The I/O interface device to the display computer may be a communication interface device. The at least one I/O device may be a user interface device, for example either an input device such as a keyboard and pointing device, or an output device such as a display device.
  • One or more communication interface devices. These one or more communication interface devices may be one or more identical devices (e.g., one or more NICs (Network Interface Cards)) or two or more different types of communication interface devices (e.g., one NIC and one HBA (Host Bus Adapter)).

Furthermore, in the following explanation, "memory" refers to one or more memory devices, which are examples of one or more storage devices, and are typically main memory devices. At least one memory device in the memory may be a volatile memory device or a non-volatile memory device.

Furthermore, in the following description, "persistent storage device" may refer to one or more persistent storage devices, which are examples of one or more storage devices. Persistent storage devices are typically non-volatile storage devices (e.g., auxiliary storage devices), and specifically, may be HDDs (Hard Disk Drives), SSDs (Solid State Drives), NVMe (Non-Volatile Memory Express) drives, or SCMs (Storage Class Memory).

Furthermore, in the following explanation, "storage device" may refer to at least the memory out of the memory and the persistent storage device.

Furthermore, in the following description, "processor" may refer to one or more processor devices. At least one processor device is typically a microprocessor device such as a CPU (Central Processing Unit), but may also be other types of processor devices such as a GPU (Graphics Processing Unit).
At least one processor device may be single-core or multi-core. At least one processor device may be a processor core. At least one processor device may be a broad-sense processor device, such as a circuit that is a collection of gate arrays defined by a hardware description language that performs some or all of the processing (e.g., FPGA (Field-Programmable Gate Array), CPLD (Complex Programmable Logic Device), or ASIC (Application Specific Integrated Circuit)).

Furthermore, in the following explanation, the term "xxx table" may be used to describe information that yields an output for a given input. This information can be data of any structure (for example, structured or unstructured data), or it can be a neural network, a learning model such as a genetic algorithm or a random forest that generates an output for a given input. Therefore, "xxx table" can be referred to as "xxx information." Also, in the following explanation, the structure of each table is just an example; a single table may be divided into two or more tables, or all or part of two or more tables may be combined into a single table. Fur