开源软件漏洞库综述  被引量：10

作　　者：贾培养 孙鸿宇 曹婉莹 伍高飞 王文杰 Jia Peiyang;Sun Hongyu;Cao Wanying;Wu Gaofei;Wang Wenjie(SchooL of Cyber Engineering,Xidian University,Xi’an 710126;National Computer Network lntrusion Protection Center,University of Chinese Academy of Sciences,Beijing 101408)

机构地区：[1]西安电子科技大学网络与信息安全学院,西安710126 [2]中国科学院大学国家计算机网络入侵防范中心,北京101408

出　　处：《信息安全研究》2021年第6期566-574,共9页Journal of Information Security Research

基　　金：国家自然科学基金重点项目(U1836210)。

摘　　要：近年来,随着软件开发周期的不断缩短,越来越多的软件开发者在其项目代码中使用大量的开源代码.软件开发者往往只关注自己负责部分的代码安全,几乎不关注项目采用的开源代码的安全性问题.开源软件的使用者很难将传统漏洞数据库中的漏洞条目对应到当前的软件版本中.现有的漏洞版本控制方案和开源代码的版本控制方案之间存在一定的差异,这使得开源代码使用者无法及时修复存在漏洞的代码,因此一个能够准确收集开源漏洞情报并对漏洞进行精确匹配的漏洞库是十分必要的.首先介绍了开源代码的广泛使用带来的潜在安全挑战;其次对现有开源漏洞库平台的情况进行了详细分析,同时对现有开源漏洞库从多个维度进行了对比研究;然后给出了当前开源漏洞库建设面临的问题和挑战;最后给出了建设开源漏洞数据库的一些建议.In recent years,with the continuous shortening of the software development cycle,a large number of open source code is used in modern software projects,and software developers tend to focus only on the security of the part of the project code they are responsible for,and rarely pay attention to the security of the open source code used in the project,and it is difficult for users to correspond the vulnerability entries in the traditional vulnerability repository to the current software version.There are some differences between the vulnerabilities existing version control schemes and those of open source code,so a vulnerability repository that can accurately collect open source code vulnerability intelligence and precisely match vulnerabilities is essential.This paper first introduces the potential security challenges brought by the widespread use of open source code,then analyzes in detail the existing open source vulnerability repository platforms and conducts a comparative study of existing open source vulnerability databases from several dimensions,then gives the problems and challenges faced by the construction of current open source vulnerability databases,and finally gives some suggestions for building open source vulnerability databases.

关 键 词：开源软件 漏洞数据库 版本控制 开源漏洞情报 开源漏洞库 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]