Practice of Open Source Governance Implementation in Regulated Industries
Before a dedicated Software Bill of Materials (SBOM) platform for open source communities was built, China's open source ecosystem faced a range of challenges that severely hindered the effective management and security assurance of open source software.

From the perspective of open source software risk management and control, the widespread use of open source software across industries has made security vulnerabilities increasingly prominent. A large number of open source components carry known or unknown vulnerability risks, accompanied by potential copyright disputes and malicious attack incidents.

In terms of the status and influence of the open source software supply chain, China lacked a unified and efficient infrastructure for SBOM management and services in open source communities. Without standardized data foundations, tool architectures, and specification interfaces, open source ecosystem governance had no strong technical support.

In terms of standards and services, there was no comprehensive, standardized set of SBOM testing and evaluation criteria. This made it difficult to guarantee the accuracy, completeness, and compliance of SBOM data, which in turn limited the effectiveness of SBOM in software development and supply chain management.
Solution
Technical Architecture
The solution adopts a layered technical architecture, mainly consisting of the Presentation Layer, Web Service Layer, Data Layer, and Infrastructure Layer.
The Web Service Layer is developed on Java Spring Boot and is responsible for scheduling detection engines, integrating with external systems, and related functions. It includes functional modules such as test runtime monitoring, private repository security scanning, and code homology analysis. Detection tasks are processed asynchronously through a detection task message queue, which significantly improves the system's concurrent processing capability.
The Data Layer adopts databases including MySQL, Redis, and Elasticsearch. It manages database connections via data connection pools to realize data storage, caching, and retrieval, ensuring efficient data access and processing.
The Infrastructure Layer utilizes Docker as the containerization technology, providing a stable and portable operating environment for the system. It supports two deployment modes: on-premises deployment and cloud-based SaaS deployment, meeting the diverse deployment needs of different users.
In addition, the system supports integration with various security tools and production platforms. Detection tasks are distributed and result data collected automatically through RESTful APIs, which enables correlation analysis of results from different detection tools and the cleaning and merging of vulnerability data, improving the readability and accuracy of vulnerability data.
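As an added illustration of the result-merging step described above (example code, not Xmirror's own; the tool names, report schemas and all sample values are constructed), the following merges findings from two detection tools into one deduplicated view keyed by SBOM component identifier (package URL) and vulnerability id, keeping the highest reported severity and recording which tools corroborate each finding:

```python
# Added example, not the platform's code. Tool names, report schemas and all
# sample values below are constructed; vulnerability ids are placeholders.

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def normalize(tool, report):
    """Map one tool's native finding shape to (purl, vuln_id, severity)."""
    out = []
    for f in report:
        if tool == "scanner_a":   # constructed schema: package/version/cve/risk
            purl = f"pkg:maven/{f['package']}@{f['version']}"
            out.append((purl, f["cve"].upper(), f["risk"].lower()))
        elif tool == "scanner_b": # constructed schema: purl/id/severity
            out.append((f["purl"], f["id"].upper(), f["severity"].lower()))
    return out

def merge_findings(reports):
    """Deduplicate across tools; keep the highest severity and note the reporters."""
    merged = {}
    for tool, report in reports.items():
        for purl, vuln_id, sev in normalize(tool, report):
            entry = merged.setdefault((purl, vuln_id), {"severity": sev, "tools": set()})
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(entry["severity"], 0):
                entry["severity"] = sev
            entry["tools"].add(tool)
    return merged

def corroborated(merged, min_tools=2):
    """Findings reported by at least min_tools engines, for triage ordering."""
    return {k: v for k, v in merged.items() if len(v["tools"]) >= min_tools}

SAMPLE_REPORTS = {  # constructed sample input
    "scanner_a": [
        {"package": "org.example/libfoo", "version": "1.2.3", "cve": "vuln-example-1", "risk": "High"},
        {"package": "org.example/libbar", "version": "2.0.0", "cve": "vuln-example-2", "risk": "Medium"},
    ],
    "scanner_b": [
        {"purl": "pkg:maven/org.example/libfoo@1.2.3", "id": "VULN-EXAMPLE-1", "severity": "critical"},
        {"purl": "pkg:maven/org.example/libbaz@0.9.0", "id": "VULN-EXAMPLE-3", "severity": "low"},
    ],
}

if __name__ == "__main__":
    for (purl, vid), v in sorted(merge_findings(SAMPLE_REPORTS).items()):
        print(purl, vid, v["severity"], sorted(v["tools"]))
```

Real tool output will need one normalizer per engine, and a production version would also carry the CVSS vector and fix version so the merged record can drive remediation tracking.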
Achievements and Benefits
This solution has delivered multi-dimensional value and remarkable outcomes for a regulatory authority.
In Open Source Software Risk Management: the vulnerability detection rate increased by approximately 60%; vulnerability remediation efficiency improved by over 50%; license compliance issues were reduced by more than 70%; and the detection rate of malicious components and backdoor code was enhanced by 80%. These improvements have significantly mitigated losses caused by supply chain attacks.
In Open Source Ecosystem Governance: the unified SBOM management and public service platform provides standardized infrastructure for the open source community, facilitating the integration and sharing of open source resources.
In Standardization and Services: the development of SBOM testing and evaluation standards, together with service system frameworks, has improved the quality of SBOM data and the professionalism of related services, promoting the popularization and application of SBOM technology.
Honorary Recognition
Xmirror Security Officially Joins as a Founding Member of the SBOM Working Group
At the SBOM Sub-Forum of the 2024 OpenAtom Open Source Ecosystem Conference—hosted by the OpenAtom Foundation and organized by the Open Source Risk Assessment and Governance Technology Laboratory—Xmirror Security successfully passed months of rigorous evaluation and review by the China Industrial Information Security Development Research Center, officially becoming one of the founding members of the SBOM Working Group.
Scan the QR code for access to the detailed scheme of the award-winning case.