OSCSE: A Practical Security Assessment Model for General Open Source Components

Cheng Huang 1
Cheng Huang 1
Yang You 2
Publication type: Journal Article
Publication date: 2025-02-28
Scimago: Q3
WoS: Q4
SJR: 0.206
CiteScore: 1.8
Impact factor: 0.6
ISSN: 0218-1940, 1793-6403
Abstract

Open source components (OSCs) have become a vital part of developing modern applications. The security of these components can affect the overall security of the software that depends on them, so the security of an OSC should be evaluated before it is integrated into the software. However, existing models lack generality and cannot easily be applied automatically to OSCs developed in different programming languages. To this end, we propose a security assessment model for OSCs, called the CRAM, which features generality and automation. The proposed model is constructed under the hypothesis that an OSC with a larger and more active community is more likely to disclose more vulnerabilities, and it evaluates the security of an OSC from the size and activity of its open source community and from its vulnerability disclosures. In the experiment section, we present validation and application experiments. In the validation experiment, we find that the basic hypothesis of the proposed model holds: there is a positive correlation between community size and activity and the vulnerability risk of OSCs. In the application experiment, we further evaluate our approach on large-scale open source components; the hypothesis is validated again, and most OSCs in the ecosystem are in line with it. Finally, we successfully build a security baseline according to the hypothesis, and 5 OSCs classified as vulnerable by our model are analyzed. The result demonstrates the effectiveness of our model in identifying vulnerable open source components within an ecosystem.
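As an added illustration of the hypothesis the abstract describes (this is not code from the paper, and the paper's own scoring, baseline and classification rule are not reproduced here), the following Python sketch fits a log-linear baseline relating community size and activity to disclosed vulnerability counts, checks that the correlation is positive, and flags components that sit well above the baseline. The feature blend, the regression form, the one-standard-deviation threshold, the direction of deviation treated as risky and the sample component data are all assumptions made for the example.

```python
"""Illustration of the abstract's hypothesis: fit a baseline relating community
size/activity to disclosed vulnerabilities, then flag components that deviate.

Everything here is an assumption for illustration: the feature blend, the
log-linear baseline, the deviation rule and the sample data are not the
paper's method or data.
"""
import math
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    contributors: int       # community size
    commits_last_year: int  # community activity
    disclosed_vulns: int    # publicly disclosed vulnerabilities attributed to it


# Constructed sample data, not drawn from the paper.
SAMPLE = [
    Component("lib-a", 5, 40, 0),
    Component("lib-b", 20, 300, 1),
    Component("lib-c", 80, 1200, 3),
    Component("lib-d", 300, 5000, 8),
    Component("lib-e", 1200, 20000, 20),
    # many more disclosures than a community this small would predict
    Component("lib-f", 15, 200, 9),
]


def community_score(c: Component) -> float:
    """Assumed feature: log-scaled blend of community size and activity."""
    return math.log1p(c.contributors) + math.log1p(c.commits_last_year)


def vuln_score(c: Component) -> float:
    """Log-scaled disclosure count so one heavily scrutinised project does not dominate the fit."""
    return math.log1p(c.disclosed_vulns)


def pearson(xs, ys) -> float:
    """Pearson correlation; the validation step in the abstract checks that this is positive."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def fit_baseline(components):
    """Least-squares line vuln_score = slope * community_score + intercept.

    The line plays the role of the 'security baseline': the disclosure level
    expected for a community of a given size and activity.
    """
    xs = [community_score(c) for c in components]
    ys = [vuln_score(c) for c in components]
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sxy / sxx
    return slope, my - slope * mx


def residuals(components, baseline):
    """Observed minus expected disclosure level for each component."""
    slope, intercept = baseline
    return {c.name: vuln_score(c) - (slope * community_score(c) + intercept)
            for c in components}


def flag_components(components, k: float = 1.0):
    """Assumed rule: flag components whose disclosures exceed the baseline by
    more than k standard deviations of the residuals. The abstract does not
    state which direction of deviation the paper treats as risky, so this
    direction and threshold are assumptions of the example.
    """
    res = residuals(components, fit_baseline(components))
    threshold = k * statistics.pstdev(res.values())
    return sorted(name for name, r in res.items() if r > threshold)


if __name__ == "__main__":
    xs = [community_score(c) for c in SAMPLE]
    ys = [vuln_score(c) for c in SAMPLE]
    print(f"correlation(community, disclosures) = {pearson(xs, ys):.3f}")
    print("flagged:", flag_components(SAMPLE))
```

On the constructed sample the correlation between community score and disclosure level is strongly positive, which is what the validation experiment in the abstract reports; lib-f, whose nine disclosures are far above what its small community predicts, is the only component the assumed rule flags. Working from log-scaled counts keeps a single very large project from pulling the baseline toward itself, which matters when the fit is run across a whole ecosystem rather than six components.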

GOST
Wang Z. et al. OSCSE: A Practical Security Assessment Model for General Open Source Components // International Journal of Software Engineering and Knowledge Engineering. 2025. Vol. 35. No. 03. pp. 397-419.
GOST (all authors)
Huang C., Huang C., You Y. OSCSE: A Practical Security Assessment Model for General Open Source Components // International Journal of Software Engineering and Knowledge Engineering. 2025. Vol. 35. No. 03. pp. 397-419.
RIS
TY - JOUR
DO - 10.1142/s021819402550010x
UR - https://www.worldscientific.com/doi/10.1142/S021819402550010X
TI - OSCSE: A Practical Security Assessment Model for General Open Source Components
T2 - International Journal of Software Engineering and Knowledge Engineering
AU - Huang, Cheng
AU - Huang, Cheng
AU - You, Yang
PY - 2025
DA - 2025/02/28
PB - World Scientific
SP - 397
EP - 419
IS - 03
VL - 35
SN - 0218-1940
SN - 1793-6403
ER -
BibTeX
@article{2025_Wang,
author = {Cheng Huang and Cheng Huang and Yang You},
title = {OSCSE: A Practical Security Assessment Model for General Open Source Components},
journal = {International Journal of Software Engineering and Knowledge Engineering},
year = {2025},
volume = {35},
publisher = {World Scientific},
month = {feb},
url = {https://www.worldscientific.com/doi/10.1142/S021819402550010X},
number = {03},
pages = {397--419},
doi = {10.1142/s021819402550010x}
}
MLA
Wang, Ziyan, et al. “OSCSE: A Practical Security Assessment Model for General Open Source Components.” International Journal of Software Engineering and Knowledge Engineering, vol. 35, no. 03, Feb. 2025, pp. 397-419. https://www.worldscientific.com/doi/10.1142/S021819402550010X.