Anling Study Notes (250): Intensive Reading of a Journal Paper, Section 1.2 Software Supply Chain Security Risk Assessment

2025-06-25 19:31


Share interest, spread happiness,

increase knowledge, and leave behind good memories.

Dear reader, this is the LearningYard Academy!

Today the editor brings you "Intensive Reading of the Journal Paper 'Research on Supply Chain Security Risk Assessment Methods for Mixed-Source Operating Systems', Section 1.2: Software Supply Chain Security Risk Assessment".

Welcome!

1. Content Summary

This post introduces Section 1.2, Software Supply Chain Security Risk Assessment, of the journal paper "Research on Supply Chain Security Risk Assessment Methods for Mixed-Source Operating Systems" from three angles: a mind map, the detailed reading, and supplementary knowledge.

2. Mind Map

3. Detailed Reading

This section consists of two parts: software supply chain security risk assessment based on an indicator system, and supply chain security risk assessment based on risk drivers.

(1) Software Supply Chain Security Risk Assessment Based on an Indicator System

Some of the literature defines the software supply chain as a supply network formed by code packages, tool platforms, and suppliers and consumers linked through dependency and composition relationships, and proposes an indicator-based assessment method. The method starts from three constituent elements (code components, people and organizations, and tools), takes traceability and availability (extended to include substitutability) as its core goals, and builds a risk assessment indicator system along three dimensions (technical, intellectual property, and management) across the development, delivery, and usage stages. The overall risk assessment result is a weighted composite of the quantified indicators.

The paper proposes treating the substitutability of the software supply chain as part of availability, and points out that a security risk assessment still needs to be added. Because security vulnerabilities directly threaten product functionality and data security, an independent assessment dimension is needed to complete the supply chain resilience and security assurance system.

(2) Supply Chain Security Risk Assessment Based on Risk Drivers

Alberts et al. proposed a software supply chain security assessment method based on risk drivers, defining the software supply chain as a network of stakeholders who contribute to or modify the product's content. The method focuses on five key risk areas: acquirer (demand-side) behavior, supplier behavior, data flows between supply chains, the product itself, and the operations and maintenance process. From these it extracts the key factors that affect security to form the set of risk drivers.

That work analyzes the risks of supplier-introduced code and the risks arising during development, operations, and maintenance. Combining interviews with documentary evidence, it assesses the state of each risk driver, identifies potential risks, and locates the weak points of the supply chain.

4. Knowledge Supplement: Technical Tools and Practice, Software Bill of Materials Generation and Analysis

A software bill of materials (SBOM) is an inventory that records a piece of software's components, its dependencies, and their metadata, much like the ingredient list on a product. It gives developers, security teams, and compliance staff a complete picture of what the software is made of and helps them identify potential risks. The following is a detailed introduction to SBOM generation and analysis:
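As an added example that is not from the paper or this post, the script below ties the two topics together: it emits a minimal CycloneDX-style SBOM from a constructed component inventory, then scores each component against the goals named in section 3 (traceability, availability including substitutability, and the security dimension the paper proposes adding) as a weighted composite. The indicator definitions, weights, component records, and hash values are all assumptions made for the illustration.

```python
# Added example: SBOM generation plus an indicator-based risk composite.
# Indicator rules, weights and sample data are assumptions, not the paper's values.
import json

# Constructed sample inventory (hashes and advisory counts are placeholders).
COMPONENTS = [
    {"name": "libfoo", "version": "1.4.2", "supplier": "Foo Project",
     "purl": "pkg:generic/libfoo@1.4.2", "sha256": "<placeholder-hash>",
     "license": "MIT", "alternatives": ["libbar"], "open_advisories": 0},
    {"name": "vendor-blob", "version": "0.9", "supplier": "Acme",
     "purl": "", "sha256": "", "license": "", "alternatives": [],
     "open_advisories": 1},
]

WEIGHTS = {"traceability": 0.4, "availability": 0.3, "security": 0.3}  # assumed


def build_sbom(components):
    """Emit a JSON document using a subset of CycloneDX 1.5 component fields."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [{
            "type": "library", "name": c["name"], "version": c["version"],
            "supplier": {"name": c["supplier"]} if c["supplier"] else None,
            "purl": c["purl"] or None,
            "hashes": [{"alg": "SHA-256", "content": c["sha256"]}] if c["sha256"] else [],
            "licenses": [{"license": {"id": c["license"]}}] if c["license"] else [],
        } for c in components],
    }


def score_component(entry, alternatives, open_advisories):
    """Per-goal risk in [0, 1] (0 = no risk) plus the weighted composite."""
    # Traceability risk: share of provenance fields (supplier, purl, hash) missing.
    provenance = [entry.get("supplier"), entry.get("purl"), entry.get("hashes")]
    traceability = sum(1 for p in provenance if not p) / len(provenance)
    # Availability risk: no substitute means a single point of failure.
    availability = 0.0 if alternatives else 1.0
    # Security risk: open advisories and an unknown license both raise it.
    security = min(1.0, 0.5 * open_advisories + (0.0 if entry.get("licenses") else 0.25))
    risk = {"traceability": traceability, "availability": availability, "security": security}
    risk["composite"] = round(sum(WEIGHTS[k] * risk[k] for k in WEIGHTS), 3)
    return risk


def assess(components):
    """Build the SBOM and score every component from its SBOM entry."""
    sbom = build_sbom(components)
    return {c["name"]: score_component(e, c["alternatives"], c["open_advisories"])
            for c, e in zip(components, sbom["components"])}


if __name__ == "__main__":
    print(json.dumps(assess(COMPONENTS), indent=2))
```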

That's all for today's sharing.

If you have your own thoughts on the article,

please leave us a message,

and let's meet again tomorrow.

Wishing you a happy day!

References: ChatGPT, Baidu Baike

Source: LearningYard Academy
