Upstream Code Dependencies

Question: What projects and libraries does my project depend on?

Description

The goal of this metric is to understand the number and types of code-based dependencies embedded within a piece of open source software. This metric does not explicitly include infrastructure-focused dependencies such as databases and operating systems; those will be developed as a separate metric. By extension, awareness of Upstream Code Dependencies allows a project to evaluate the health and sustainability of each dependency, using other CHAOSS metrics.

Objectives

The Upstream Code Dependency metric is intended to understand the code-based dependencies required to build, test, or run a piece of software. It can help identify which projects, libraries, or versions my project depends on, directly or transitively.

Implementation

Use and dissemination of health metrics may lead to privacy violations. Organizations may be exposed to risks. These risks may flow from compliance with the GDPR in the EU, with state law in the US, or with other laws. There may also be contractual risks stemming from the terms of service of data providers such as GitHub and GitLab. The use of metrics should be assessed for risks and potential data ethics problems. Please see the CHAOSS Data Ethics document for additional guidance.

The Upstream Code Dependency metric can be implemented by analyzing the project's dependency file, or by using existing tools that evaluate the package manager data of the languages in use (e.g., package.json for JavaScript npm, pyproject.toml / requirements.txt for Python, Gemfile / Gemfile.lock for Ruby, etc.). Note: C/C++ generally relies on system package managers. Things get even more complicated with multiple languages, since each language-specific dependency file will need to be scanned.
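As an added example (not code from the CHAOSS page or project), the following Python extracts the direct dependencies from constructed samples of two of the manifest formats named above, a requirements.txt and a package.json, and records for each entry whether it pins a single version, which is the distinction the Parameters section below depends on. The pinning rules (an exact PEP 440 `==` clause counts as pinned; an npm specifier counts as pinned only when it is a bare exact version) and the mapping of devDependencies to the "build" scope are assumptions made for this illustration.

```python
"""Direct upstream code dependencies from two manifest formats, with version pinning.

Added example, not code from the CHAOSS metric page. The two manifests are constructed
sample input, and the pinning rules and the devDependencies -> "build" mapping are
assumptions made for this illustration.
"""
import json
import re
from dataclasses import dataclass

SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
-r base.txt
requests==2.31.0
urllib3>=1.26,<3        # a range, not a pin
pyyaml                  # no version constraint at all
cryptography[ssh]==41.0.7 ; python_version >= "3.7"
"""

SAMPLE_PACKAGE_JSON = """{
  "name": "constructed-sample",
  "dependencies": {"express": "4.18.2", "lodash": "^4.17.21", "left-pad": "*"},
  "devDependencies": {"jest": "~29.7.0"}
}"""

# name, optional [extras], then zero or more comma-separated version clauses
_REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?P<spec>(?:[<>=!~]=?\s*[^;,\s]+\s*,?\s*)*)"
)
# An exact '==' clause; '==1.2.*' contains a wildcard and therefore does not match
_PEP440_EXACT = re.compile(r"==[0-9][A-Za-z0-9.+!-]*")
# npm treats a bare semver as exact; '^', '~', '*', 'x' and ranges float
_NPM_EXACT = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?")


@dataclass(frozen=True)
class Dependency:
    name: str
    specifier: str   # version constraint as written; "" when absent
    pinned: bool     # True only if exactly one version satisfies the constraint
    scope: str       # "runtime", "build" or "test" (the Functional Dependency kinds)


def parse_requirements(text):
    """Direct dependencies declared in a pip requirements file."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):       # blank line or pip option (-r, --index-url)
            continue
        line = line.split(";", 1)[0].strip()       # drop environment marker
        match = _REQ_LINE.match(line)
        if match is None:
            continue
        spec = re.sub(r"\s+", "", match.group("spec"))
        pinned = _PEP440_EXACT.fullmatch(spec) is not None
        deps.append(Dependency(match.group("name").lower(), spec, pinned, "runtime"))
    return deps


def parse_package_json(text):
    """Direct dependencies declared in an npm package.json."""
    data = json.loads(text)
    deps = []
    for field, scope in (("dependencies", "runtime"), ("devDependencies", "build")):
        for name, spec in data.get(field, {}).items():
            pinned = _NPM_EXACT.fullmatch(spec) is not None
            deps.append(Dependency(name, spec, pinned, scope))
    return deps


def summarize(deps):
    """Counts the metric asks for: total, how many are pinned, and which are not."""
    return {
        "total": len(deps),
        "pinned": sum(1 for d in deps if d.pinned),
        "unpinned": sorted(d.name for d in deps if not d.pinned),
        "by_scope": {s: sum(1 for d in deps if d.scope == s) for s in ("runtime", "build", "test")},
    }


if __name__ == "__main__":
    found = parse_requirements(SAMPLE_REQUIREMENTS) + parse_package_json(SAMPLE_PACKAGE_JSON)
    for dep in found:
        print(f"{dep.name:<14} {dep.specifier or '(none)':<22} pinned={dep.pinned} scope={dep.scope}")
    print(summarize(found))
```

The parser deliberately stops at what the manifests declare: the `-r base.txt` include is skipped rather than followed, and nothing here resolves transitive dependencies, which requires a lock file or the package manager's own resolver. Unpinned entries are reported by name because, as the Parameters section notes, they are exactly the dependencies whose version cannot be stated from the manifest alone.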

Parameters

All dependencies counted should include the specific versions used for each dependency. Note that some systems do not support, or do not use, "version pinning" and therefore do not enforce a particular version.

  • Dependency Tree Depth
    • Direct Dependency - first-order dependencies, as declared in the source code and/or the package manager configuration (e.g., requirements.txt, Gemfile, etc.)
    • Transitive Dependency - indirect dependencies, i.e., dependencies beyond the first-order dependencies, also called nested or second-order dependencies. For example, project A under examination depends on project B, and project B depends on project C. For project A, project C is a transitive dependency.
    • Circular Dependency - a dependency which, when followed, eventually leads back to itself. In systems that allow circular dependencies, we assume that a given dependency is counted only once in this case.
  • Dependency state
    • Static Dependency - the dependency is present under all conditions.
    • Dynamic Dependency - the dependency changes with the implementation and other conditions.
  • Dependency on an external service, such as use of an API
  • Functional Dependency - dependencies needed to use the software. Note that certain types of dependencies are generally not included in the count, as explained below. This may be one or more of the following:
    • Build Dependency - code needed to build the piece of software
    • Test Dependency - code needed to test the piece of software
    • Runtime Dependency - code needed to run the piece of software
  • Language runtime dependency details (i.e., the Python runtime environment)? (default no). These details are provided because of the importance of runtime dependencies for assuring quality in safety-critical systems.
    • Often, which language runtime will be used is controlled by the virtual environment, e.g., venv in Python; in Ruby one can often use rbenv or rvm (and the version is often recorded in the "Gemfile" or "Gemfile.lock" and in .ruby-version)
    • PyPI is gradually moving towards "refusing to combine libraries/dependencies" that are inconsistent. It is starting to "break the build".
    • Unfortunately, not all packaging systems have a mechanism for recording version information for all transitive dependencies, even within their own ecosystem (they should, over time)
    • For some systems there are multiple runtimes that may be hard to distinguish. (For example, there are many implementations of Common Lisp, and often any of them will work.)
  • Language built-in libraries counted (e.g., "re" in Python)? (default no)
    • Often, many built-in libraries are dependencies in practice. However, they are usually included "in bulk" by choosing the language implementation, and are typically not included in the count to simplify the analysis.
    • Example: By default, pip freeze does not include these kinds of "bundled with the language" libraries/dependencies.
  • Multiple versions of the same dependency are counted separately. Some systems support multiple versions of the same dependency within the system; in such cases, they are counted separately.
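As an added example (not from the page), the following Python walks a constructed, already-resolved dependency graph to compute the tree-depth parameters listed above: the shortest depth of each dependency (1 = direct, greater than 1 = transitive), every dependency counted once even when several paths or a cycle lead to it, circular edges reported separately, and distinct versions of the same package counted as separate dependencies. The graph, the `name@version` node labelling and the function names are assumptions made for this illustration.

```python
"""Dependency tree depth, transitive and circular dependencies.

Added example, not code from the CHAOSS metric page. SAMPLE_GRAPH is a constructed
resolved dependency graph: each node is "name@version" and maps to the nodes it
declares as dependencies. Multiple versions of one package are distinct nodes.
"""
from collections import deque

SAMPLE_GRAPH = {
    "app@0.1.0": ["libb@1.0", "libc@2.0"],   # the project under examination
    "libb@1.0": ["libd@1.0"],
    "libc@2.0": ["libd@2.0", "libe@0.5"],    # pulls in a second version of libd
    "libd@1.0": ["libb@1.0"],                # circular: libb -> libd -> libb
    "libd@2.0": [],
    "libe@0.5": [],
}


def dependency_depths(graph, root):
    """Shortest depth of every reachable dependency (1 = direct, >1 = transitive).
    Breadth-first traversal with a visited set, so each dependency is counted once
    even when several paths or a cycle lead to it."""
    depth = {}
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        node, d = queue.popleft()
        for dep in graph.get(node, []):
            if dep in seen:
                continue
            seen.add(dep)
            depth[dep] = d + 1
            queue.append((dep, d + 1))
    return depth


def circular_edges(graph, root):
    """Edges (from, to) that lead back to a node on the current path, found by a
    depth-first search with white/grey/black colouring. Following such an edge
    eventually returns to where it started: a circular dependency."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, back = {}, []

    def visit(node):
        colour[node] = GREY
        for dep in graph.get(node, []):
            state = colour.get(dep, WHITE)
            if state == GREY:
                back.append((node, dep))
            elif state == WHITE:
                visit(dep)
        colour[node] = BLACK

    visit(root)
    return back


def upstream_dependency_report(graph, root):
    """Direct and transitive sets, depth, circular edges and multi-version packages."""
    depth = dependency_depths(graph, root)
    versions_by_name = {}
    for node in depth:
        versions_by_name.setdefault(node.rsplit("@", 1)[0], set()).add(node)
    return {
        "direct": sorted(n for n, d in depth.items() if d == 1),
        "transitive": sorted(n for n, d in depth.items() if d > 1),
        "total": len(depth),                       # each dependency counted once
        "max_depth": max(depth.values(), default=0),
        "circular": circular_edges(graph, root),
        "multiple_versions": {n: sorted(v) for n, v in versions_by_name.items() if len(v) > 1},
    }


if __name__ == "__main__":
    for key, value in upstream_dependency_report(SAMPLE_GRAPH, "app@0.1.0").items():
        print(f"{key}: {value}")
```

Two separate traversals are used on purpose: breadth-first search gives the shortest depth and the once-only count, while the depth-first colouring is what actually distinguishes a circular edge from a merely shared dependency (libd@2.0 is reached once here, but a diamond-shaped graph would reach a shared node twice without any cycle being present). In the sample, libd appears in two versions and is therefore counted twice, as the last parameter above requires.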

Note: It is often important to provide information about the major and minor release version of the language runtime.

  • Other counts and analyses require this information. Language runtimes and built-in libraries are often omitted (see above), and this information serves as a shorthand that supplies the missing detail.
  • Example: The Ruby ecosystem supports specifying the language runtime version in Gemfiles and in the .ruby-version file.
  • Example: Python releases from PyPI and Anaconda often select different versions of libraries in different ways.

Filters

  • Trend over time (e.g., do I depend on more or fewer projects than a year ago?)
  • Number of versions of each dependency
  • Number of references to the same dependency

Visualizations

Direct Dependencies

Transitive Dependencies

Circular Dependencies

Tools Providing the Metric

Data Collection Strategies (optional)

Contributors

  • Georg Link
  • Matt Germonprez
  • Sean Goggins
  • Sophia Vargas
  • Kate Stewart
  • Vinod Ahuja
  • David A. Wheeler
  • Arfon Smith
  • Elizabeth Barron
  • Ritik Malik
  • Dhruv Sachdev
  • Duane O'Brien
  • Michael Scovetta

To edit this metric, please submit a change request here: https://github.com/chaoss/wg-risk/blob/master/focus-areas/dependency-risk-assessment/upstream-code-dependencies.md

To reference this metric in software or publications, please use this stable URL: https://chaoss.community/?p=3977
