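@comment{Security assessment model for open source components (software supply chain risk). Normalised from a publisher export: one field per line, double hyphen in pages, acronym protected in title, whitespace stripped from the resolver URL, and the eprint field dropped because it held the DOI URL rather than a preprint identifier.}

@article{doi:10.1142/S021819402550010X,
  author        = {Wang, Ziyan and Huang, Cheng and You, Yang},
  title         = {{OscSe}: A Practical Security Assessment Model for General Open Source Components},
  journal       = {International Journal of Software Engineering and Knowledge Engineering},
  volume        = {35},
  number        = {03},
  pages         = {397--419},
  year          = {2025},
  doi           = {10.1142/S021819402550010X},
  url           = {https://doi.org/10.1142/S021819402550010X},
  abstract      = {Open source components (OSCs) have become a vital part for developing modern applications. The security of these components could affect the overall security of the software depends on them. Thus, the security of an OSC should be evaluated first before integrating to the software. However, the existing models lack generality, and cannot be easily automatic applied to OSCs developed in different programming language. To this end, we propose a security assessment model for OSCs, called the CRAM, which features generality and automation. The proposed model is constructed under the hypothesis that OSC with a larger and more active community is more likely to disclose more vulnerabilities. And it evaluates the security of OSC from its performance in size as well as activities of open source community and vulnerability disclosures. In the experiment section, we present validation and application experiments. In the validation experiment, we find that the basic hypothesis of the proposed model is valid, and there is a positive correlation between the community size as well as activities and vulnerability risk of OSCs. In the application experiment, we further evaluate our approach with large-scale open source components. Our hypothesis is further validated. The most of OSCs in the ecosystem are in line with the hypothesis. Finally, we successfully build the security baseline according to the hypothesis, and 5 vulnerable OSCs classified as vulnerable by our model are analyzed.
The result proves the effectiveness of our model to identify a vulnerable open source ecosystem around the ecosystem.},
  internal-note = {Title names the model OscSe while the abstract calls it CRAM; confirm against the published version. Leading zero in number kept as exported by the journal.},
}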