{"links":{},"metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00223144","sets":["6164:6165:6462:11124"]},"path":["11124"],"owner":"44499","recid":"223144","title":["ソースコード管理のされ方を可視化するパッケージマネージャnpmアドオン"],"pubdate":{"attribute_name":"公開日","attribute_value":"2022-10-17"},"_buckets":{"deposit":"f4bf7f2c-04c4-4262-b37d-426d57413838"},"_deposit":{"id":"223144","pid":{"type":"depid","value":"223144","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"ソースコード管理のされ方を可視化するパッケージマネージャnpmアドオン","author_link":["587228","587232","587231","587224","587229","587227","587230","587233","587225","587226"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"ソースコード管理のされ方を可視化するパッケージマネージャnpmアドオン"},{"subitem_title":"An npm add-on to visualize source code management","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"software supply chain, package manager, dependency transparency","subitem_subject_scheme":"Other"}]},"item_type_id":"18","publish_date":"2022-10-17","item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_18_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"慶應義塾大学環境情報学部"},{"subitem_text_value":"慶應義塾大学SFC研究所"},{"subitem_text_value":"慶應義塾インフォメーションテクノロジーセンター"},{"subitem_text_value":"慶應義塾情報セキュリティインシデント対応チーム"},{"subitem_text_value":"慶應義塾大学環境情報学部"}]},"item_18_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Faculty of Information and Environment Studies, Keio University","subitem_text_language":"en"},{"subitem_text_value":"Keio Research Institute at SFC, Keio University","subitem_text_language":"en"},{"subitem_text_value":"Information Technology Center, Keio University","subitem_text_language":"en"},{"subitem_text_value":"Computer Security Incident Response Team, Keio University","subitem_text_language":"en"},{"subitem_text_value":"Faculty of Information 
and Environment Studies, Keio University","subitem_text_language":"en"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/223144/files/IPSJ-CSS2022089.pdf","label":"IPSJ-CSS2022089.pdf"},"date":[{"dateType":"Available","dateValue":"2024-10-17"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-CSS2022089.pdf","filesize":[{"value":"742.5 kB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"30"},{"tax":["include_tax"],"price":"0","billingrole":"46"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"580b1574-4f62-4132-a1b7-eefc18b4602f","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2022 by the Information Processing Society of Japan"}]},"item_18_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"光澤, 加偉"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"甲斐, 賢"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"ルーク, コリー"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"近藤, 賢郎"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"手塚, 悟"}],"nameIdentifiers":[{}]}]},"item_18_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Kai, Mitsuzawa","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Satoshi, Kai","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Korry, 
Luke","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Takao, Kondo","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Satoru, Tezuka","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_5794","resourcetype":"conference paper"}]},"item_18_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"ユーザがソフトウェアパッケージをインストールする際に,npm 等のパッケージマネージャは当該ソフトウェアやその依存ライブラリの真正性検証や脆弱性の検出等を行う.しかし,ソフトウェアのメンテナンス頻度や開発コミュニティの活発性等,それらのソースコードの管理のされ方までをユーザが意識する事は稀だ.ソースコードの管理のされ方が不透明な場合,メンテナが変わる等の要因でマルウェアが混入されるリスクが生じる.本稿では,ソフトウェアをパッケージマネージャによりインストールする際,そのソフトウェアと依存ライブラリのソースコードの管理のされ方を検証し可視化する機構を npm パッケージマネージャのアドオンとして提案する.本機構はソースコードの管理のされ方の可視化を含む SBOM (Software Bill of Materials) を動的に作成し,当該ソフトウェアが孕むリスクをユーザが事前に把握するのに資する.本稿では,npm パッケージマネージャを元にソフトウェアをインストールする際に使用される本機構の評価に向けた,パッケージ 1 件当たりのソースコードの管理のされ方の検証時間を手動で確認した.","subitem_description_type":"Other"}]},"item_18_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"When users install software packages, package managers such as npm verify the authenticity of the software and its dependent libraries and detect known vulnerabilities in them. However, users are rarely aware of how that source code is managed, such as how frequently the software is maintained and how active its developer community is. When source code management is opaque, events such as a change of maintainers create a risk that malware is introduced into the package. In this paper, we propose, as an add-on to the npm package manager, a mechanism that verifies and visualizes how the source code of the software and its dependencies is managed at the time the package manager installs it. This mechanism dynamically creates an SBOM (Software Bill of Materials) that includes a visualization of the source code management, helping users grasp the software's risks in advance. 
Additionally, as a preliminary evaluation of the implementation, we manually measured the time the mechanism takes to verify the source code management of each package when software is installed with it through the npm package manager.","subitem_description_type":"Other"}]},"item_18_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"658","bibliographic_titles":[{"bibliographic_title":"コンピュータセキュリティシンポジウム2022論文集"}],"bibliographicPageStart":"651","bibliographicIssueDates":{"bibliographicIssueDate":"2022-10-17","bibliographicIssueDateType":"Issued"}}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"created":"2025-01-19T01:23:01.125120+00:00","updated":"2025-01-19T13:29:57.732870+00:00","id":223144}