Software of unknown pedigree (SOUP) for Rust and TypeScript
jayvdb
20 slides
Oct 15, 2024
About This Presentation
Generating SOUP records using Rust
Slide Content
SOUP for Rust and TypeScript
@jayvdb
franklin.ai
franklin.ai: Kubernetes; Rust services wrapping Python AI; Electron frontend
Software of unknown pedigree (SOUP)
Software that has NOT been developed with a known software development process or methodology, or which has unknown or no safety-related properties.
https://en.wikipedia.org/wiki/Software_of_unknown_pedigree
IEC 62304:2006
Software of unknown pedigree (SOUP)
● e.g. programming language compilers/runtimes, and package managers.
● e.g. open source libraries.
● e.g. Docker images, such as "redis".
● GitHub Actions "uses: …" ?
● Helm charts … ?
SOUP records
● For each SOUP:
 – Name
 – Version
 – Manufacturer
 – Any custom requirements
 – Website of bug reports and release notes
 – How is it used in the product
SOUP risk evaluation
● For each SOUP, what is its safety classification (IEC 62304 software safety classes):
 – Class A: No injury or damage to health is possible
 – Class B: Injury is possible, but not serious
 – Class C: Death or serious injury is possible
Non-product dependencies
● Build dependencies
 – Is generated code being formally reviewed? Check it in.
● Test dependencies
 – Are the tests mentioned in the formal product verification protocols?
● Spell checker
● License checker
● Linters
● Optional developer workflow helpers
Doc dependencies
● Are the docs critical to product use?
● Are the doc outputs reviewed?
Collate the SOUP
Three slides show the same dependency tree with a column of ✓/x marks beside the nodes; the second and third slides add a further column headed "cargo lock" and "npm lock" respectively:
● company-product
 – company-lib
  ● Open-source build tool
  ● Open-source test tool
  ● Open-source lib
   – Open-source lib
Marks as extracted from the slides, top to bottom (their assignment to rows is not recoverable from the export):
 – first column, identical on all three slides: ✓ ✓ ✓ x x ✓
 – "cargo lock" column: ✓ ✓ ✓ ✓ ✓ x
 – "npm lock" column: x ✓ ✓ ✓ ✓ x
Collate the SOUP
Two choices:
1) Build SOUP at each level of the dependency tree, put the SOUP into the versioned library packages, and merge the SOUP at the top level.
2) Include lock files in library packages, and build a tool to create the SOUP at the top level, using the lock files.
Both require a manual process or custom tool to create the final unified SOUP list.
I chose option 2
● Distributing lock files in packages is a technical step.
● No significant extra effort during development. No SOUP step for each library version. Library versions are cheap.
● Extra effort occurs at product release, combining all the lock files.
● Only need to consider the versions of libraries included in the release.
I chose Rust
● I used the "cargo_metadata" crate to understand the cargo dependency tree.
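The merge step of option 2, as an added example that is not the talk's own tool (the talk walks the graph with the cargo_metadata crate; this sketch reads Cargo.lock text directly with the standard library only). It drops first-party crates (those with no `source`), merges the remaining crates from several lock files into one list keyed by (name, version), records which lock file pulled each crate in, and flags crates that different lock files resolved to different versions. The two lock-file texts and the company-product / company-lib names are constructed for the example.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One `[[package]]` table of a Cargo.lock. No `source` means a path/workspace crate (first-party); everything else is SOUP.
#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct LockPackage { pub name: String, pub version: String, pub source: Option<String>, pub deps: Vec<String> }

/// A unified SOUP entry; `used_by` names the lock files (product or library) that pulled the crate in.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SoupEntry { pub name: String, pub version: String, pub source: String, pub used_by: BTreeSet<String> }

/// Std-only reader for the v3 Cargo.lock layout: `key = "value"` lines per package
/// plus a multi-line `dependencies = [ ... ]` list. Checksums are ignored here.
pub fn parse_cargo_lock(text: &str) -> Vec<LockPackage> {
    let mut pkgs: Vec<LockPackage> = Vec::new();
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" { pkgs.push(LockPackage::default()); in_deps = false; continue; }
        // Lines before the first table (e.g. `version = 3`) belong to no package.
        let pkg = match pkgs.last_mut() { Some(p) => p, None => continue };
        if in_deps {
            // Entries read "name", or "name 1.2.3" when several versions of a crate coexist.
            if line.starts_with(']') { in_deps = false; }
            else { pkg.deps.push(line.trim_end_matches(',').trim_matches('"').to_string()); }
        } else if let Some((key, val)) = line.split_once(" = ") {
            let val = val.trim_matches('"').to_string();
            match key {
                "name" => pkg.name = val,
                "version" => pkg.version = val,
                "source" => pkg.source = Some(val),
                "dependencies" => in_deps = !val.ends_with(']'), // `[` opens a multi-line list
                _ => {}
            }
        }
    }
    pkgs
}

/// Option 2 from the talk: each library ships its lock file and the unified SOUP list is
/// assembled at product release by merging them, keyed by (name, version), first-party crates dropped.
pub fn collate_soup(locks: &[(&str, &str)]) -> Vec<SoupEntry> {
    let mut merged: BTreeMap<(String, String), SoupEntry> = BTreeMap::new();
    for (label, text) in locks {
        for p in parse_cargo_lock(text) {
            let LockPackage { name, version, source, .. } = p;
            let source = match source { Some(s) => s, None => continue }; // first-party crate: not SOUP
            let key = (name.clone(), version.clone());
            let entry = merged.entry(key).or_insert_with(|| SoupEntry {
                name, version, source, used_by: BTreeSet::new(),
            });
            entry.used_by.insert(label.to_string());
        }
    }
    merged.into_values().collect() // BTreeMap gives a stable, sorted SOUP list
}
/// The same crate at different versions in different lock files: each version is its own
/// SOUP record, but a reviewer should reconcile them before release.
pub fn version_conflicts(soup: &[SoupEntry]) -> Vec<(String, Vec<String>)> {
    let mut by_name: BTreeMap<&str, BTreeSet<&str>> = BTreeMap::new();
    for e in soup {
        by_name.entry(e.name.as_str()).or_default().insert(e.version.as_str());
    }
    by_name.into_iter().filter(|(_, v)| v.len() > 1)
        .map(|(n, v)| (n.to_string(), v.into_iter().map(String::from).collect()))
        .collect()
}
/// Constructed sample lock files (not real projects): the product resolved serde 1.0.210,
/// while the library's own lock file still pins serde 1.0.195.
pub const PRODUCT_LOCK: &str = r#"version = 3
[[package]]
name = "company-lib"
version = "0.3.0"
[[package]]
name = "company-product"
version = "2.0.0"
dependencies = [
 "company-lib",
 "serde",
]
[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "unicode-ident"
version = "1.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;
pub const LIB_LOCK: &str = r#"[[package]]
name = "company-lib"
version = "0.3.0"
[[package]]
name = "serde"
version = "1.0.195"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "unicode-ident"
version = "1.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;
```

Calling `collate_soup(&[("company-product", PRODUCT_LOCK), ("company-lib", LIB_LOCK)])` on the sample yields serde 1.0.195 (used by company-lib), serde 1.0.210 (used by company-product) and unicode-ident 1.0.12 (used by both), and `version_conflicts` reports serde. Two caveats for a real tool: Cargo.lock does not record whether a dependency is a normal, build or dev dependency, so the product/non-product split from the earlier slide needs `cargo metadata` (the `dep_kinds` on its resolve graph), which is what the cargo_metadata crate exposes; and for a pure Rust tree the product's own Cargo.lock already pins the library's transitive crates at the versions that ship, so a library's lock file mainly contributes its build and test tooling, and the conflict list is where the two disagree.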
I chose Rust
● I found an 8-star repo that understood package.json.
● I found a random 0-star repo that understood pnpm lock files. And then needed to create a lib from it.
● Oh, and we need package descriptions from npmjs.net ...
TODO
●Add Python using phylum_lockfile
https://github.com/phylum-dev/cli