The techniques described herein are directed to systems and methods that can be used to monitor and manage the currency of software applications. In particular, the systems and methods are directed to identifying dependencies in software applications, identifying the relationship of the products and technologies that are used in software applications, and providing an interface that can be used to manage the currency of the underlying software applications.
Existing application scanning tools often face lifecycle and coverage challenges. For example, some existing application scanning tools fail to provide full application coverage. More specifically, they fail to accurately identify a significant number of applications on a system.
It is desirable to have an application scanning tool with expanded application coverage. There is also a need for a management tool that allows a user to view scan results, maintain an active record of applications across portfolios, unify applications with common names, and track upgrades of the applications. Select embodiments of the disclosed technology address these needs.
The disclosed technology relates to systems and methods for managing software application currency. The system and method identify a first group from a plurality of software applications, where that first group is subject to currency management. The system and method identify a second group from the plurality of software applications, where that second group is not subject to currency management. For a first software application in the first group, the system and method identify a first dependency by using at least a source code repository corresponding to the first software application. The system and method determine that a first version corresponds to the first dependency, and determine that a second version corresponding to the first dependency is more current than the first version. The system and method identify the first software application for a currency update, based at least on the second version being more current than the first version.
In other aspects, the system and method identify a second dependency for a second application of the first group by using at least a source code repository corresponding to the second application. The system and method determine that the first dependency and the second dependency are the same dependency. The system and method determine that a third version corresponds to the second dependency, and that the third version corresponding to the second dependency is less current than the first version. The system and method identify the second software application as a higher priority for the currency update than the first software application, based at least on the third version being less current than the first version.
In other aspects, the system and method display information representing the first software application, the second software application, the first version corresponding to the first dependency, the second version corresponding to the first dependency, the third version corresponding to the second dependency, a priority for currency update of the first software application, and a priority for currency update of the second software application.
In other aspects, the system and method identify all dependencies for the first software application of the first group by using at least the source code repository corresponding to the first software application. The system and method determine all versions corresponding to all the dependencies, and the system and method display information representing all the versions and all the dependencies.
In other aspects, the system and method identify a total number of dependencies for the first software application of the first group by using at least the source code repository corresponding to the first software application. The system and method display information representing the total number of dependencies for the first software application.
In other aspects, the system and method identify a total number of software applications having a first version that corresponds to the first dependency for the first group of the plurality of software applications. The system and method display information representing the total number of software applications in the first group having the first version that corresponds to the first dependency.
In other aspects, the system and method identify a total number of software applications having the first dependency for the first group of the plurality of software applications. The system and method display information representing the total number of software applications in the first group having the first dependency.
In other aspects, the system and method identify names of all the software applications having the first dependency for the first group of the plurality of software applications. The system and method display information representing the names of all the software applications having the first dependency.
In other aspects, the system and method identify names of software applications in the second group having the first dependency for the second group of the plurality of software applications, by using at least source code repositories. The system and method display information representing the names of the software applications in the second group having the first dependency. The system and method display an option to change the identification of the software applications in the second group having the first dependency from the second group where they are not subject to currency management to the first group where they are subject to currency management.
In other aspects, the system and method identify names of software applications in the second group having the first dependency for the second group of the plurality of software applications, by using at least metadata associated with the software applications in the second group. The system and method display information representing the names of the software applications in the second group having the first dependency. The system and method display an option to change the identification of the software applications in the second group having the first dependency from the second group where they are not subject to currency management to the first group where they are subject to currency management.
In other aspects, the system and method identify third dependencies of a second software application that is not in either the first group or the second group, by using at least a source code repository corresponding to the second software application. The system and method determine that the first dependency corresponds to one of the third dependencies, and display information representing the third dependencies and respective versions.
Various aspects of the described illustrative embodiments may be combined with aspects of certain other embodiments to realize yet further combinations. It is to be understood that one or more features of any one illustration may be combined with one or more features of the other arrangements disclosed.
The following Detailed Description of the technology is better understood when read in conjunction with the appended drawings. For the purposes of illustration, there are shown in the drawings exemplary embodiments, but the subject matter is not limited to the specific elements and instrumentalities disclosed. Components in the figures are shown for illustration purposes only, and may not be drawn to scale.
In the following detailed description, numerous specific details are set forth by way of examples in order to provide a thorough understanding of the relevant teachings. However, it should be apparent to those skilled in the art that the present teachings may be practiced without such details. In other instances, well known methods, procedures, components, and/or circuitry have been described at a relatively high-level, without detail, in order to avoid unnecessarily obscuring aspects of the present teachings.
Essentially all software applications are created with some original source code for certain functions and features, and then libraries or modules containing source code that has already been written and debugged are included or referenced. These included or referenced libraries or modules can be used to accomplish more routine functions or features. In this way, the developer can focus on the new features and functions, without the need to draft new source code from scratch for the rest. For example, a set of library functions may be available to handle input and output to a database or for display of data, and the developer can take advantage of those library functions by including or embedding the libraries in the newly created source code. Different programming languages accomplish this with standard statements, such as “Include xxx” where xxx is the file name of the library that is being referenced.
Software developers usually create, debug and maintain/manage the source code for a project in a development environment, which is typically called an Integrated Development Environment (“IDE”). IDEs are available for the common programming languages, including JAVA, C, Python, and MICROSOFT'S .NET framework. The IDE includes both the source code under development, and the source code or links for the standard libraries that a developer may decide to include. Those standard libraries are generally not static, and they are updated over time with new features, and/or to address security issues. In this way, a standard library might have multiple available versions that can be included, and the developer can select the particular version of a library that they want to include in their project. The different versions can be identified by having different file names corresponding to the different versions, or by their location in different file folders or locations corresponding to the different versions.
Working within the IDE, it is possible to determine which particular library has been included in the source code for a project. This can be done by opening the project source code files and searching for keywords, such as “Include” and then keeping a list of all the libraries that have been included. It is also possible that a library also refers to another library, so it may be necessary to open many of the library source code files as well. That manual process may be slow, but it can identify all the libraries used, included or called by a project, and the versions of those respective libraries.
An operating system, such as MICROSOFT WINDOWS, LINUX and APPLE OS X, also has source code, but the source code may not be provided with the program. Instead, the customer gets executable files. For an open source operating system like LINUX, it is possible for almost anyone to determine which libraries are called and included in the operating system. For closed operating systems, like WINDOWS and OS X, a customer would generally not be able to determine which libraries are called and included in the operating system. Similarly, for standard applications, like word processors, database managers, e-mail applications, contact managers, etc., a customer would generally not be able to determine which libraries are called and included, unless the applications are open source. For operating systems and standard applications, the customers get executable files, and the companies that sell the products are responsible for maintaining and managing the operating system or application.
Beyond the operating system and the standard applications, companies may need software applications that are specifically developed for them or for their particular market. Depending on the company size and how extensive the market might be, those specialized software applications may be developed in-house, or they may be developed or customized under contract for the company. When developed in-house, the programmers might be employees or independent contractors, and the IDE with associated source code files is usually under the control of the company itself. In this way, the company has ready access to the source code files.
When source code is developed by a third party under contract to a company, it is very typical that the developer provides and maintains copies of the IDE with the underlying source code specifically for the benefit of the company. This helps mitigate risk for maintenance and management of the source code, in the event that the developer or programmers go out of business. In this arrangement the contractor would typically manage and maintain the application, under direction from the company, and the company would have access to the IDE or maybe a copy of the IDE.
The systems and methods described herein have particular utility for source code that is developed under contract, but they also have utility for in-house developed source code. Like the libraries that might be included, the source code for an application must also be maintained and managed. For example, a security risk might be exposed in a particular version of a library. A company that has a number of specialized software applications, individually developed and deployed at different times to address particular needs, may find it unduly time consuming to search all of those specialized software applications to determine whether any of them are using the particular version of that library that is at risk. In addition, a company that has a number of specialized software applications will usually want to prioritize the resources that are needed to update those individual specialized software applications. One way to prioritize is by knowing which library versions are used in each of the individual specialized software applications, and then focusing resources to update the software applications having the oldest versions. Another way to prioritize is by the type of dependency. As an example, if the dependency is related to a security framework, then that security dependency might have a higher priority.
Referring to
In the deployed environment 106, there are software applications that need to be currency managed 108, and software applications that do not need to be currency managed 110. The software applications that do not need to be currency managed might include the operating system components, as well as standard applications (word processors, database managers, e-mail applications, contact managers, etc.). The software applications that are currency managed might include the in-house developed software, as well as software that is developed under contract for the company by third-parties. The IDE for software that is developed under contract for the company by third-parties might be part of development environment 102.
The system for currency management 112 takes advantage of the development environment 102 and the deployed environment 106. A database or file is used to track which software applications are subject to currency management 108, and which software applications are not subject to currency management 110. That information is saved in storage 114. The system for currency management 112 includes servers 130, clients 132, user interfaces 134, and network interfaces 136, with associated processors 138 and memory 140. The process of identifying the applications that are and are not subject to currency management is represented by step 120 in
At step 122, the source code files for managed applications are scanned by system 100 to identify dependencies. This may include searches for key words, such as “Include” or other terms that may be associated with dependencies.
At step 124, the versions of the dependencies or libraries are identified. In most instances, versions are sequentially numbered, and a more current version of a dependency will have a higher number. As an example, version 1.2.2 of a library would typically be more current or newer than version 1.2.1. The comparison should be made component by component as numbers rather than as text: version 1.10.0 is newer than version 1.9.3, even though a plain string comparison would order “1.10.0” before “1.9.3”.
The process illustrated in steps 122 and 124 is repeated by system 100 for other managed applications, and the various versions of the dependencies are identified. From those various versions of the dependencies, it is possible to determine which version of a dependency is used in the different software applications. As an example, one managed software application, which is used to track employee cross-selling credits, might use version 1.5.5 of a database query library. Another managed software application, which is used to track employee maternity leave, might use version 1.6.5 of that same database query library. At step 126, it is possible for system 100 to prioritize updates of the software application that is used to track employee cross-selling credits over the software application that is used to track employee maternity leave, based on the different versions of the database query library that are used in each application.
The process described and illustrated in steps 120-126 can be performed on a routine basis, or the steps can be performed based on some external trigger, such as notification of a security risk in a particular library.
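The following is an added illustration of steps 120-126, written for this description and not taken from any implementation of the disclosed system. It scans constructed in-memory source repositories for declared dependencies (Python requirements files and Maven pom.xml fragments stand in for the “Include” statements discussed above), compares versions numerically, ranks the stale applications with security-framework dependencies first and the oldest version first, and answers the external-trigger question of which applications still carry a version below a fixed one. The application names, the library names dbquery and authframework, the LATEST catalogue and the SECURITY_DEPS set are all assumptions made for the example.

```python
"""Dependency currency scan over constructed in-memory source repositories.
Added example for this description; not code from the disclosed system."""
import re
from collections import defaultdict

# Constructed sample repositories: application name -> {file name: contents}.
# Two applications pin the same hypothetical database query library (dbquery)
# at different versions, mirroring the 1.5.5 / 1.6.5 example in the text.
REPOS = {
    "cross_selling_credits": {
        "requirements.txt": "dbquery==1.5.5\nrequests==2.31.0\n",
    },
    "maternity_leave": {
        "requirements.txt": "dbquery==1.6.5\n",
        "pom.xml": ("<dependency><groupId>org.example</groupId>"
                    "<artifactId>authframework</artifactId>"
                    "<version>3.0.1</version></dependency>"),
    },
    "inventory_portal": {
        "pom.xml": ("<dependency><groupId>org.example</groupId>"
                    "<artifactId>authframework</artifactId>"
                    "<version>2.9.0</version></dependency>"),
    },
}

# Assumed catalogue of the most current version known per dependency (in
# practice fed from a package index or an internal artifact repository).
LATEST = {"dbquery": "1.6.5", "requests": "2.31.0", "authframework": "3.1.0"}

# Assumed set of dependencies treated as security frameworks (higher priority).
SECURITY_DEPS = {"authframework"}

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)", re.M)
POM_RE = re.compile(r"<artifactId>\s*([^<]+?)\s*</artifactId>\s*"
                    r"<version>\s*([^<]+?)\s*</version>", re.S)


def version_key(v):
    """Turn '1.10.2' into a tuple so comparison is numeric, not lexical.
    A pre-release tag such as '-rc1' sorts below the plain release."""
    main, _, pre = v.partition("-")
    parts = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    parts = parts + (0,) * (4 - len(parts))      # (1, 2) == (1, 2, 0, 0)
    return parts + ((0, pre) if pre else (1, ""))


def scan_repo(files):
    """Steps 122/124: declared dependencies and their pinned versions."""
    found = {}
    for name, text in files.items():
        if name.endswith("requirements.txt"):
            found.update(REQ_RE.findall(text))
        elif name.endswith("pom.xml"):
            found.update(POM_RE.findall(text))
    return found


def scan_all(repos=REPOS):
    """Dependency -> {application: version} across every managed application."""
    usage = defaultdict(dict)
    for app, files in repos.items():
        for dep, ver in scan_repo(files).items():
            usage[dep][app] = ver
    return usage


def stale_apps(usage=None, latest=LATEST):
    """Rows (app, dep, version, newest) where the pinned version is behind.
    If the catalogue lacks a dependency, the newest version seen is used."""
    usage = usage or scan_all()
    rows = []
    for dep, apps in usage.items():
        newest = latest.get(dep) or max(apps.values(), key=version_key)
        for app, ver in apps.items():
            if version_key(ver) < version_key(newest):
                rows.append((app, dep, ver, newest))
    return rows


def prioritize(usage=None, latest=LATEST, security=SECURITY_DEPS):
    """Step 126: security-framework dependencies first, then per dependency
    the application with the oldest version first."""
    rows = stale_apps(usage, latest)
    return sorted(rows, key=lambda r: (r[1] not in security, r[1], version_key(r[2])))


def affected_by(dep, fixed_in, usage=None):
    """External trigger: applications still below the version that fixes a risk."""
    usage = usage or scan_all()
    return sorted(app for app, ver in usage.get(dep, {}).items()
                  if version_key(ver) < version_key(fixed_in))


if __name__ == "__main__":
    for app, dep, ver, newest in prioritize():
        print(f"{app}: {dep} {ver} -> {newest}")
    print("below authframework 3.1.0:", affected_by("authframework", "3.1.0"))
```

A real scanner would walk cloned repositories on disk and follow each library's own declared dependencies so that transitive inclusions are counted as well; the scan and ranking logic above is otherwise unchanged.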
The software code to perform steps 120-126 can be almost any language that is able to access and parse source code files. Where a company has a number of managed applications in one particular programming language, such as JAVA, it may be advantageous to also use JAVA for the software code to perform steps 120-126. If the company uses .NET, then it may be advantageous to also use .NET for the software code to perform steps 120-126. Regardless of what language is used for the software code to perform steps 120-126, it can be helpful to combine all the results so that priorities can be established across all the applications in a company.
The currency management system 112 may provide a graphical user interface 134 to display the scan results received from the scanner. The graphical user interface 134 may be available to a user or developer through web access. The graphical user interface 134 may provide a complete picture of application dependencies. The graphical user interface 134 may show a current point-in-time picture of all application dependencies. The graphical user interface 134 may display a blueprint of all application dependencies, including scanned and non-scanned application breakdowns as shown in
In one example, developers may review the scan results and link relevant components to a master table stored in database 114. The master table may maintain an active record of products across the portfolio, unify the portfolio through mapping, and start a tracking process that identifies deltas. The currency management system 112 may identify components, products or dependencies from the scan results, and display information with regard to each component, product or dependency in the graphical user interface 134.
The user may visit the graphical user interface 134 through web access.
The graphical user interface 134 may display products not linked to the master table or the master product list stored in database 114 in bold, and also display a “Match” button on the right side of the screen for linking purposes as illustrated in
As shown in
In the examples provided above, the illustrated components and steps are merely examples. Certain other components and other steps may be included or excluded as desired. Further, while a particular order of the steps is illustrated and executed from the perspective of a particular device or system, this ordering is merely illustrative, and any suitable arrangement of the steps and/or any number of systems, platforms, or devices may be used without departing from the scope of the examples provided herein.
The techniques described herein, therefore, allow a centralized search or scan of application dependencies as reflected in source code, the tracking of application dependencies across different systems, and the ability to quickly identify a particular application dependency, with the ability to prioritize resources for upgrades based on the application dependencies. Priorities for upgrades may also be based on other factors, such as security factors.
While there has been shown and described illustrative examples of a centralized search or scan of application dependencies as reflected in source code, the tracking of application dependencies across different systems, and the ability to quickly identify a particular application dependency, with the ability to prioritize resources for upgrades based on the application dependencies, it is to be understood that various other adaptations and modifications may be made within the spirit and scope of the examples herein. For example, certain functionality has been shown and described herein with relation to certain systems, platforms, hardware, devices, and modules. However, the examples in their broader sense are not as limited, and may, in fact, be employed in virtually any software development, management, or maintenance environment, as well as employed by any combination of devices or components discussed herein.
The foregoing description has been directed to specific examples or embodiments. It will be apparent, however, that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium, devices, and memories (e.g., disks/CDs/RAM/EEPROM/etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof. Further, methods describing the various functions and techniques described herein can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media, including media that is local and media that is remote, which might be referred to as “the Cloud.” Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on. In addition, devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, and so on. 
Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example. Instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures. Accordingly this description is to be taken only by way of example and not to otherwise limit the scope of the embodiments herein. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the embodiments herein.
This application claims the benefit of, and priority to, U.S. Provisional Patent Application No. 62/905,674, filed Sep. 25, 2019, entitled CURRENCY SCANNING PROCESS, the full disclosure of which is incorporated herein by reference in its entirety.
Number | Date | Country
---|---|---
62905674 | Sep 2019 | US