With the widespread adoption of open source technology in recent years, China's open source ecosystem has continued to grow. As enterprises use open source software more extensively, they have gradually come to understand open source risks and to pay attention to open source governance. At the same time, a large number of open source projects, open source governance methods and supporting open source governance tools have appeared on the market. For market participants at different levels, the China Academy of Information and Communications Technology has established a trusted open source standard system and carries out evaluation tests covering enterprise open source governance capabilities, open source project compliance, open source community maturity, open source tool testing capabilities and the open source risk management capabilities of commercial products, to help companies reduce the risk of using open source software and promote the establishment of a trusted open source ecosystem.
On September 17, 2021, the latest trusted open source evaluation results of China Academy of
Trusted open source governance capabilities
Industrial and Commercial Bank of China Co., Ltd., Shanghai Pudong Development Bank Co., Ltd., China Merchants Bank Co., Ltd., China Mobile Information Technology Co., Ltd.
Trusted open source community
Apache ShardingSphere, Rancher, TiDB, MOSN
Trusted open source project
Apache ShardingSphere (version number: 5.0.0-beta)
Apache APISIX (version number: 2.8)
Apache Doris (version number: 0.14)
EMQ X (version number: 4.3.6)
OpenMLDB (version number: 0.2.2)
RANCHER (version number: 2.5.9)
Ukylin (version number: 20.04 LTS Pro)
Flomesh Pipy (version number: 0.8.0-31)
Alluxio (version number: 2.6.1)
CyberDog (version number: 1.0.0.66)
Curve (version number: 1.2.1-rc0)
The first batch of trusted open source supply chains-product capabilities
Log Easy - Log Easy V2.0
NetEase Shufan - Qingzhou Microservice 21.0.1 GA
Trusted open source governance tools
Shenzhen Open Source Internet Security Technology Co., Ltd. open source component security and compliance management platform (local deployment version)
China Academy of Information and Communications Technology has completed 46 trusted open source evaluations
Trusted open source evaluation results
Trusted open source governance
Open source use
Industrial and Commercial Bank of China Limited
Agricultural Bank of China Co., Ltd.
Shanghai Pudong Development Bank Co., Ltd.
China Pacific Insurance (Group) Co., Ltd.
China CITIC Bank Co., Ltd.
China Merchants Bank Co., Ltd.
China Mobile Information Technology Co., Ltd.
Spontaneous open source
Tencent Technology (Shenzhen) Co., Ltd.
Trusted open source supply chain
Enterprise Capability
ZTE Corporation
Beijing Xiaomi Mobile Software Co., Ltd.
Product Capability
ZTE T8000 (version: V4.00.10)
Xiaomi Mi 11 MIUI 12.5 (version: V12.5.6.0.RKBCNXM)
Beijing Youtejie Information Technology Co., Ltd. - Log Easy V2.0
Hangzhou Netease Shufan Technology Co., Ltd. - Qingzhou Microservice 21.0.1 GA
Trusted open source community
openEuler
openGauss
MindSpore
openLooKeng
TARS
Tencent Blue Shield Platform BK-CI
Apache ShardingSphere
RANCHER
TiDB
MOSN
Trusted open source project
Tencent Blue Shield platform BK-CI (version: V1.3.0-rc.10)
TARS (version: TarsJava v1.7.2)
Apache APISIX (version: 1.4)
Apache Pulsar (version: 2.6.0)
Apache Kylin (version: 3.1.0)
Tencent Blue Shield platform BK-CI (version: 1.0.0-beta.15)
TARS (version: 2.1.0)
Apache ShardingSphere (version: 4.0.1)
Apache ShardingSphere (version number: 5.0.0-beta)
Apache APISIX (version number: 2.8)
Apache Doris (version number: 0.14)
EMQ X (version number: 4.3.6)
OpenMLDB (version number: 0.2.2)
Rancher (version number: 2.5.9)
Ukylin (version number: 20.04 LTS Pro)
Flomesh Pipy (version number: 0.8.0-31)
Alluxio (version number: 2.6.1)
CyberDog (version number: 1.0.0.66)
Curve (version number: 1.2.1-rc0)
Trusted open source governance tools
- Wangshen Information Technology (Beijing) Co., Ltd. - Qianxin Open Source Guard (SaaS version + local deployment version)
- Suzhou Prism Colorful Information Technology Co., Ltd. - FossEye (SaaS version) + open source governance platform (local deployment version)
- Shenzhen Open Source Internet Security Technology Co., Ltd. - Open source component security and compliance management platform (SaaS version + local deployment version)
- Beijing Ampuno Information Technology Co., Ltd. - Xuanjing Yuanjian open source threat management and control platform (SaaS version + local deployment version)
- National Supercomputing Wuxi Center - Zhongjingniao code review system (SaaS version)
- Xi'an Chico Houde Information Technology Co., Ltd. - Checode open source assistant detection system (local deployment version)
- Synopsys Technology (Shanghai) Co., Ltd. - Synopsys BlackDuck (SaaS version + local deployment version)
- JFrog Technology (Beijing) Co., Ltd. - JFrog X-Ray (local deployment version)
Introduction to Trusted Open Source Evaluation
Trusted Open Source Governance Evaluation
For user companies: evaluated for enterprise users who use open source software. The widespread use of open source software places higher requirements on enterprises' open source governance capabilities from the perspective of security and compliance. In view of the risks enterprise users face when using open source software, the evaluation focuses on the company's capabilities in organizational mechanisms, management systems, risk management, software evaluation and selection, technology use management, technology operation and maintenance management, regular health assessment, and software exit management. According to the actual stage of the company's open source governance, results are graded as basic level, enhanced level or advanced level.
For spontaneous open source companies: evaluated for companies that initiate their own open source projects. The focus is on how well the enterprise has standardized nine aspects: open source governance organization structure, open source project management system, open source tool platform construction, open source project application, open source project approval, open source project release, open source project operation and maintenance, open source community management, and open source project closure.
Trusted open source supply chain evaluation
The evaluation object is a software provider that delivers commercial solutions based on open source software, or a cloud service provider that delivers cloud services. The evaluation helps software and cloud service providers standardize the processes and systems for introducing, developing and delivering open source software, and helps companies reduce open source supply chain risks.
Evaluation types are divided into enterprise open source supply chain risk management capability assessment and product open source supply chain risk management capability assessment.
Trusted open source community evaluation
The evaluation object is the open source community (open source community = people + project + infrastructure platform). A good open source community helps open source projects build a healthy open source ecosystem and expand their influence. The trusted open source community evaluation, from the perspectives of infrastructure, community governance, community operations and community development, sets out the content and indicators an open source community should attend to, and focuses on how to build an active developer ecosystem and a trusted open source community.
Trusted open source project evaluation
The evaluation object is the community version of an open source project. The evaluation examines the project's capabilities in six aspects: license compliance, software security, software activity, technical maturity, service support and software compatibility; comprehensively measures the health of the community version; and provides open source project users with a reference basis for selection.
Evaluation of trusted open source governance tools
The evaluation object is an open source component scanning tool with software composition analysis and security analysis functions. The evaluation covers the tool's basic capabilities, technical support capabilities, ease of use, deployment capabilities, security and compatibility, to help standardize and improve the quality of open source governance tools, and at the same time provides a selection reference for open source user companies that purchase such tools.
Evaluation types are SaaS version evaluation, local deployment version evaluation, and SaaS version + local deployment version evaluation.