A software trusted identification method based on distributed digital identity

By adopting a software trusted identification method based on distributed digital identity, the bottlenecks of cross-organizational mutual recognition and traceability of traditional software identification methods are solved. It realizes the uniqueness and cross-domain mutual recognition of software identity, improves component transparency and vulnerability response efficiency, reduces system integration difficulty, and enhances the ease of use of software supply chain governance.

CN122174240APending Publication Date: 2026-06-09HUZHOU COLLEGE

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HUZHOU COLLEGE
Filing Date
2026-03-09
Publication Date
2026-06-09

Smart Images

  • Figure CN122174240A_ABST
    Figure CN122174240A_ABST
Patent Text Reader

Abstract

This invention discloses a software trusted identification method based on distributed digital identity, comprising the following steps: Step 1, creation and storage of distributed digital identity for software; Step 2, intelligent generation of multi-source heterogeneous software bill of materials; Step 3, dynamic vulnerability management; Step 4, ensuring data flow and security. This invention achieves uniqueness, immutability, and cross-domain mutual recognition of software identity by constructing a distributed software identification system based on the W3C DID standard and combining a consortium blockchain and the InterPlanetary File System (IPS) dual storage engine; it achieves automatic extraction of dependencies from multiple heterogeneous projects and generation of dual-format software bill of materials files through a multi-language adapted intelligent software bill of materials parsing engine; it achieves accurate matching of component versions and vulnerabilities and minute-level response by constructing a local dynamic vulnerability database and introducing a semantic association rule engine; and it achieves decoupling and flexible expansion of identification management, software bill of materials generation, and vulnerability scanning through modular toolchain design.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the fields of software supply chain security and blockchain technology, and in particular to a software trusted identification method based on distributed digital identity. Background Technology

[0002] In today's global digital wave, software supply chain security has become a core issue concerning the foundation of the digital economy and national cybersecurity. Frequent global data breaches have heightened the need for open-source component governance, but traditional identification methods have significant shortcomings, failing to meet cross-organizational mutual recognition requirements. This results in a lack of a trusted identification system to support industry security and compliance in the software supply chain. Open-source software and components have become an indispensable core part of modern software; however, current software bill of materials standards are not yet fully implemented, and software identity authentication and vulnerability tracing have significant weaknesses.

[0003] The current software supply chain security faces four core issues: First, the lack of software identification standards and trust bottlenecks. Traditional identification uses centralized management and lacks a unified international standard, making cross-organizational and cross-platform mutual recognition difficult. Identifiers are also easily tampered with, resulting in insufficient trust in software identities. Simultaneously, on-chain storage information is redundant, key management is simplistic, and the risk of private key loss is high, failing to balance decentralization and ease of use. Second, there are bottlenecks in open-source component traceability technology. Existing SCA tools only support component parsing in a single or limited language, lacking sufficient parsing capabilities for multi-language heterogeneous components. Furthermore, the software bill of materials generation format is singular, unable to achieve automatic dual-format conversion, leading to software... The system suffers from several problems: low transparency, reliance on graph visualization, and low efficiency in tracing vulnerabilities; delayed vulnerability response, reliance on static scanning tools and network requests to query public vulnerability databases, lack of local dynamic vulnerability database support, untimely vulnerability data updates, and long vulnerability discovery cycles; lack of a semantic association rule engine, making it difficult to accurately match component versions with vulnerability characteristics and achieve three-dimensional association analysis of "identifier-component-vulnerability"; high system coupling and low development efficiency, with low modularity of existing toolchains, tight coupling of functions, and difficulty in flexible expansion and integration; and high barrier to entry for blockchain operation, making it difficult for ordinary users to get started quickly, which restricts the popularization of software supply chain governance. Summary of the Invention

[0004] The purpose of this invention is to provide a software-trusted identification method based on distributed digital identity to address the shortcomings of existing identification methods.

[0005] Technical solution A software-trusted identification method based on distributed digital identity includes the following steps: Step 1: In response to a user's identification request for a target software entity, generate a unique distributed digital identity identifier and a distributed digital identity document for the software; store the distributed digital identity document on the consortium blockchain, and store the software package and its software bill of materials data associated with the target software entity in the InterPlanetary File System (IPS); write the file hash value returned by the IPS into the distributed digital identity document, and establish a mapping relationship between the software distributed digital identity identifier and the software package and software bill of materials data on the IPS; Step 2: Automatically identify the project type of the target software entity, call the corresponding dependency resolver based on the identification result, and extract component dependency information; based on the extracted component dependency information, generate a software bill of materials file and visualize the component dependency graph. Step 3: Synchronize vulnerability data, build and update the local vulnerability database in real time; use a semantic association rule engine to match the components in the software bill of materials file with the vulnerabilities in the local vulnerability database, and output an audit report containing details of the affected components and vulnerabilities; Step four: Throughout the entire process of file upload, software bill of materials generation, and vulnerability scanning, data association and evidence storage are performed based on the software's distributed digital identity, and the interactive data is transmitted in encrypted form. Preferably, the software bill of materials file conforms to both SPDX and CycloneDX standards.

[0006] Preferably, in step one, the prefix of the software distributed digital identity is dynamically generated according to the type of the identified object; the consortium blockchain is Chang'an Chain, which uses an algorithm to construct a multi-node consortium blockchain network; the distributed digital identity document includes: public key information and service endpoint information, wherein the service endpoint information points to software package or software bill of materials data stored on the InterPlanetary File System.

[0007] Preferably, step two specifically includes: detecting characteristic files in the root directory of the target software project and determining the project type, wherein the project type includes: Java / Maven, NodeJS / npm, or Golang / Go Modules; Depending on the project type, the pom.xml, package.json, or go.mod files are parsed to extract dependency information such as component names and version numbers; based on the dependency information, software bill of materials files in JSON and XML formats are generated.

[0008] Preferably, in step four, encrypting the transmission of interactive data specifically includes: using the HTTPS protocol for transport layer encryption, and managing the user key in a managed mode or a semi-managed mode; in the managed mode, the system manages the user key on behalf of the user, while in the semi-managed mode, the user manages the private key independently or through a key management service.

[0009] Preferably, in step three, the local vulnerability database is an SQLite database; the matching process of the semantic association rule engine includes: reading the component name and version number in the software bill of materials file, searching in the local vulnerability database, and using a semantic version comparison algorithm to determine whether the version of the current component is within the range of versions affected by the vulnerability.

[0010] Preferably, step three further includes: introducing an AI-assisted analysis model to perform semantic analysis on the vulnerability description.

[0011] Preferably, the distributed digital identity document is stored in string form; the distributed digital identity document is managed throughout its entire lifecycle through smart contracts deployed on the consortium blockchain.

[0012] A software-based trusted identification system based on distributed digital identity includes: The distributed software identification module includes a consortium blockchain network and an interplanetary file system distributed storage system. The consortium blockchain network is used to store software distributed digital identity documents that conform to W3C standards, and the interplanetary file system is used to store software packages and software bill of materials data. The intelligent parsing module for multi-source heterogeneous software bill of materials includes a project type identification module, a dependency parsing module, and a software bill of materials generation module. The project type identification module is used to identify the project type of the target software. The dependency parsing module is used to extract component dependency information based on the project type. The software bill of materials generation module is used to generate software bill of materials files and dependency graphs in both SPDX and CycloneDX formats. The dynamic vulnerability management module includes a local vulnerability database construction module, a vulnerability matching module, and a report generation module. The local vulnerability database construction module is used to synchronize data, the vulnerability matching module is used to perform semantic association matching between components in the software bill of materials and vulnerabilities in the local vulnerability database, and the report generation module is used to output audit reports. The supply chain security collaboration module includes a front-end visual interface and a back-end service module. The front-end visual interface is used to interact with users, and the back-end service module is used to coordinate the workflow of the distributed software identification module, the multi-source heterogeneous software bill of materials intelligent parsing module, and the dynamic vulnerability management module.

[0013] Preferably, the dynamic vulnerability management module further includes: an AI-assisted analysis module, which is used to perform semantic analysis on vulnerability descriptions; the backend service module of the supply chain security collaboration module adopts a dual backend architecture.

[0014] Beneficial effects This invention constructs a distributed software identification system based on the W3C DID standard, combining a consortium blockchain and the InterPlanetary File System (IPS) dual storage engine to achieve uniqueness, immutability, and cross-domain mutual recognition of software identities. Through a multi-language-adaptive intelligent software bill of materials (BOM) parsing engine, it automatically extracts dependencies from heterogeneous projects such as Java, NodeJS, and Golang, and generates SPDX / CDX dual-format BOM files. By constructing a local dynamic vulnerability database and introducing a semantic association rule engine, it achieves accurate matching of component versions and CVE vulnerabilities with minute-level response. Through a modular toolchain design, it decouples and flexibly expands functions such as identification management, BOM generation, and vulnerability scanning, lowering the system integration threshold. Specifically: 1. To solve the problem of standardization of identification, the system randomly generates a unique distributed digital identity. The prefix will be changed according to the type of identification object selected by the user, which is independent of software features. Based on the W3C DID standard, a distributed identification system is built. The system adopts the Chang'an Chain 5-node consortium chain and the InterPlanetary File System distributed storage to form a dual trusted anchor point to ensure that the identification is tamper-proof. The system also reduces the risk of private key loss through dual-mode key management and achieves seamless cross-organizational mutual recognition. 2. Break through the bottleneck of component traceability, develop a multi-language-adaptive intelligent parsing engine for software bill of materials, support dependency extraction of heterogeneous components such as Java / Maven, NodeJS / npm, Golang / Go Modules, realize automatic conversion of SPDX / CDX dual formats and visualization of dependency graphs, and improve component transparency and traceability efficiency; 3. Establish a dynamic vulnerability governance system, build a local dynamic vulnerability database, and ensure data timeliness through real-time synchronization and incremental deduplication algorithms; introduce AI-assisted vulnerability analysis and semantic association rule engine to shorten vulnerability response time from weekly to minute-level, accurately locate high-risk vulnerabilities, and generate visualized security audit reports.

[0015] 4. It adopts a modular toolchain and dual-mode interaction, using a SpringBoot + Flask dual-backend modular design to achieve plug-and-play functionality for core functions, reducing system coupling and improving ease of use; it integrates a global AI assistant, software bill of materials format recommendation and log AI early warning functions, coupled with a dual-mode interaction platform, to lower the barrier to entry and improve operational efficiency. Attached Figure Description

[0016] Figure 1This is a schematic diagram of the method steps of the present invention; Figure 2 This is a schematic diagram of the architecture integration process of the present invention; Figure 3 This is a schematic diagram of the overall architecture hierarchy of the present invention; Figure 4 This is a schematic diagram of the user interaction layer of the present invention; Figure 5 This is a schematic diagram of the evidence storage layer of the present invention; Figure 6 This is a schematic diagram of the system architecture of the present invention; Figure 7 This is a schematic diagram of the intelligent generation process of the multi-source heterogeneous software bill of materials according to the present invention; Figure 8 This is a schematic diagram of the security audit report of the vulnerability management system in step three of this invention. Figure 1 ; Figure 9 This is a schematic diagram of the security audit report of the vulnerability management system in step three of this invention. Figure 2 ; Figure 10 This is a schematic diagram of the front-end visual interface of the present invention; Figure 11 This is a schematic diagram illustrating the real-time generation results of vulnerability scanning in this invention; Figure 12 This is a schematic diagram of the AI ​​assistant of the present invention; Figure 13 This is a schematic diagram of the process from document upload, evidence storage, software bill of materials generation to vulnerability scanning in this invention. Figure 14 This is a schematic diagram of the blockchain network architecture of the present invention; Figure 15 This is a schematic diagram of the spectrum visualization required by the present invention; Figure 16 This is a schematic diagram of the registration interface in the normal mode of this invention; Figure 17 This is a schematic diagram of the advanced mode registration interface of the present invention; Figure 18 This is a schematic diagram of the login interface of the present invention. Detailed Implementation

[0017] The technical solution of the present invention will be further described below with reference to the embodiments and accompanying drawings.

[0018] Distributed Digital Identity (DID): A decentralized identifier based on W3C standards, used to uniquely identify software entities and supporting verifiable credentials; Software Bill of Materials (SBOM): A standardized list of software components, in formats including SPDX (Software Package Data Exchange) and CDX (CycloneDX). Chang'an Chain: A domestic consortium blockchain platform that supports smart contracts and efficient consensus for identification and evidence storage; IPFS: InterPlanetary File System, a distributed storage protocol used to store package hashes to ensure traceability; CVE: Common Vulnerability Disclosure Standard, a source of vulnerability database records; Modular toolchain: Decouples functions into independent modules and integrates them through APIs to improve flexibility; Blockchain: A decentralized "digital ledger" technology; SPDX: An international standard format used to generate software bills of materials. SPDX format bills of materials can list all components in the software in detail, such as open source libraries, their versions, and license information, helping users understand the software composition.

[0019] CDX: Another lightweight international SBOM standard format, similar to SPDX, with a greater emphasis on simplicity and efficiency; SCA: A technology used to identify open-source components used in software, detect security vulnerabilities, and manage license compliance.

[0020] Smart Contracts: Solidity 0.8.4 like Figure 1-6 As shown, a software trusted identification method based on distributed digital identity includes the following steps: In this embodiment, step one: In response to a user's request for identification of a target software entity, the system generates a unique distributed digital identity identifier for the software and a corresponding distributed digital identity document. The distributed digital identity identifier for the software follows the W3C DID standard, for example, "did:chain:QmX1...", where the prefix is ​​dynamically adjusted according to the type of the identified object. The system stores the generated distributed digital identity document on the Chang'an Chain consortium blockchain, which contains 5 nodes, uses the PBFT consensus algorithm, and can tolerate 1 / 3 node failures. Simultaneously, the software package associated with the target software entity and its software bill of materials data are stored in the InterPlanetary File System (IPS). The file hash value returned by the IPS is written into the server endpoint field of the distributed digital identity document, establishing a mapping relationship between the distributed digital identity identifier for the software and the software package and software bill of materials data on the IPS. An example of a distributed digital identity document is as follows: { "did": "did:software:Test1", "controller": "#signing-key", "publicKey": [{ "id": "#signing-key", "type": "Ed25519VerificationKey2020", "controller": "#signing-key", "publicKeyMultibase": "ze451a3e159132c237e073a08c2275b2dafyyk" }], "service": [{ "id": "#licensing", "type": "DigitalLicenseService", "serviceEndpoint": "ipfs: / / QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco" }] } Step two, as Figure 7 As shown, the system automatically identifies the project type of the target software entity, calls the corresponding dependency resolver based on the identification result, and extracts component dependency information. Based on the extracted component dependency information, it generates software bill of materials files in JSON and XML formats according to the SPDX2.3 and CycloneDX1.4 standards, respectively, and visually displays the component dependency graph, such as... Figure 15 As shown; Step 3: The system synchronizes vulnerability data, builds and updates a local SQLite database in real time. This local SQLite database stores over 10,000 CVE records and is updated daily. Using a semantic association rule engine, the components in the software bill of materials file generated in Step 2 are matched against vulnerabilities in the local vulnerability database. A semantic version comparison algorithm is used to determine whether the component version is within the scope of the vulnerability's impact. The matching results generate an audit report in HTML format, such as... Figure 8-9 As shown, it includes vulnerability details, severity level, remediation suggestions, and supports visual display. Step four, as Figure 10-11 As shown, throughout the entire process of file upload, software bill of materials generation, and vulnerability scanning, the system uses distributed digital identity for data association and storage. All interactive data is transmitted encrypted using the HTTPS protocol to ensure data security. In a further implementation of this embodiment, in step one, the prefix of the software distributed digital identity is dynamically generated according to the type of the identified object. For example, software objects use "did:software", and organization objects use "did:organization".

[0021] like Figure 14 As shown, the consortium blockchain uses the Chang'an Chain and consists of 3 organizations with a total of 5 nodes. It deploys smart contracts to achieve full lifecycle management of distributed digital identities. The distributed digital identity document contains public key information and service endpoint information. The public key information is of type Ed25519VerificationKey2020, and the service endpoint points to package or software bill of materials data stored on the InterPlanetary File System, enabling rapid location.

[0022] In a further implementation of this embodiment, the software's bill of materials (BOM) file generation supports two international standard formats: SPDX and CycloneDX. Specifically, the SPDX format generates a JSON file according to the SPDX 2.3 standard, and the CycloneDX format generates an XML file according to the CycloneDX 1.4 standard. Users can choose the format as needed, or the system can automatically recommend one.

[0023] In a further implementation of this embodiment, step two includes the following specific steps: It detects characteristic files in the root directory of the target software project: pom.xml or build.gradle for Java projects, package.json for Node.js projects, and go.mod for Go projects. Analysis based on project type: In a Node.js project, directly parse the package.json file to extract the component names and versions from the dependencies and devDependencies. For Java projects, prioritize using Syft tools to analyze and extract Maven or Gradle dependencies; if failure occurs, parse the pom.xml file to obtain dependency coordinates. In a Go project, attempt to execute the command `go list -m all` to retrieve all module dependencies; if this fails, parse the `go.mod` file. Based on the extracted dependency information, JSON files in SPDX format and XML files in CycloneDX format are generated, and dependency graphs are generated using libraries such as ECharts.

[0024] In a further implementation of this embodiment, step four uses the HTTPS protocol for transport layer encryption, such as... Figure 16 , 17 As shown, user key management offers two modes: Managed mode: The system manages user keys on behalf of users. This mode is suitable for ordinary users. The private key is securely stored by the system and can be used immediately upon login.

[0025] Semi-managed mode: Users manage their private keys themselves or through a key management service. The private keys do not leave the user's device. This mode is suitable for advanced users and enhances security.

[0026] In a further implementation of this embodiment, in step three, the local vulnerability database uses an SQLite database to store information such as CVE number, vulnerability description, severity level, affected component package name, and version range. The vulnerability matching process is as follows: read the name and version number of each component in the software bill of materials file, search for matching component package names in the local vulnerability database, then use a semantic version comparison algorithm to determine whether the current version falls within the range of versions affected by the vulnerability, summarize all matching results, and sort them by severity.

[0027] Further implementations of this embodiment, such as... Figure 12 As shown, step three further includes: introducing AI-assisted analysis models, such as a BERT-based text classification model, to perform semantic analysis on vulnerability descriptions and extract key features to enhance matching accuracy. For example, when a component version description is inaccurate, the AI ​​model can combine the contextual information in the vulnerability description to determine whether it is affected, achieving a three-dimensional correlation analysis of "software distributed digital identity - component - vulnerability" and reducing the false positive rate.

[0028] In a further implementation of this embodiment, the distributed digital identity document is stored in string form, which can support subsequent expansion and updates. The distributed digital identity is managed throughout its entire lifecycle, including issuance, update, and cancellation, through deployed smart contracts. The smart contracts include methods for creating distributed digital identities, updating distributed digital identity documents, and revoking distributed digital identities, ensuring the traceability and immutability of operations.

[0029] Example 2 A software-based trusted identification system based on distributed digital identity includes: The distributed software identification module includes: a consortium blockchain network unit and an interplanetary file system distributed storage unit. The consortium blockchain network unit is used to store software distributed digital identity documents that conform to W3C standards, and the interplanetary file system distributed storage unit is used to store software packages and software bill of materials data. The intelligent parsing module for multi-source heterogeneous software bill of materials includes a project type identification unit, a dependency parsing unit, and a software bill of materials generation unit. The project type identification unit is used to identify the project type of the target software, the dependency parsing unit is used to extract component dependency information based on the project type, and the software bill of materials generation unit is used to generate software bill of materials files and dependency graphs in both SPDX and CycloneDX formats. The dynamic vulnerability management module includes a local vulnerability database construction unit, a vulnerability matching unit, and a report generation unit. The local vulnerability database construction unit is used to synchronize data and build and update the local vulnerability database. The vulnerability matching unit is used to semantically match the components in the software bill of materials with the vulnerabilities in the local vulnerability database. The report generation unit is used to output audit reports. The supply chain security collaboration module includes a front-end visual interface unit and a back-end service unit. The front-end visual interface unit is used to interact with users, while the back-end service unit is used to coordinate the workflows of the distributed software identification module, the multi-source heterogeneous software bill of materials intelligent parsing module, and the dynamic vulnerability management module.

[0030] In a further implementation of this embodiment, the dynamic vulnerability management module also includes an AI-assisted analysis unit. The AI-assisted analysis unit performs semantic analysis on vulnerability descriptions based on open-source or commercial large language models, thereby assisting the vulnerability matching module in improving accuracy.

[0031] The supply chain security collaboration module employs a dual-backend architecture of Spring Boot and Flask. Spring Boot handles user management and distributed digital identity status maintenance, while Flask handles computationally intensive tasks such as software bill of materials parsing and vulnerability scanning. Communication via RESTful APIs enables functional decoupling and flexible expansion. The module also integrates a global AI assistant that answers user questions using a knowledge base, provides software bill of materials format recommendations, and log alerts, enhancing the user experience.

[0032] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A software trusted identification method based on distributed digital identity, characterized in that, Includes the following steps: Step 1: In response to a user's identification request for a target software entity, generate a unique distributed digital identity identifier and a distributed digital identity document for the software; store the distributed digital identity document on the consortium blockchain, and store the software package and its software bill of materials data associated with the target software entity in the InterPlanetary File System (IPS); write the file hash value returned by the IPS into the distributed digital identity document, and establish a mapping relationship between the software distributed digital identity identifier and the software package and software bill of materials data on the IPS; Step 2: Automatically identify the project type of the target software entity, and call the corresponding dependency resolver based on the identification result to extract component dependency information; Based on the extracted component dependency information, a software bill of materials file is generated, and the component dependency graph is visualized. Step 3: Synchronize vulnerability data, build and update the local vulnerability database in real time; use a semantic association rule engine to match the components in the software bill of materials file with the vulnerabilities in the local vulnerability database, and output an audit report containing details of the affected components and vulnerabilities; Step four involves associating and storing data based on the distributed digital identity identifier of the software throughout the process, and encrypting and transmitting the interactive data. The entire process includes file uploading, software bill of materials generation, and vulnerability scanning.

2. The software trusted identification method based on distributed digital identity according to claim 1, characterized in that, The software bill of materials (BOM) document standards include SPDX and CycloneDX.

3. The software trusted identification method based on distributed digital identity according to claim 1, characterized in that, In step one, the prefix of the software distributed digital identity is dynamically generated according to the type of the identified object; the consortium blockchain is Chang'an Chain, which uses an algorithm to construct a multi-node consortium blockchain network; the distributed digital identity document includes: public key information and service endpoint information, wherein the service endpoint information points to software package or software bill of materials data stored on the InterPlanetary File System.

4. The software trusted identification method based on distributed digital identity according to claim 1, characterized in that, Step two specifically includes: detecting characteristic files in the root directory of the target software project and determining the project type, which includes: Java / Maven, NodeJS / npm, or Golang / Go Modules; Depending on the project type, the pom.xml, package.json, or go.mod files are parsed to extract dependency information such as component names and version numbers; based on the dependency information, software bill of materials files in JSON and XML formats are generated.

5. The software trusted identification method based on distributed digital identity according to claim 1, characterized in that, In step four, encrypting the transmission of interactive data specifically includes: using the HTTPS protocol for transport layer encryption, and managing the user key in a managed mode or a semi-managed mode; in the managed mode, the system manages the user key on behalf of the user, while in the semi-managed mode, the user manages the private key independently or through a key management service.

6. The software trusted identification method based on distributed digital identity according to claim 1, characterized in that, In step three, the local vulnerability database is an SQLite database; the matching process of the semantic association rule engine includes: reading the component name and version number in the software bill of materials file, searching in the local vulnerability database, and using a semantic version comparison algorithm to determine whether the version of the current component is within the range of versions affected by the vulnerability.

7. The software trusted identification method based on distributed digital identity according to claim 1, characterized in that, Step three further includes: introducing an AI-assisted analysis model to perform semantic analysis on the vulnerability description.

8. The software trusted identification method based on distributed digital identity according to claim 1, characterized in that, The distributed digital identity document is stored in string form; the distributed digital identity document is managed throughout its entire lifecycle through smart contracts deployed on the consortium blockchain.

9. A software-trusted identification system based on distributed digital identity, used to implement the method according to any one of claims 1 to 8, characterized in that, include: The distributed software identification module includes a consortium blockchain network unit and an interplanetary file system distributed storage unit. The consortium blockchain network unit is used to store software distributed digital identity documents that conform to W3C standards, and the interplanetary file system distributed storage unit is used to store software packages and software bill of materials data. The intelligent parsing module for multi-source heterogeneous software bill of materials includes a project type identification unit, a dependency parsing unit, and a software bill of materials generation unit. The project type identification unit is used to identify the project type of the target software. The dependency parsing unit is used to extract component dependency information according to the project type. The software bill of materials generation unit is used to generate software bill of materials files and dependency graphs in both SPDX and CycloneDX formats. The dynamic vulnerability management module includes a local vulnerability database construction unit, a vulnerability matching unit, and a report generation unit. The local vulnerability database construction unit is used to synchronize data, the vulnerability matching unit is used to perform semantic association matching between components in the software bill of materials and vulnerabilities in the local vulnerability database, and the report generation unit is used to output an audit report. The supply chain security collaboration module includes a front-end visual interface unit and a back-end service unit. The front-end visual interface unit is used to interact with users, and the back-end service unit is used to coordinate the workflow of the distributed software identification module, the multi-source heterogeneous software bill of materials intelligent parsing module, and the dynamic vulnerability management module.

10. The software trusted identification system based on distributed digital identity according to claim 9, characterized in that, The dynamic vulnerability management module also includes an AI-assisted analysis unit, which is used to perform semantic analysis on vulnerability descriptions; the supply chain security collaboration module adopts a dual-backend architecture.