Information processing device, information processing method, and information processing program

The information processing device and method address the challenge of OSS failure impact identification by using two databases to track OSS dependencies and development information, enabling efficient OSS failure management in complex systems.

JP7872584B2 · Active · Publication Date: 2026-06-10 · COVALENT株式会社

Patent Information

Authority / Receiving Office: JP · JP
Patent Type: Patents
Current Assignee / Owner: COVALENT株式会社
Filing Date: 2022-09-10
Publication Date: 2026-06-10


Abstract

To specify an influence of failure due to open source software on a prescribed product or service in which a plurality of pieces of open source software are installed.

SOLUTION: An information processing apparatus of the present disclosure comprises a control unit which executes steps of: acquiring first information about a source code having a defect with respect to a source code group of a plurality of programs constituting a plurality of pieces of open source software installed in a product or a service; inputting the first information to a first database and searching the first database for a plurality of source codes on which the first information exerts an influence; and inputting second information about the plurality of searched source codes to a second database and acquiring a development object on which the second information exerts an influence from the second database.

SELECTED DRAWING: Figure 3

Description

【Technical Field】 【0001】 The present invention relates to an information processing apparatus, an information processing method, and an information processing program for managing the occurrence of failures caused by open source software in a predetermined product or service in which a plurality of open source software is implemented. 【Background Art】 【0002】 In recent years, the development of software using open source software (OSS) has been booming. Here, in the GPL (GNU General Public License), which is one of the OSS licenses, when a failure occurs in the OSS itself, the creator is not responsible for the correction. Therefore, the user of the OSS has to wait for a technician on the Internet to correct it for free or correct it himself. 【0003】 In addition, there are some failures of OSS that spread to software that indirectly uses the OSS. On the other hand, when the OSS is updated, the influence can also spread to the software that indirectly uses the OSS. Then, there is a risk of omission of correction between OSSs having a call relationship. 【0004】 Here, Patent Document 1 discloses a technique for presenting a correction candidate location based on the degree of certainty to be changed when reflecting the changed location due to the version change of the reference source code for the customized reference source code. 【Prior Art Documents】 【Patent Documents】 【0005】 【Patent Document 1】 Japanese Patent No. 6507940 【Summary of the Invention】 【Problems to be Solved by the Invention】 【0006】 In traditional product and service development, the software implemented in them was managed and operated by the company developing the product or service. In this case, even if a defect was discovered in the software, the company developing the product or service could relatively easily identify its impact. 
However, with the recent rise of open-source software (OSS) development, where multiple open-source software components are implemented in products and services, if a problem occurs in the product or service due to an open-source software issue, it can become difficult for the company developing the product or service to identify its impact. 【0007】 Here, according to the technology described in Patent Document 1, even if the base source code is customized, the potential areas for modification due to version changes in the base source code are presented, which seems to make it easier to identify the impact of changes to OSS. However, in recent products and services that implement multiple OSS, it has been found that the management of these multiple OSS and the management of the development information of the product or service may be carried out separately, and that in such cases it is still difficult to identify the impact of changes to OSS with conventional technology. 【0008】 The purpose of this disclosure is to identify the impact of open-source software-related failures on a given product or service that implements multiple open-source software programs. 【Means for Solving the Problem】 【0009】 The information processing device disclosed herein is an information processing device that manages the occurrence of failures caused by open source software in a predetermined product or service on which multiple open source software programs are implemented. 
The information processing device includes a control unit that performs the following: obtaining first information concerning a defective source code from a group of source code sets of multiple programs constituting the multiple open source software programs implemented in the product or service; inputting the first information into a first database in which the multiple open source software programs implemented in the product or service are stored as a list along with the dependencies between the open source software programs, and searching for multiple source codes affected by the first information within the first database; and inputting second information concerning the retrieved multiple source codes into a second database in which multiple development objects related to the development information of the product or service are stored as a list along with the dependencies between the development objects, and obtaining development objects affected by the second information within the second database. 【0010】 In the information processing device described above, the user can use the first database to identify defective source code and its dependent source code among multiple open-source software implemented in a product or service. Furthermore, the user can use the second database to identify development objects affected by these source codes. Thus, in recent products and services that implement multiple open-source software, even if the management of these multiple open-source software programs and the management of development information for the product or service are performed separately in the first and second databases, the user can easily understand the impact of failures caused by open-source software on the product or service and quickly determine whether or not to continue operating the product or service, based on the acquired information on development objects. 
【0011】 In the above-described information processing device, the first database may be managed by a first business operator who manages the operation of the product or service, and the second database may be managed by a second business operator who manages the development of the product or service. 【0012】 Furthermore, the first database may be a predetermined software bill of materials. This could be, for example, a Software Bill of Materials (SBOM) which applies a manufacturing bill of materials (BOM) to software. The second database may be a database configured to track the development information from higher to lower levels. Such a second database has the function of a traceability management tool configured to track the relationships between deliverables and documents created in the development of a product or service, from higher-level deliverables such as requirements definition models to lower-level deliverables such as architecture design models and detailed design models, as well as the relationships between higher-level deliverables related to software integration testing, etc., and lower-level deliverables related to unit testing, etc. 【0013】 In this case, the control unit further performs the following: determining the degree of failure to the product or service based on the development object affected by the second information; determining whether the operation of the product or service can be continued based on the degree of failure; and notifying the first business operator of whether the operation can be continued. The higher the level of the development object affected by the second information is related to the development information, the higher the degree of failure may be determined. This allows the user to quickly determine whether the operation of the product or service can be continued based on the above determination result. 
This makes it possible to more appropriately manage failures caused by open source software in products or services that implement multiple open source software programs. 【0014】 Furthermore, this disclosure can be understood from the perspective of a computer-based information processing method. Specifically, the information processing method of this disclosure is an information processing method for managing the occurrence of failures caused by open source software in a predetermined product or service on which multiple open source software is implemented, wherein the computer performs the following actions: to obtain first information concerning a defective source code from among a group of source code sets of multiple programs constituting the multiple open source software implemented in the product or service; to input the first information into a first database in which the multiple open source software implemented in the product or service is stored as a list along with the dependencies between the open source software, and to search for multiple source codes affected by the first information from the first database; and to input information concerning the searched multiple source codes into a second database in which multiple development objects relating to development information of the product or service are stored as a list along with the dependencies between the development objects, and to obtain development objects affected by the information from the second database. 【0015】 Furthermore, this disclosure can be viewed from the perspective of an information processing program. 
Specifically, the information processing program of this disclosure is an information processing program that manages the occurrence of failures caused by open source software in a predetermined product or service on which multiple open source software is implemented, and causes a computer to perform the following: obtain first information concerning a defective source code from among the source code group of multiple programs that constitute the multiple open source software implemented in the product or service; input the first information into a first database in which the multiple open source software implemented in the product or service is stored as a list along with the dependencies between the open source software, and search the first database for multiple source codes affected by the first information; and input information concerning the searched multiple source codes into a second database in which multiple development objects related to development information of the product or service are stored as a list along with the dependencies between the development objects, and obtain development objects affected by the information from the second database. 【Effects of the Invention】 【0016】 This disclosure makes it possible to identify the impact of open-source software-related failures on a given product or service that implements multiple open-source software programs. 【Brief Description of the Drawings】 【0017】 [Figure 1] This figure shows the schematic configuration of the information processing system in the first embodiment. [Figure 2] This figure shows in more detail the components of the server and user terminal included in the information processing system in the first embodiment. [Figure 3] This diagram illustrates the flow of operation of the information processing system in the first embodiment. [Figure 4] This is a diagram for explaining the mode in which an affected object in the second database is extracted in the first embodiment. 
[Figure 5] This is a diagram illustrating the operation flow of the information processing system in the second embodiment. [Figure 6] This is a diagram for explaining the mode in which an affected object in the second database is extracted in the second embodiment, and further for explaining the determination of the degree of failure. 【Modes for Carrying Out the Invention】 【0018】 Hereinafter, embodiments of the present disclosure will be described based on the drawings. The configurations of the following embodiments are examples, and the present disclosure is not limited to the configurations of the embodiments. 【0019】 <First Embodiment> The overview of the information processing system in the first embodiment will be described with reference to FIG. 1. FIG. 1 is a diagram showing the schematic configuration of the information processing system in the present embodiment. The information processing system 100 according to the present embodiment includes a network 200, a server 300, a user terminal 400, a first database, and a second database. The information processing system of the present disclosure is a system for managing the occurrence of failures caused by open source software in a predetermined product or service in which a plurality of open source software is implemented, and the management of the occurrence of the failures is executed by the server 300. The above-mentioned products include, for example, automobiles, home appliances, medical devices, etc., and the above-mentioned services include, for example, the provision of online games. 【0020】 The network 200 is, for example, an IP network, and communicatively connects between the server 300 and the user terminal 400, and between the server 300 and the first database or the second database. If the network 200 is an IP network, it may be wireless, wired, or a combination of wireless and wired. 
For example, if it is wireless communication, the user terminal 400 may access a wireless LAN access point (not shown) and communicate with the server 300 via a LAN or WAN. Also, the network 200 is not limited to these examples, and may be, for example, a public switched telephone network, an optical fiber line, an ADSL line, a satellite communication network, etc. 【0021】 The server 300 is connected to the user terminal 400 via the network 200. In FIG. 1, for simplicity of explanation, one server 300 and four user terminals 400 are shown, but it is needless to say that these are not limited thereto. Also, the server 300 is connected to the first database and the second database. 【0022】 The server 300 may be any electronic device as long as it is a computer device having processing capabilities for arithmetic processing and processing such as data acquisition, generation, and update, and may be, for example, a personal computer, a server, a mainframe, or other electronic devices. That is, the server 300 can be configured as a computer having a processor such as a CPU or GPU, a main storage device such as a RAM or ROM, and an auxiliary storage device such as an EPROM, a hard disk drive, or a removable medium. The removable medium may be, for example, a USB memory or a disk recording medium such as a CD or DVD. The auxiliary storage device stores an operating system (OS), various programs, various tables, etc. 【0023】 Furthermore, the server 300 may use SaaS (Software as a Service), PaaS (Platform as a Service), or IaaS (Infrastructure as a Service) via a cloud server as appropriate, without providing dedicated software, hardware, or OS for the information processing system 100 according to this embodiment. 
【0024】 The user terminal 400 is an electronic device owned by a user of the information processing system 100 (such as an operational user or a development user, as described later), and can be any electronic device that has the processing power for calculation and processing such as data acquisition, generation, and updating. For example, it may be a mobile terminal, tablet terminal, smartphone, wearable device, personal computer, or other terminal device. 【0025】 Next, a detailed explanation of the components of the server 300 and user terminal 400 will be given based on Figure 2. Figure 2 is a diagram showing in more detail the components of the server 300 and user terminal 400 included in the information processing system 100 in the first embodiment. 【0026】 The server 300 has a communication unit 301, a storage unit 302, and a control unit 303 as functional units. It loads a program stored in the auxiliary storage device into the working area of the main memory and executes it. Through the execution of the program, each functional unit is controlled, thereby enabling each functional unit to perform its respective function according to its predetermined purpose. However, some or all of the functions may be implemented by hardware circuits such as ASICs or FPGAs. 【0027】 Here, the communication unit 301 is a communication interface for connecting the server 300 to the network 200. The communication unit 301 is comprised of, for example, a network interface board and a wireless communication circuit for wireless communication. The server 300 is connected to user terminals 400, the first database, the second database, and other external devices via the communication unit 301, enabling communication between them. 【0028】 The storage unit 302 comprises a main memory and an auxiliary storage device. The main memory is the memory where programs executed by the control unit 303 and data used by said control programs are stored. 
The auxiliary storage device is the device where programs executed by the control unit 303 and data used by said control programs are stored. The storage unit 302 also stores data transmitted from the user terminal 400, etc., and stores the first information, second information, etc., which will be described later. The server 300 acquires data transmitted from the user terminal 400, etc. via the communication unit 301. 【0029】 The control unit 303 is a functional unit that manages the control performed by the server 300. The control unit 303 can be implemented by a processing unit such as a CPU. The control unit 303 is further composed of three functional units: a first acquisition unit 3031, a search unit 3032, and a second acquisition unit 3033. Each functional unit may be implemented by the CPU executing a stored program. 【0030】 The first acquisition unit 3031 acquires first information from a group of source code files of multiple programs that constitute multiple open-source software (OSS) implemented in a product or service. Here, the first information is information about a source code that has a defect among the above-mentioned group of source code files, and includes information such as the name and properties of the source code, the location of the defect, and the content of the defect. Such information may be transmitted from a user terminal 400 of a user using the information processing system 100. The first acquisition unit 3031 acquires the first information by acquiring such transmitted information and stores it in the storage unit 302 of the server 300. 【0031】 In this embodiment, the user terminal 400 has a communication unit 401, an input / output unit 402, and a storage unit 403 as functional units. The communication unit 401 is a communication interface for connecting the user terminal 400 to the network 200, and is configured to include, for example, a network interface board and a wireless communication circuit for wireless communication. 
The input / output unit 402 is a functional unit for displaying information transmitted from the outside via the communication unit 401, and for inputting information when transmitting information to the outside via the communication unit 401. The storage unit 403 is configured to include a main memory and an auxiliary memory, similar to the storage unit 302 of the server 300. 【0032】 The input / output unit 402 further includes a display unit 4021, an operation input unit 4022, and an image / audio input / output unit 4023. The display unit 4021 has the function of displaying various information and is implemented by, for example, an LCD (Liquid Crystal Display), an LED (Light Emitting Diode) display, or an OLED (Organic Light Emitting Diode) display. The operation input unit 4022 has the function of receiving operation input from the user and is specifically implemented by soft keys such as a touch panel or hard keys. The image / audio input / output unit 4023 has the function of receiving image input such as still images and videos and is specifically implemented by a camera using an image sensor such as a Charge-Coupled Device (CCD), Metal-Oxide-Semiconductor (MOS), or Complementary Metal-Oxide-Semiconductor (CMOS) sensor. The image / audio input / output unit 4023 also has the function of receiving audio input and output and is specifically implemented by a microphone or speaker. 【0033】 A user of the information processing system 100 can transmit the above-mentioned first information to the server 300 using the user terminal 400 configured in this manner. Here, the server 300 may provide the user terminal 400 with an interface for inputting the first information. In this case, a user of the information processing system 100 can transmit the first information to the server 300 by inputting information into the above-mentioned interface via the user terminal 400. 
【0034】 The search unit 3032 inputs the first information described above into the first database and searches the first database for multiple source codes affected by the first information. Here, the first database is a database in which multiple open-source software (OSS) implemented in a product or service are stored as a list along with the dependencies between the open-source software (OSS), and is a predetermined software bill of materials. This is, for example, an SBOM (Software Bill of Materials) which applies a manufacturing bill of materials (BOM) to software. Such a database is managed by an operation user (the first business operator in this disclosure), which is a business operator that manages the operation of the product or service. The above SBOM may include the function of an OSS detection tool for detecting OSS, for example, a function that scans the source code registered in the SBOM and detects the presence or absence of OSS by matching it with a database that stores information on OSS from around the world. The information regarding the multiple source codes that have been retrieved is stored as second information in the storage unit 302 of the server 300. 【0035】 The second acquisition unit 3033 inputs the second information described above into the second database and retrieves development objects affected by the second information from the second database. Here, the second database is a database in which multiple development objects related to product or service development information are stored as a list along with the dependencies between the development objects, and is configured to allow the development information to be traced from higher to lower levels. 
Such a second database has the function of a traceability management tool that is configured to allow the tracing of relationships between deliverables and documents created in the development of a product or service, from higher-level deliverables such as requirements definition models to lower-level deliverables such as architecture design models and detailed design models, and from higher-level deliverables related to software integration testing to lower-level deliverables related to unit testing. Such a database is managed by the development user (the second business operator in this disclosure), which is the business operator that manages the development of the product or service. 【0036】 Furthermore, the control unit 303 functions as the control unit according to this disclosure by executing the processing of the first acquisition unit 3031, the search unit 3032, and the second acquisition unit 3033. 【0037】 Here, the operation flow of the information processing system 100 in this embodiment will be described. Figure 3 is a diagram illustrating the operation flow of the information processing system 100 in this embodiment. Figure 3 describes the operation flow between each component in the information processing system 100 in this embodiment, and the processing performed by each component. 【0038】 In this embodiment, first, first information is input to the user terminal 400 of a user utilizing the information processing system 100 (S101). Here, the user in this embodiment is, for example, an operational user. The operational user can input information regarding the source code of multiple programs constituting multiple OSS implemented in the product or service they operate, as first information, to the user terminal 400 using a predetermined interface. Then, the first information is transmitted from the user terminal 400 to the server 300. 
【0039】 The server 300 acquires the first information transmitted from the user terminal 400 and stores it in the storage unit 302 (S102). 【0040】 The server 300 then inputs the acquired first information into the first database and searches the first database for second information relating to multiple source codes affected by the first information (S103). The first database is, for example, an SBOM (Software Bill of Materials) which stores a list of dependencies between multiple open-source software (OSS) implemented in a product or service. 【0041】 Then, the first database receives the information input from the server 300 (S104), and the second information is extracted (S105). The first information input from the server 300 is information about a defective source code (such as the name and properties of the source code, the location of the defect and the content of the defect), so the defective source code related to the first information is identified in the first database, and information about multiple source codes that have dependencies on that source code (such as the names and properties of the source codes and the call relationships with the defective source code) is extracted as the second information. The server 300 then receives the second information from the first database and stores it in the storage unit 302 (S106). 【0042】 In this embodiment, as described above, the first information is input by the operational user. The first database is then managed by the operational user who manages the operation of the product or service. Therefore, it might seem that the operational user can use the first database to manage the occurrence of failures caused by OSS for the product or service they operate. 
However, in recent years, with the advancement of IoT (Internet of Things) products such as automobiles and home appliances, the company that operates the product (e.g., information distribution and updates) and the company that developed the product (e.g., the product's developer) may be different, as is the case with the HMI (Human Machine Interface) of an automobile. In such a case, the operational user who operates the product can use the first database to identify defective source code and source code with dependencies among the multiple OSS implemented in the product, but they cannot grasp the impact that defect has on the operation of the product. In other words, simply identifying defective source code and source code with dependencies is not enough to properly manage the occurrence of failures caused by OSS for the product or service. 【0043】 Therefore, in the information processing system 100 of this disclosure, the server 300 then inputs the acquired second information into the second database and searches the second database for development objects (influence objects) that are affected by the second information (S107). The second database is a database in which multiple development objects related to product or service development information are stored as a list along with the dependencies between the development objects, and is a database that has the function of a traceability management tool configured to track the development information from top to bottom. 【0044】 Then, the second database retrieves the information entered from server 300 (S108), and extracts the influencing objects, which are development objects affected by the second information (S109). 【0045】 Here, Figure 4 is a diagram illustrating how influential objects are extracted from the second database in the first embodiment. 
In this embodiment, as shown in Figure 4, multiple development objects are stored in a traceable manner from top to bottom in the order of requirements, design, implementation, and testing of the development information. In this embodiment, the source code related to the second information is implemented in development object a. In other words, one of the development objects (influential objects) affected by the second information is development object a. 【0046】 As a result, the second database is configured to track dependencies between development objects, as shown in Figure 4. Therefore, development objects a1, a2, a3, a4, a5, and a6 that have dependencies on development object a are further extracted as influential objects. The server 300 then retrieves these influential objects from the second database (S110). 【0047】 The server 300 then transmits the acquired information about the influencing object to the user terminal 400 of the user using the information processing system 100 (S111), and the user terminal 400 acquires the information (S112). 【0048】 According to this, a user of the information processing system 100 (for example, an operations user) can not only identify the defective source code and the source code that has dependencies on it among the multiple OSS implemented in the product or service, but also understand the development objects affected by these source codes. In this way, even if the management of the multiple OSS and the management of the development information of the product or service are performed separately in products and services that implement multiple OSS in recent years, an operations user can, for example, determine whether or not to continue operating the product or service based on the information on affected objects obtained. 
On the other hand, for example, if a development user finds a defect in some of the source code of the multiple OSS implemented in the product or service they developed, they can input that information into the information processing system 100 and easily understand the development objects affected by that source code. Therefore, development users can easily identify the impact of failures caused by open-source software on products and services and respond quickly. 【0049】 According to the information processing system 100 described above, it is possible to identify the impact of failures caused by open-source software on a given product or service that implements multiple open-source software programs, and to appropriately manage the occurrence of failures caused by open-source software on the product or service. 【0050】 <Second Embodiment> The information processing system 100 in the second embodiment will be described with reference to Figures 5 and 6. 【0051】 Figure 5 is a diagram illustrating the flow of operation of the information processing system 100 in this embodiment. Figure 5 explains the flow of operation between each component in the information processing system 100 in this embodiment, and the processing performed by each component. In the processing shown in Figure 5, processes that are substantially the same as those shown in Figure 3 are denoted by the same reference numerals, and their detailed explanation is omitted. 【0052】 In the example shown in Figure 5, after processing S110, the server 300 determines the degree of failure to the product or service based on the acquired impact object (S211). In processing S211, the server 300 determines that the degree of failure is higher the higher the level of development object related to development information that the acquired impact object is. This will be explained with reference to Figure 6. 
【0053】 Figure 6 is a diagram illustrating how affected objects are extracted from the second database in the second embodiment, and further illustrates how the degree of failure is determined. 【0054】 Here, Figure 6(a) is the same figure as Figure 4 above, with development objects a, a1, a2, a3, a4, a5, and a6 extracted as affected objects. Furthermore, in Figure 6(a), the scope of affected objects extends to development objects related to requirements, which are the highest level of development information. 【0055】 On the other hand, in Figure 6(b), the source code related to the second information is implemented in development object b. In other words, one of the development objects affected by the second information (affected objects) is development object b. Then, development objects b1 and b2, which have dependencies on development object b, are further extracted as affected objects. As a result, in Figure 6(b), the scope of affected objects extends to development objects related to the design, which is one level below the requirements of the development information. 【0056】 Here, the higher the level of a development object in the development information, the more likely it is that the impact will spread to other development objects. Therefore, in this embodiment, the server 300 determines that the degree of failure is higher in the case of Figure 6(a), where the scope of the affected objects extends to higher-level development objects, than in the case of Figure 6(b). 【0057】 Returning to Figure 5, the server 300 determines whether operation of the product or service can continue based on the degree of failure determined in the S211 process (S212). In the S212 process, the server 300 can determine, for example, that operation of the product or service cannot continue if the scope of the affected objects extends to the highest-level development object and the degree of failure is at its highest. 
【0058】 The server 300 then transmits information regarding whether or not operations can be continued to the user terminal 400 of the user using the information processing system 100 (S213), and the user terminal 400 acquires the information (S214). 【0059】 According to this, for example, an operations user can quickly determine whether or not they can continue operating a product or service based on the above determination result by the information processing system 100. This allows for more appropriate management of failures caused by open-source software in products or services that implement multiple open-source software programs. 【0060】 The information processing system 100 described above can also appropriately manage the occurrence of failures caused by open-source software in a given product or service that implements multiple open-source software programs. 【0061】 <Other variations> The embodiments described above are merely examples, and this disclosure may be modified and implemented as appropriate without departing from its essence. For example, the processes and means described in this disclosure can be freely combined and implemented as long as no technical inconsistencies arise. In the embodiments described above, an example was described in which the first database is managed by the operations user (first business operator) and the second database is managed by the development user (second business operator). However, if the operations user and the development user are the same entity, these databases may be managed by a single user (business operator). 【0062】 Furthermore, the processing described as being performed by a single device may be divided and executed by multiple devices. For example, the first acquisition unit 3031 may be formed in a separate arithmetic processing unit from the server 300. In this case, the separate arithmetic processing unit is configured to cooperate suitably with the server 300. 
Also, the processing described as being performed by different devices may be executed by a single device. In a computer system, the hardware configuration (server configuration) by which each function is implemented can be flexibly changed. 【0063】 The present disclosure can also be realized by supplying a computer program implementing the functions described in the embodiments above to a computer, and having one or more processors in the computer read and execute the program. Such a computer program may be provided to the computer by a non-transitory computer-readable storage medium that can be connected to the computer's system bus, or it may be provided to the computer via a network. Non-transitory computer-readable storage media include, for example, any type of disk such as magnetic disks (floppy disks, hard disk drives (HDDs), etc.), optical disks (CD-ROMs, DVDs, Blu-ray discs, etc.), read-only memory (ROM), random access memory (RAM), EPROM, EEPROM, magnetic cards, flash memory, optical cards, and any type of medium suitable for storing electronic instructions. [Explanation of symbols] 【0064】 100: Information processing system, 200: Network, 300: Server, 301: Communications Department, 302: Storage section, 303: Control unit, 400: User terminal
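The two-stage lookup of the embodiments (affected source codes from the first database, affected objects from the second database in S110, then the degree of failure and the continuation decision of S211 and S212), as an added Python example that is not part of the patent text. The sample data, every file and object name, the tuple layout of the second database and the ranking of levels by list position are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data; every file and object name is hypothetical.
LEVELS = ["testing", "implementation", "design", "requirements"]  # lowest -> highest
# First database (SBOM-like): OSS source file -> source files it depends on.
SBOM_DEPS = {
    "liba/parse.c": [],
    "liba/api.c": ["liba/parse.c"],
    "libb/client.c": ["liba/api.c"],
    "libc/codec.c": [],
}
# Second database: development object -> (level, sources it implements, objects it depends on).
DEV_DB = {
    "a": ("implementation", ["libb/client.c"], []),
    "a1": ("testing", [], ["a"]),
    "a2": ("design", [], ["a"]),
    "a3": ("requirements", [], ["a2"]),
    "b": ("implementation", ["libc/codec.c"], []),
    "b1": ("testing", [], ["b"]),
    "b2": ("design", [], ["b"]),
}

def dependents(graph, seeds):
    """Return the seeds plus every node that transitively depends on them."""
    reverse = {}
    for node, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(node)
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for nxt in reverse.get(queue.popleft(), ()):
            if nxt not in seen:  # also stops on dependency cycles
                seen.add(nxt)
                queue.append(nxt)
    return seen

def assess(defective_source):
    if defective_source not in SBOM_DEPS:
        raise ValueError("source not listed in first database: " + defective_source)
    # First database: source codes affected by the defective one (first information).
    sources = dependents(SBOM_DEPS, [defective_source])
    # Second database (S110): objects implementing those sources, plus their dependents.
    seeds = [n for n, (_, srcs, _) in DEV_DB.items() if sources & set(srcs)]
    affected = dependents({n: d for n, (_, _, d) in DEV_DB.items()}, seeds)
    # S211: the degree of failure is the highest level reached by an affected object.
    degree = max((LEVELS.index(DEV_DB[n][0]) for n in affected), default=-1)
    # S212: operation cannot continue once the highest level is reached.
    can_continue = degree < len(LEVELS) - 1
    return sorted(affected), (LEVELS[degree] if degree >= 0 else None), can_continue
```

A source file missing from the first database raises an error rather than reporting that operation can continue, since an incomplete inventory would otherwise look like a clean result.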

Claims

[Claim 1] An information processing device for managing the occurrence of failures caused by open-source software in a specified product or service that implements multiple open-source software programs, the information processing device comprising a control unit that performs: obtaining, with respect to the source code sets of multiple programs that constitute the multiple open-source software implemented in the product or service, first information concerning a defective source code from among the source code sets; inputting the first information into a first database, which stores a list of the multiple open-source software implemented in the product or service along with the dependencies between the open-source software, and searching within the first database for multiple source codes affected by the first information; and inputting second information regarding the retrieved multiple source codes into a second database, which stores a list of multiple development objects related to the development information of the product or service along with the dependencies between the development objects, and retrieving the development objects affected by the second information from the second database.
[Claim 2] The information processing device according to claim 1, wherein the first database is managed by a first business operator, which is a business operator that manages the operation of the product or the service, and the second database is managed by a second business operator, which is a business operator that manages the development of the product or the service.
[Claim 3] The information processing device according to claim 2, wherein the first database is a predetermined software bill of materials.
[Claim 4] The information processing device according to claim 2, wherein the second database is a database configured to allow tracking of the development information from top to bottom.
[Claim 5] The information processing device according to claim 4, wherein the control unit determines, based on the development object affected by the second information, the degree of failure to the product or service, and determines, based on the degree of the failure, whether or not the operation of the product or service can continue, and the decision regarding the continuation of said operation is made to the first business operator, and wherein the degree of the failure is determined to be higher the higher the level, in the development information, of the development object affected by the second information.
[Claim 6] An information processing method for managing the occurrence of failures caused by open-source software in a predetermined product or service that implements multiple open-source software programs, in which a computer performs: obtaining, with respect to the source code sets of multiple programs that constitute the multiple open-source software implemented in the product or service, first information concerning a defective source code from among the source code sets; inputting the first information into a first database, which stores a list of the multiple open-source software implemented in the product or service along with the dependencies between the open-source software, and searching within the first database for multiple source codes affected by the first information; and inputting information about the retrieved multiple source codes into a second database, in which multiple development objects related to the development information of the product or service are stored as a list along with the dependencies between the development objects, and obtaining the development objects affected by the information from the second database.
[Claim 7] An information processing program for managing the occurrence of failures caused by open-source software in a specified product or service that implements multiple open-source software programs, the program causing a computer to execute: obtaining, with respect to the source code sets of multiple programs that constitute the multiple open-source software implemented in the product or service, first information concerning a defective source code from among the source code sets; inputting the first information into a first database, which stores a list of the multiple open-source software implemented in the product or service along with the dependencies between the open-source software, and searching within the first database for multiple source codes affected by the first information; and inputting information about the retrieved multiple source codes into a second database, in which multiple development objects related to the development information of the product or service are stored as a list along with the dependencies between the development objects, and obtaining the development objects affected by the information from the second database.