Processing

Please wait...

Settings

Settings

Goto Application

1. WO2020139073 - SYSTEM AND METHOD TO GENERATE HASH VALUES FOR PROJECT ARTIFACT AND SOFTWARE PACKAGE

Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

[ EN ]

SYSTEM AND METHOD TO GENERATE HASH VALUES FOR PROJECT ARTIFACT AND SOFTWARE PACKAGE

FIELD OF INVENTION

[0001] The present invention relates to integrity and authenticity of the project artifacts and software package, in particular to system and method to generate hash values for a project artifact and a software package before being stored in a version repository.

BACKGROUND

[0002] Typically, project artifact is a tangible by-product produced during software development. The developers document the project artifacts and store in a version repository so it can be retrieved upon demand. Examples of project artifacts including but not limited to use cases, class diagrams, UML models, requirements and design documents, etc, Generally, project artifacts describe functions, architecture, and design of the software.

[0003] Further, project artifacts needed to be baselined (labeled) and then an audit report needs to be generated to prepare for a release. Currently, releases rely on control procedures to determine and confirm the released artifacts. Thus the verification is performed based on the audit report. However, there is no verification method and system exist to check the authenticity and integrity of the released project artifacts during the labeling and audit report generation processes. Even if the baseline package is tampered, it will be deemed as“good for release” as there is no counter check mechanism implemented within the process to halt the release,..

[0004] US patent number 7,685,425 B 1 issued to Wright, et al. discloses a method for a secure serving of digitally signed computer files. The method receives a request from other computer for access to one or more computer files stored on a server computer. Each, said computer file is having an associated unique digital signature created using a signing key from at least one of a plurality of third parties. The signature is stored on the server computer. In response to the request, the method retrieves at least one requested computer file. Further, in response to the request, the method retrieves the digital

signatures directly at the server computer. Further, the method validates the unique digital signatures associated with the requested computer file, Then the method provides the other computer with access to the requested computer file only if the digital signature associated with the requested computer file is valid,. In case the digital signature is invalid, no further digital signature iis applied by the server computer, and maliciously altered, documents are not sent to the other computer. However, the method for a secure serving of digitally signed computer files is limited to the security of a Webpage, and the computer files or documents reside on. a web server. Further, the Webpages are served only when the hash values and digital signature are valid.

[0005] US patent number 5,7.24,425 issued to Chang, et al. discloses an apparatus for enhancing software security and for distributing software by utilizing public key encryption techniques. The apparatus includes a first computer which is provided with source code to be protected. Further, a software application writer's private key and an application writer's license provided to the first computer. The application writer's license includes identifying information such as the application writer's name as well as the application writer's public key. The first computer executes a compiler program to compile the source code into binary code and cqmputes a message digest for the binary code. The first computer then encrypts the message digest using the application writer's private key, such that the encrypted message digest is defined as a digital "signature" of the application writer. Further, a software passport is generated which includes the application writer's digital signature, the application writer's license, and the binary code. Tlien software passport is distributed to a user using any number of software distribution models. However, the apparatus for enhancing software security and for distributing software is applied for product authentication, and the binary packages can only be executed if the generated key matched with the pre-generated key.

[0006] It is, therefore, a need for a reliable, and efficient system and method to generate hash values for a project artifact and a software package before being stored in a version repository to ensure the integrity and authenticity of the project artifacts and software package.

SUMMARY

[0007] There is a need for a system and method to ensure project artifacts and software package integrity and authenticity before release.

[0008] The present invention mainly deals the technical problems existing in the prior art, in response to these problems, the present invention provides a system and method for generating hash value or key identifier for project artifacts and software package before being stored into a versioning repository.

[0009] An aspect of the present invention relates to a system to generate hash values for. a project artifact and a software package before being stored in a version repository. The system comprises a hash generator, a temporary storage, a version repository, a comparison generator, a label generator, and a report generator. The hash generator generates one or more hash values corresponding to each project artifacts. The temporary storage receives the generated hash values and the project artifacts from the hash generator. The version repository stores the project artifacts with the corresponding hash values. The comparison generator retrieves the project artifacts and the hash values from the version repository and matches the project artifacts with the hash values. The comparison generator further compares the matched project artifacts against a delivery checklist to determine an existence of the project artifacts in the version repository during a labeling operation. The label generator performs the labeling operation on the project artifacts matched with the hash values to obtain a release label. The label generator uploads the release label in the version repository. The report generator receives the release label from the version repository and generates an audit report.

[0010] In another aspect of the present invention, the comparison generator examines a date of the project artifacts in the version repository against a baseline date during the labeling operation.

[0011] In a further aspect of the present invention, the report generator generates an exception message on determining a mismatch of the hash values during of the comparison of the hash values and the project artifacts.

[0012] In yet a further aspect of the present invention, the version repository performs a backend verification of the hash values for each project artifacts.

[0013] Yet, an aspect of the present invention relates to a method for generating hash values for a project artifact and a software package before being stored in a version repository. The method comprises a step of generating one or more hash values corresponding to each project artifacts through a hash generator: The method then includes a step of uploading the generated hash values and. the project artifacts into a temporary storage. Further, the method includes the step of storing the project artifacts with the corresponding hash values in a version repository. The method then includes the step of retrieving the project artifacts and the hash values from the version repository and matches the project artifacts with the hash values through a comparison generator.

[0014] Furthermore, the method includes the step of comparing the matched project artifacts against a delivery checklist through the comparison generator to determine the existence of the project artifacts in the version repository during a labeling operation. The method then includes a step of performing the labeling operation on the project artifacts matched with the hash values to obtain a release label through a label generator. The label generator uploads the release label in the version repository,; Further, the method inclndes the step of receiving the release label from the version repository through a report generator to generate an audit report. In yet another aspect, the audit report is stored in the version repository. The method then includes the step of releasing the project artifacts.

[0015] Accordingly, one advantage of the present invention is that it provides a robust auditing process by generating the audit report only after verifying the project artifacts as “good for release”.

[0016] Accordingly, one advantage of the present invention is that it integrates mechanisms into the current release and auditing processes to validate the authenticity and. integrity of the project artifacts and software package before release.

[0017] Accordingly, one advantage of the present invention is that it generates a hash value and key to uniquely identify the project artifacts at baseline time.

[0018] Other features of embodiments df the present invention will be apparent from accompanying drawings and from the detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

[0019] In the figures, similar components and/or features may have the same reference label Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description applies to any one of the similar components having the same first reference label irrespective of the second reference label.

[0020] FIG. 1 illustrates a flowchart of a method for generating hash values for a project artifact and a software package before being stored in a version repository, in accordance with an embodiment of the present invention.

[0021] FIG. 2 illustrates an exemplary block diagram of uploading the project artifacts with the corresponding hash values in a version repository, in accordance with an embodiment of the present invention.

[0022] FIG. 3 exemplifies a process to upload the project artifacts into the version repository, in accordance with an embodiment of the present invention.

[0023] FIG. 4 illustrates an exemplary block diagram of baseline project artifacts for release, in accordance with an embodiment of the present invention.

[0024] FIG. 5 illustrates an exemplaiy block diagram of generating an audit report, ΐh accordance with an embodiment of the present invention,

[0025] FIG. 6 illustrates a system for generating hash values for a project artifact before being stored in a version repository, in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

[0026] Systems and methods are disclosed for generating hash values for a project artifact and a software package before being stored in a version repository. Embodiments of the present invention include various steps, which will be described below. The steps may be performed by hardware components or may be embodied in machine-executable

instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform the steps. Alternatively, steps may be performed by a combination of hardware, software, firmware, and/or by human operators.

[0027] Various methods described herein may be practised by combining one or more machine-readable storage media containing the code according to the present invention with appropriate standard computer hardware to execute the code contained therein. An apparatus for practicing various embodiments of the present invention may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the invention could be accomplished by modules, routines, subroutines, or subparts of a computer program product.

[QQ28] The present invention discloses a system and method whereby the hash value is paired and stored with the. project artifacts and release package in the version repos i ton/. Further, the hash value is compared to ensure the integrity and authenticity of the project artifacts and release package during the labeling operation. The method further checks existence of the project artifacts in a version repository against delivery checklist during the labeling operation.: Then the method checks date of the project artifacts in the version repository against the planned baseline date during the labeling operation. Further, the method generates and matches the hash values when uploading a release label into a report form for report generation. The method then generates an exception message if the hash values are mismatched during the process of comparison.

[0029] Although the present invention has been described with the purpose of generating hash values for a project artifact and a software package before being stored in a version repository, it should be appreciated that the same has been done merely to illustrate the invention in an exemplary manner and any other purpose or function for which explained structures or configurations could be used, is covered within the scope of the present invention.

[0030] Exemplary embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments are shown. This invention may, however, be embodied in many different forms and should not be

construed as limited to the embodiments set forth herein. These embodiments are provided so that this invention will be thorough and complete and will fully convey the scope of the invention to those of ordinary skill in the art. Moreover, all statements herein reciting embodiments of the invention, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future (i.e., any elements developed that perform the same function, regardless of structure).

[0031] Thus, for example, it will be appreciate^ by those of ordinary skill in the art that the diagrams, schematics, illustrations, and the like represent conceptual views or processes illustrating systems and methods embodying this invention. The functions of the various elements shown in the figures may be provided through the use of dedicated hardware as well as hardware capable of executing associated software. Similarly, any switches shown in the figures are conceptual only. Their function may be carried out through the operation of program logic, through dedicated logic, through the interaction of program control and dedicated logic, or. even manually, the particular technique being selectable by the entity implementing this invention,,: Those of ordinary skill in the art further understand that the exemplary hardware, software, processes, methods, and/or operating systems described herein are for illustrative purposes and, thus, are not intended to be limited to any particular name.

[0032];: Specific details are given in the following description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practised without these specific details. For example, circuits, systems, networks, processes, and other components may be shown as components in block diagram form in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail to avoid obscuring the embodiments.

[0033] FIG. 1 illustrates a flowchart 100 of a method for generating hash values for a project artifact and a software package before being stored in a version repository, in accordance with an embodiment of the present invention. The method initiates with a step 104 of generating one or more hash values corresponding to each project artifacts through a hash generator. The method then includes a step 106 of uploading the generated hash values and the project artifacts into a temporary storage. Further, the method includes the step 108 of storing the project artifacts with the corresponding hash values in a version repository. The method then includes the step 110 of retrieving the project artifacts and the hash values from the version repository and matches the project artifacts with the hash values through a comparison generator.

[0034] Furthermore, the method includes the step 112 of comparing the matched project artifacts against a delivery checklist through the comparison generator to determine an existence of the project artifacts in the version repository during a labeling operation. In one exemplified illustrations, the delivery checklist may include document title, document type, document category, security level, document number and file name. Further, the document categories may include plan, requirement, design, procedure/SOP/process flow/work instructions/etc., report, manual, notice/release note/memo etc. Each of these categories may be pre-assigned with a code. The code may be one alphanumeric character Further, the security level may include internal use only, general and public use, confidential proprietary and registered secret document. Similarly, each of these security levels may be assigned with a level code. The level code may also be at least one alphanumeric code. These codes may be adopted for forming the document number for indexing purposes. The document number may further include numeric code representing the year and versions of the document, Further, the document number and the document title may be adopted for forming the file name. In an embodiment, the comparison generator examines a date of the project artifacts in the version repository against a baseline date during the labeling operation.

[0035] The method then includes a step 114 of performing the labeling operation on the project artifacts matched with the hash values to obtain a release label through a label generator. Once the project artifacts verified against the delivery checklist and the hash values are verified, the label generator will generate a release label to the project artifacts in the version repositoiy. Further, the method includes the step 116 of receiving the release label from the version repository through a report generator to generate an audit report. The audit report is stored in the version repository.

[0036] In an embodiment, the report generator generates an exception message on determining a mismatch of the hash values during comparison of the hash values. The

method then includes the step 1.18 of releasing the project- artifacts. For audit reporting, the report generator pulls specific release label. Only release labels with the matching hashes are uploaded for report generation. In an embodiment, the version repository performs a backend verification of the hash values for each project artifacts.

[0037] FIG. 2 illustrates an exemplary block diagram 108 of uploading the project artifacts with the corresponding hash values in a version repository, in accordance with an embodiment of the present invention. At block 202, the project artifacts are uploaded into the temporary storage (folder or repository). The project artifacts are secured with SHA I (Secure Hash Algorithm l) which is a cryptographic hash function. At block 204, the hash value is generated and assigned for each project artifact. The hash values include public keys. At block 206, the project artifacts are stored with the corresponding hash value in the version repository. At block 208, the project artifacts along with the corresponding hash values are uploaded to the version repository.

[0038] FIG. 3 exemplifies a process 300 to upload the project artifacts into the version repository, in accordance with an embodiment of the present invention. At step 302, the hash generator generates hash values corresponding to each project artifacts. In One embodiment, Secure Hash Algorithm (SHA) can be adapted for generating hash values. In another embodiment, Message-Digest Algorithm (MD5) can be adapted for generating the hash value. At step 304, hash values are assigned to the project artifacts and stored in the version repository. At step 306, a requirement document is prepared and stored together with the hash value in the version repository. Returning to the step 304, the hash values assigned to the project artifacts are compared with the stored: hash values at step 308. At step 312, if the hash values assigned to project artifacts and the stored hash values are different, the process performs a step 310 of re-assigning a new hash value to the project artifacts. The re-assigned and stored hash value is return to the step 308 for comparison again. Similarly, if the newly assigned artifact’s hash is different at the step 312, the process loops to the step 310 to re-assign another hash value, again until the hash value is the same as the stored hash value. The process performs a step 314 of assigning and storing the hash value on determining the same hash value assigned to the corresponding project artifacts.

[0039] At step 316, the process examines a date of the project artifacts in the version repository against a baseline date during the labeling operation. If the baseline date is the same, the process performs a step 318 of assigning a hash value for the baseline folder; If the baseline date is different, the process performs the step 310 of re-assigning a new hash value to the project artifacts. At step 320, the hash values assigned to the project artifacts are matched with the stored hash values to upload the release label into report form to perform a step 324 of generating the audit report. At step 326, the control loop ends.

[0040] FIG. 4 illustrates an exemplary block diagram 400 of baseline project artifacts for release, in accordance with an embodiment of the present invention*. The project artifacts 406 with SHA-1 408 are retrieved from the version repository 612. Hash value 402 along with the public key 404 are retrieved from the version repository 612 to verify the hash value at 410. At step 412, the hash values are matched with each other. If the hash values do not match, the project artifacts are rejected and return to the step 108 of FIG, 1, At step 414, in case the hash value is the same, the project artifacts are compared to the delivery checklist. If the project artifacts are not the same as compared to the delivery checklist, the project artifacts are rejected and return to the. step 108 of FIG. 1.

[0041] If the project artifacts exist in the deliver)' list, at step 416, the process performs a step to determine whether the project artifacts are meeting the baseline date as planned in the delivery checklist. If the project artifacts are not in the delivery list, the process returns to the step 108 of FIG. 1. If the project artifacts meet the baselihe date as planned in the checklist, the process applies release label or release TAG 420 to baseline the project artifacts with SHA1 422. At step 418, if the project artifacts miss the planned date, the date is re-planned and updated in the delivery checklist. The report generator 610 receives the release label from the version repository 612 (shown in FIG. 6) and generates an audit report 613.

[0042] FIG. 5 illustrates an exemplary block diagram 500 of generating an audit report, in accordance with an embodiment of the present invention. The release label or release TAG 506 along with the SHA1 508 retrieved from the version repository 612. The hash value 402 along with the public key 404 are retrieved from the version repository 612 to verify the hash value at 4.10: Then the process checks if there is any discrepancy in the hash value. At step 510, if the hash value stored in the temporary storage (TAG folder) equals to the hash value stored in the Version repository, the release label is. uploaded for report generation. If the hash value stored in the temporary storage (TAG folder) does not equal to the hash value stored in the version repository, an exception message is

prompted, and the process returns to the steps performed by block diagram 400 of FIG, 4. The release label is uploaded in the report generator 610 to generate the audit report 613,.

[0043] FIG. 6 illustrates a system 600 for generating hash values for a project artifact 601: before being stored in a version repository 612, in accordance with an embodiment of the present invention, The system 600 comprises a hash generator 602, a temporary storage 604, a version repository 612, a comparison generator 606, a label generator 608, and a report generator 610. The hash generator 602 generates one or more hash values corresponding to each project artifacts. The temporary storage 604 receives the generated hash values and the project artifacts from the hash generator 602. The version repository 612 stores the project artifacts 601 with the corresponding hash values.

[0044] The comparison generator 606 retrieves the project artifacts 601 and the hash values from the version repository 612 and matches the project artifacts 601 with the hash values. The comparison generator 606 further compares the matched project artifacts 601 against a delivery checklist to determine an existence of the project artifacts 601. in the version repository 612 during a labeling operation. The comparison generator 606 examines a date of the project artifacts in the version repository 612 against a baseline date during the labeling operation.

[0045] The label generator 608 performs the labeling operation on the project artifacts 601 matched with the hash values to obtain a release label. The label generator 608 uploads the release label in the version repository 612. The report generator 610 receives the release label from the version repository 612 and generates an audit report 613. The report generator 610 generates an exception message on determining a mismatch of the hash values during of the comparison of the hash values. The version repository 612 performs a backend verification of the hash values for each project artifacts 601,

[0046] Thus the present system and method incorporate security features (encryption and decryption) into the current labeling operation and configuration audit report generation. The hash value of each project artifact 601 (requirement book, etc.) will be generated each time the project artifacts 601 are uploaded into or downloaded from the version repository 612 and stored. During the release labeling operation, those values were compared to determine the authenticity and integrity of the project artifacts 601. The ones that have matching values will then be compared to the delivery checklist to determine

their existence and baseline date compliance;. Only project artifacts 601 that met those criteria can be labeled for release in the version repository 612, The releases are audited through the generated audit report 613. For report preparation, specific release label is uploaded to the report generator 610. Only release label with the matching hash values are allowed to be uploaded to ensure the authenticity, and the integrity of the package maintained throughout the release process.

[0047] While embodiments of the present invention have been illustrated and described, it will be clear that the invention is not limited to these embodiments only. Numerous modifications, changes, variations, substitutions, and.equivalents will be apparent to those skilled in the art, without departing from the scope of the invention, as described in the claims.