JR/T 0291-2024
Financial Industry Open Source Software Application Evaluation Standards (English Version)
- Standard No.
- JR/T 0291-2024
- Language
- Chinese, Available in English version
- Release Date
- 2024
- Published By
- Professional Standard - Finance CN / JR
- Latest
- JR/T 0291-2024
- Introduction
Standard Background and Industry Value
This specification was jointly developed by the Science and Technology Department of the People's Bank of China, the four major state-owned commercial banks and leading technology companies, marking the entry of open source governance in my country's financial industry into the standardization implementation stage.
Open source basic software Operating system, database and other infrastructure Linux, MySQL Open source components Middleware, development framework, etc. Spring, Redis Open source tools Assisted development and operation tools Jenkins, Prometheus
Core evaluation indicator system
6.1 Introducing the evaluation three-dimensional model
Typical case: When a bank introduced the Kafka message queue, it needed to complete the following:
- Preliminary stage: Check the compliance of the Apache 2.0 license and verify the community activity (the number of commits in the past three months is ≥200)
- Final stage: Stress test TPS ≥ 500,000/second, verify the automatic switching time of cluster failure ≤ 30 seconds
7.2 Key indicators in the maintenance stage
Evaluation dimensions Simple use category In-depth use category Vulnerability response High-risk vulnerabilities will be fixed within 72 hours Possess vulnerability hot fix capability Monitoring coverage Basic operation indicator monitoring Core algorithm performance monitoring
Implementation recommendations
Organizational safeguards
- Establish an open source governance committee, with a joint review mechanism composed of technology, risk, and legal departments
- Build an open source software product library to achieve unified management of component versions (refer to clause 8.4)
Technical Implementation Route
- Toolchain Integration: Embed SCA tools (such as Black Duck) into CI/CD pipelines
- Automated Assessment: Develop assessment scripts based on specifications to automatically generate scoring reports for chapters 6.2-6.3
Best Practices: In the Redis upgrade assessment, a securities company passed:
- Compatibility testing: Verify the impact of API changes from version 6.0 to 7.0 (refer to 6.3.4)
- Performance comparison: Memory usage is reduced by 12% under the same load (refer to Table 10)
JR/T 0291-2024 Referenced Document
- JR/T 0289-2024 Open Source Technology for the Financial Industry Terminology
JR/T 0291-2024 history
- 2024 JR/T 0291-2024 Financial Industry Open Source Software Application Evaluation Standards
Topics on standards and specifications
Standard and Specification
IEEE P3390/D2, October 2025 IEEE Draft Standard for Security Management Capability Framework of Open Source Software Supply Chain for Software Providers
VDI/VDE 3516 Blatt 1-2013 Validation in GxP area - Open-source software
SAE JA1002-2012 Software Reliability Program Standard
SAE JA1002-2004 Software Reliability Program Standard
GOST R 71436-2024 Information technology. Open source software. Delivery specification
AWWA JAW64049 Journal AWWA — Build or Buy? — The Answer Isn't So Simple Anymore
ASME VVUQ 60.1-2025 Considerations and Questionnaire for Selecting Computational Physics Simulation Software: An ASME Guideline
DIN EN ISO 16739-1:2021 Industry Foundation Classes (IFC) for data sharing in the construction and facility management industries - Part 1: Data schema (ISO 16739-1:2018); English
AS/NZS ISO/IEC/IEEE 15026.3:2025 Systems and software engineering - Systems and software assurance, Part 3: System integrity levels
IEEE Std 828-2005 IEEE Standard for Software Configuration Management Plans - Redline