

As software technology in the automotive industry develops, open-source components are increasingly used in automotive systems, and the security of that open-source software has become an important topic in automotive software security. In this paper, the OTA update package of In-Vehicle Infotainment (IVI) components in intelligent cockpits is analyzed to obtain the internal file system, and the general structure of the automotive IVI component file system and the functionality corresponding to common file paths are summarized. The linking information of the executable files in the firmware package is analyzed to collect the dynamic link libraries they depend on, which expands component coverage and prevents third-party components from being omitted. Subsequently, Software Composition Analysis (SCA) is used to identify the most frequently used third-party components in the sample firmware. The results are validated through reverse engineering analysis, by comparing the function call relationships in the sample files with those in the source code of the third-party components. Static analysis methods and patch comparison techniques are combined to verify whether Common Vulnerabilities and Exposures (CVE) vulnerabilities are present in the identified third-party components. Finally, based on the experimental results, relevant recommendations are provided for the security of intelligent cockpit software.