Musard Balliu
César Soto-Valero
ABSTRACT
Modern software applications are virtually never built entirely in-house. As a matter of fact, they reuse many third-party dependencies, which form the core of their software supply chain [1]. The large number of dependencies in an application has turned into a major challenge for both security and reliability. For example, to compromise a high-value application, malicious actors can choose to attack a less well-guarded dependency of the project [2]. Even when there is no malicious intent, bugs can propagate through the software supply chain and cause breakages in applications. Gathering accurate, upto- date information about all dependencies included in an application is, therefore, of vital importance.
- R. Cox, "Surviving Software Dependencies," Communications of the ACM, vol. 62, no. 9, pp. 36--43, 2019.Google Scholar
Digital Library
- P. Ladisa, H. Plate, M. Martinez, and O. Barais, "SoK: Taxonomy of Attacks on Open-Source Software Supply Chains," in Proceedings of the IEEE Symposium on Security and Privacy (SP), may 2023.Google Scholar
- M. Balliu, B. Baudry, S. Bobadilla, M. Ekstedt, M. Monperrus, J. Ron, A. Sharma, G. Skoglund, C. Soto-Valero, and M. Wittlinger, "Challenges of Producing Software Bill of Materials for Java," IEEE Security & Privacy, pp. 2--13, 2023.Google Scholar
- C. Soto-Valero, N. Harrand, M. Monperrus, and B. Baudry, "A comprehensive study of bloated dependencies in the Maven ecosystem," Empirical Software Engineering, vol. 26, p. 45, Mar. 2021.Google ScholarDigital Library
Index Terms
- Software Bill of Materials in Java
Recommendations
On the Way to SBOMs: Investigating Design Issues and Solutions in Practice
The increase of software supply chain threats has underscored the necessity for robust security mechanisms, among which the Software Bill of Materials (SBOM) stands out as a promising solution. SBOMs, by providing a machine-readable inventory of software ...
Are Software Dependency Supply Chain Metrics Useful in Predicting Change of Popularity of NPM Packages?
PROMISE'18: Proceedings of the 14th International Conference on Predictive Models and Data Analytics in Software EngineeringBackground: As software development becomes more interdependent, unique relationships among software packages arise and form complex software ecosystems. Aim: We aim to understand the behavior of these ecosystems better through the lens of software ...
An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead
ICSE '23: Proceedings of the 45th International Conference on Software EngineeringThe rapid growth of software supply chain attacks has attracted considerable attention to software bill of materials (SBOM). SBOMs are a crucial building block to ensure the transparency of software supply chains that helps improve software supply ...
Comments