1. Understanding the Software Bill Of Material for supply-chain management in Open Source projects
Axelsson, Veronica; Larsson, Frida. January 2023 (has links)
There has been an increase in the discussion about Software Bills of Material (SBOM) in the last few years, following a number of big-scale supply-chain attacks and vulnerabilities discovered in Open Source third-party packages. However, there is a lot to be done before the software community as a whole can fully reap the benefits SBOMs are claimed to provide. The objective of this thesis is to investigate how far the Open Source software (OSS) community has come in adopting SBOMs, and how the existing SBOMs evolve, focusing on the Software Package Data Exchange (SPDX) format. For the purpose of this investigation an archival study was conducted, looking for SBOMs in OSS projects on GitHub and analyzing their content and evolution. This is one of the first large-scale searches for SBOMs in OSS projects, with the objective to research the practice of SBOM. Only a fraction of the repositories that were inspected contained an SBOM, and most of them were found in Go projects. The SBOMs could be found in the source code of the repository, but the majority were found amongst the assets in the releases. Overall, the SBOMs were updated frequently using the latest SPDX format, and the quality of their content mostly stayed consistent over time.
2. Exploring the Dynamics of Software Bill of Materials (SBOMs) and Security Integration in Open Source Projects
Ambala, Anvesh. January 2024 (has links)
Background. The rapid expansion of open-source software has introduced significant security challenges, particularly concerning supply chain attacks. Software supply chain attacks, such as the NotPetya attack, have underscored the critical need for robust security measures. Managing dependencies and protecting against such attacks have become important, leading to the emergence of Software Bill of Materials (SBOMs) as a crucial tool. SBOMs offer a comprehensive inventory of software components, aiding in identifying vulnerabilities and ensuring software integrity.
Objectives. Investigate the information contained within SBOMs in Python and Go repositories on GitHub. Analyze the evolution of SBOM fields over time to understand how software dependencies change. Examine the impact of the US Executive Order of May 2021 on the quality of SBOMs across software projects. Conduct dynamic vulnerability scans in repositories with SBOMs, focusing on identifying types and trends of vulnerabilities.
Methods. The study employs archival research and quasi-experimentation, leveraging data from GitHub repositories. This approach facilitates a comprehensive analysis of SBOM contents, their evolution, and the impact of policy changes and security measures on software vulnerability trends.
Results. The study reveals that SBOMs are becoming more complex as projects grow, with Python projects generally having more components than Go projects. Both ecosystems saw reductions in vulnerabilities in later versions. The US Executive Order of 2021 positively impacted SBOM quality, with measures like structural elements and NTIA guidelines showing significant improvements post-intervention. Integrating security scans with SBOMs helped identify a wide range of vulnerabilities. Projects varied in critical vulnerabilities, highlighting the need for tailored security strategies. CVSS scores and CWE IDs provided insights into vulnerability severity and types.
Conclusions. The thesis highlights the crucial role of SBOMs in improving software security practices in open-source projects. It shows that policy interventions like the US Executive Order and security scans can significantly enhance SBOM quality, leading to better vulnerability management and detection strategies. The findings contribute to the development of robust dependency management and vulnerability detection methodologies in open-source software projects.
3. Open Source Security and Quality Assessment : Analysera beroenden i program / Open Source Security and Quality Assessment : Analyze dependencies in programs
Gibro, Edvin; Glansholm, Bacilika; Holta, Viktor; Karlsson, Simon; Kjellin, Jessica; Randow, Max; Simonson, Erik; Söderström, Jakob. January 2024 (has links)
This report covers the project Open Source Security and Quality Assessment (OSSQA), which was developed on behalf of the cybersecurity company Advenica AB. The project was carried out by eight students in the course TDDD96, Bachelor's Project in Software Development, at Linköping University during spring 2024. The report presents the execution, results and conclusions of the project and also goes into detail on, among other things, how value was created for the customer, what experiences the members of the group managed to gather during the project, and other relevant aspects of the project. The result of the project was a product that analyzes software projects and grades their dependencies in order to finally present a score for the security and quality of the whole project. The resulting product was considered to have good usability, measured at 77.5 points according to the SUS method. The customer thus received a delivered product that met their expectations and that was easy both to use and to develop further. The project group also managed to gather many valuable experiences.