Return to search

Towards Understanding and Securing the OSS Supply Chain

Free and Open-Source Software (FOSS) has become an integral part of the
software supply chain in the past decade. Various entities (automated tools
and humans) are involved at different stages of the software supply chain.
Some actions that occur in the chain may result in vulnerabilities or malicious
code injected in a published artifact distributed in a package repository.
At the end of the software supply chain, developers or end-users may consume
the resulting artifacts altered in transit, including benign and malicious
injection.

This dissertation starts from the first link in the software supply chain,
‘developers’. Since many developers do not update their vulnerable software
libraries, thus exposing the user of their code to security risks. To understand
how they choose, manage and update the libraries, packages, and other
Open-Source Software (OSS) that become the building blocks of companies’
completed products consumed by end-users, twenty-five semi-structured interviews
were conducted with developers of both large and small-medium enterprises
in nine countries. All interviews were transcribed, coded, and analyzed
according to applied thematic analysis.

Although there are many observations about developers’ attitudes on selecting
dependencies for their projects, additional quantitative work is needed
to validate whether behavior matches or whether there is a gap. Therefore,
we provide an extensive empirical analysis of twelve quality and popularity
factors that should explain the corresponding popularity (adoption) of PyPI
packages was conducted using our tool called py2src.

At the end of the software supply chain, software libraries (or packages)
are usually downloaded directly from the package registries via package dependency
management systems under the comfortable assumption that no discrepancies are introduced in the last mile between the source code and
their respective packages. However, such discrepancies might be introduced
by manual or automated build tools (e.g., metadata, Python bytecode files)
or for evil purposes (malicious code injects). To identify differences between
the published Python packages in PyPI and the source code stored on Github,
we developed a new approach called LastPyMile . Our approach has been
shown to be promising to integrate within the current package dependency
management systems or company workflow for vetting packages at a minimal
cost.

With the ever-increasing numbers of software bugs and security vulnerabilities,
the burden of secure software supply chain management on developers
and project owners increases. Although automated program repair approaches
promise to reduce the burden of bug-fixing tasks by suggesting likely correct
patches for software bugs, little is known about the practical aspects of using
APR tools, such as how long one should wait for a tool to generate a bug fix.
To provide a realistic evaluation of five state-of-the-art APR tools, 221 bugs
from 44 open-source Java projects were run within a reasonable developers’
time and effort.

Identiferoai:union.ndltd.org:unitn.it/oai:iris.unitn.it:11572/333508
Date14 March 2022
CreatorsVu Duc, Ly
ContributorsVu Duc, Ly, Massacci, Fabio
PublisherUniversità degli studi di Trento, place:TRENTO
Source SetsUniversità di Trento
LanguageEnglish
Detected LanguageEnglish
Typeinfo:eu-repo/semantics/doctoralThesis
Rightsinfo:eu-repo/semantics/openAccess
Relationfirstpage:1, lastpage:161, numberofpages:161

Page generated in 0.0022 seconds