SIT: An accurate, compliant SBOM generator with incremental construction
This program is tentative and subject to change.
An SBOM (Software Bill of Materials) is a comprehensive list of the components, relationships and metadata associated with a piece of software, and is essential for component transparency in the software supply chain. The complexity of SBOMs and the effort of writing them by hand call for automation. However, existing automated tools rely heavily on parsing dependency manifests and source code without verifying the accuracy of the information they extract. Worse, existing SBOM generators sometimes fail to yield a specification-compliant SBOM. Additionally, existing SBOM generators cannot, in one pass, compose a complete SBOM from the information developers know best together with entries hidden in the dependencies' own metadata. To address these inaccuracy, non-compliance and incompleteness issues of SBOM generation, we propose SIT, an accurate, compliant SBOM generator with incremental construction. Through incremental construction, SIT aggregates manually maintained SBOMs and dependency SBOMs and exports SBOMs for editing, improving the correctness and completeness of the result. This capability is built on SBOM IR, a flexible intermediate format that consolidates the essential information and acts as a bridge between software representations. By integrating SBOM IR with the official SBOM JSON schemas, SIT ensures that all generated SBOMs comply with the SBOM specifications. Additionally, SIT improves SBOM accuracy with cross-validation, resolving inconsistencies against the real environment. SIT is publicly available at https://github.com/osslab-pku/SIT, and a demonstration video can be found at https://youtu.be/LbzslijVPLc.
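The abstract names three ideas: an intermediate representation that several sources feed into, incremental merging of a developer-maintained SBOM with dependency metadata, and cross-validation of the result against the real environment before exporting a schema-compliant document. The following is an added illustration of that workflow in Python; it is not SIT's code, and SIT's actual IR format, merge policy and schema handling are not described on this page. It assumes a CycloneDX-style document as the manual SBOM, a pip-freeze-style lockfile as the dependency source, a constructed dictionary of installed packages as the "environment", and a minimal structural check (`check_compliance`) standing in for validation against the official JSON schema.

```python
"""Illustrative incremental SBOM construction with cross-validation (added example, not SIT's code)."""
import json
from dataclasses import dataclass, field

# Constructed inputs standing in for the three sources the abstract names:
# a developer-maintained SBOM, dependency metadata, and the real environment.
MANUAL_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},   # developer knows the license
        {"type": "library", "name": "internal-lib", "version": "1.0.0"},
    ],
}
LOCKFILE = "requests==2.32.0\nurllib3==2.2.1\n"   # pip-freeze style dependency metadata (constructed)
INSTALLED = {"requests": "2.32.0", "urllib3": "2.2.1", "certifi": "2024.2.2"}  # observed environment (constructed)

@dataclass
class Component:
    name: str
    version: str = ""
    purl: str = ""
    license: str = ""
    sources: list = field(default_factory=list)  # which inputs contributed this entry
    notes: list = field(default_factory=list)    # conflicts and findings recorded during construction

@dataclass
class SbomIR:
    """Hypothetical intermediate representation: one consolidated entry per component name."""
    subject: str
    components: dict = field(default_factory=dict)

    def add(self, comp, source):
        """Merge one component: keep the first version seen, fill gaps, record conflicts."""
        existing = self.components.get(comp.name)
        if existing is None:
            comp.sources.append(source)
            self.components[comp.name] = comp
            return
        if comp.version and existing.version and comp.version != existing.version:
            existing.notes.append(
                f"version conflict: {existing.version} ({existing.sources[0]}) vs {comp.version} ({source})")
        for attr in ("version", "purl", "license"):   # later sources only fill what earlier ones left empty
            if not getattr(existing, attr):
                setattr(existing, attr, getattr(comp, attr))
        existing.sources.append(source)

def ir_from_cyclonedx(doc):
    for c in doc.get("components", []):
        lic = (c.get("licenses") or [{}])[0].get("license", {}).get("id", "")
        yield Component(c["name"], c.get("version", ""), c.get("purl", ""), lic)

def ir_from_lockfile(text):
    for line in text.splitlines():
        if "==" in line:
            name, ver = line.strip().split("==", 1)
            yield Component(name, ver, f"pkg:pypi/{name}@{ver}")

def cross_validate(ir, installed):
    """Reconcile the IR with what is actually installed; the environment wins on version."""
    for name, comp in ir.components.items():
        if name not in installed:
            comp.notes.append("not found in environment")
        elif installed[name] != comp.version:
            comp.notes.append(f"environment has {installed[name]}, SBOM said {comp.version}")
            comp.version = installed[name]
            if comp.purl:
                comp.purl = comp.purl.rsplit("@", 1)[0] + "@" + comp.version
    for name, ver in installed.items():   # packages present but declared nowhere
        if name not in ir.components:
            ir.add(Component(name, ver, f"pkg:pypi/{name}@{ver}",
                             notes=["undeclared: present in environment only"]), "environment")

def export_cyclonedx(ir):
    comps = []
    for c in ir.components.values():
        entry = {"type": "library", "name": c.name, "version": c.version}
        if c.purl:
            entry["purl"] = c.purl
        if c.license:
            entry["licenses"] = [{"license": {"id": c.license}}]
        comps.append(entry)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "name": ir.subject}},
            "components": comps}

def check_compliance(doc):
    """Minimal structural check; a stand-in for validating against the official JSON schema."""
    errors = [f"missing {k}" for k in ("bomFormat", "specVersion", "version", "components") if k not in doc]
    if doc.get("bomFormat") not in (None, "CycloneDX"):
        errors.append("bomFormat must be CycloneDX")
    for i, c in enumerate(doc.get("components", [])):
        for k in ("type", "name"):
            if k not in c:
                errors.append(f"components[{i}] missing {k}")
    return errors

def build_example():
    ir = SbomIR("demo-app")
    for c in ir_from_cyclonedx(MANUAL_SBOM):
        ir.add(c, "manual")
    for c in ir_from_lockfile(LOCKFILE):
        ir.add(c, "dependency")
    cross_validate(ir, INSTALLED)
    doc = export_cyclonedx(ir)
    return ir, doc, check_compliance(doc)

if __name__ == "__main__":
    ir, doc, errors = build_example()
    print(json.dumps(doc, indent=2))
    for c in ir.components.values():
        for n in c.notes:
            print(f"{c.name}: {n}")
    print("compliance errors:", errors or "none")
```

Running it shows the three kinds of finding a practitioner wants surfaced rather than silently resolved: the manual SBOM's stale `requests` version conflicts with the lockfile and is corrected to the installed one, `internal-lib` is declared but absent from the environment, and `certifi` is installed but declared nowhere. The notes stay attached to the IR so they can be reviewed when the SBOM is exported for editing.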
Thu 1 May (displayed time zone: Eastern Time (US & Canada))

11:00 - 12:30 | Analysis 2
SE In Practice (SEIP) / Journal-first Papers / Demonstrations, at 205
Chair(s): Mahmoud Alfadel (University of Calgary)

11:00 (15m talk) | SIT: An accurate, compliant SBOM generator with incremental construction
Demonstrations. Changguo Jia (Peking University), NIANYU LI (ZGC Lab, China), Kai Yang (School of Computer, Electronics and Information, Guangxi University), Minghui Zhou (Peking University)

11:15 (15m talk) | Towards Better Static Analysis Bug Reports in the Clang Static Analyzer
SE In Practice (SEIP). Kristóf Umann (Eötvös Loránd University, Faculty of Informatics, Dept. of Programming Languages and Compilers), Zoltán Porkoláb (Ericsson)

11:30 (15m talk) | Automatic Identification of Game Stuttering via Gameplay Videos Analysis
Journal-first Papers. Emanuela Guglielmi (University of Molise), Gabriele Bavota (Software Institute @ Università della Svizzera Italiana), Rocco Oliveto (University of Molise), Simone Scalabrino (University of Molise)

11:45 (15m talk) | LLM Driven Smart Assistant for Data Mapping
SE In Practice (SEIP). Arihant Bedagkar (Tata Consultancy Services), Sayandeep Mitra (Tata Consultancy Services), Raveendra Kumar Medicherla (TCS Research, Tata Consultancy Services), Ravindra Naik (TCS Research, TRDDC, India), Samiran Pal (Tata Consultancy Services)

12:00 (15m talk) | On the Diagnosis of Flaky Job Failures: Understanding and Prioritizing Failure Categories
SE In Practice (SEIP). Henri Aïdasso (École de technologie supérieure (ÉTS)), Francis Bordeleau (École de Technologie Supérieure (ETS)), Ali Tizghadam (TELUS). Pre-print available.

12:15 (7m talk) | AddressWatcher: Sanitizer-Based Localization of Memory Leak Fixes
Journal-first Papers. Aniruddhan Murali (University of Waterloo), Mahmoud Alfadel (University of Calgary), Mei Nagappan (University of Waterloo), Meng Xu (University of Waterloo), Chengnian Sun (University of Waterloo)