Policy-driven Software Bill of Materials on GitHub: An Empirical Study
Background. The Software Bill of Materials (SBOM) is a machine-readable list of all the software dependencies included in a software. SBOM emerged as way to assist securing the software supply chain. However, despite mandates from governments to use SBOM, research on this artifact is still in its early stages. Aims. We want to understand the current state of SBOM in open-source projects, focusing specifically on policy-driven SBOMs—i.e., SBOM created to achieve security goals, such as enhancing project transparency and ensuring compliance, rather than being used as fixtures for tools or artificially generated for benchmarking or academic research purposes. Method. We performed a mining software repository study to collect and carefully select SBOM files hosted on GitHub. We analyzed the information reported in policy-driven SBOMs and the vulnerabilities associated with the declared dependencies by means of descriptive statistics. Results. We show that only 0.56% of popular GitHub repositories contain policy-driven SBOM. The declared dependencies contain 2,202 unique vulnerabilities, while 22% of them do not report licensing information. Conclusion. Our findings provide insights for SBOM usage to support security assessment and licensing.
Wed 3 DecDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
11:30 - 13:00 | Software Composition, Compliance, and SecurityResearch Papers / Short Papers and Posters / Industry Papers at Sala degli Affreschi (Fresco Room) Chair(s): Eriks Klotins Blekinge Institute of Technology | ||
11:30 15mTalk | AI Alignment for Ethical Compliance and Risk Mitigation in Industrial Applications Research Papers Rushali Gupta Lund University, Qunying Song University College London, Matthias Wagner Lund University, Emelie Engstrom Lund University, Emma Söderberg Lund University, Markus Borg CodeScene, Per Runeson Lund University | ||
11:45 15mTalk | FOSS-chain: using blockchain for Open Source Software license compliance Research Papers Kypros Iacovou University of Cyprus, Georgia Kapitsaki University of Cyprus, Evangelia Vanezi University of Cyprus File Attached | ||
12:00 15mTalk | Pipelines Under Pressure: An Empirical Study of Security Misconfigurations of GitHub Workflows Research Papers Edoardo Riggio Software Institute - USI, Lugano, Cesare Pautasso Software Institute, Faculty of Informatics, USI Lugano DOI | ||
12:15 15mTalk | Policy-driven Software Bill of Materials on GitHub: An Empirical Study Research Papers Oleksii Novikov Blekinge Institute of Technology, Davide Fucci Blekinge Institute of Technology, Oleksandr Adamov Blekinge Institute of Technology, Daniel Mendez Blekinge Institute of Technology and fortiss | ||
12:30 10mTalk | Cross-Domain Evaluation of Transformer-Based Vulnerability Detection on Open & Industry Data Industry Papers Moritz Mock Free University of Bozen-Bolzano, Thomas Forrer Wurth Phoenix S.r.l., Barbara Russo Free University of Bolzano DOI Pre-print File Attached | ||
12:40 7mTalk | Detecting and Characterizing Low and No Functionality Packages in the NPM Ecosystem Short Papers and Posters Napasorn Tevarut Kasetsart University, Brittany Reid Nara Institute of Science and Technology, Yutaro Kashiwa Nara Institute of Science and Technology, Pattara Leelaprute Kasetsart University, Arnon Rungsawang Kasetsart University, Bundit Manaskasemsak Kasetsart University, Hajimu Iida Nara Institute of Science and Technology File Attached | ||
12:47 7mTalk | An Empirical Study of Security-Policy Related Issues in Open Source Projects Short Papers and Posters Rintaro Kanaji Nara Institute of Science and Technology, Brittany Reid Nara Institute of Science and Technology, Yutaro Kashiwa Nara Institute of Science and Technology, Raula Gaikovina Kula The University of Osaka, Hajimu Iida Nara Institute of Science and Technology File Attached | ||