Understanding the Software Bill Of Material for supply-chain management in Open Source projects
2023 (engelsk)Independent thesis Basic level (degree of Bachelor), 10 poäng / 15 hp
Oppgave
Abstract [en]
There has been an increase in the discussion about Software Bills of Material (SBOM) in the last few years, following a number of big-scale supply-chain attacks and vulnerabilities discovered in Open Source third-party packages. However, there is a lot to be done before the software community as a whole can fully reap the benefits SBOMs are claimed to provide.
The objective of this thesis is to investigate how far the Open Source software (OSS) community has come in adopting SBOMs, and how the existing SBOMs evolve, focusing on the Software Package Data Exchange (SPDX) format. For the purpose of this investigation an archival study was conducted, looking for SBOMs in OSS projects on GitHub and analyzing their content and evolution. This is one of the first large-scale searches for SBOMs in OSS projects, with the objective to research the practice of SBOM.
Only a fraction of the repositories that were inspected contained a SBOM, and most of them were found in Go projects. The SBOMs could be found in the source code of the repository, but the majority were found amongst the assets in the releases. Overall, the SBOMs were updated frequently using the latest SPDX format, and most stayed consistent with the quality of the content over time.
sted, utgiver, år, opplag, sider
2023. , s. 32
Emneord [en]
SBOM, Software Bill of Material, SPDX, supply-chain management
HSV kategori
Identifikatorer
URN: urn:nbn:se:bth-24821OAI: oai:DiVA.org:bth-24821DiVA, id: diva2:1767221
Fag / kurs
PA1445 Kandidatkurs i Programvaruteknik
Utdanningsprogram
PAGWE Web Programming
Veileder
Examiner
2023-06-152023-06-132023-06-15bibliografisk kontrollert