Understanding the Software Bill Of Material for supply-chain management in Open Source projects
2023 (English)Independent thesis Basic level (degree of Bachelor), 10 credits / 15 HE credits
Student thesis
Abstract [en]
There has been an increase in the discussion about Software Bills of Material (SBOM) in the last few years, following a number of big-scale supply-chain attacks and vulnerabilities discovered in Open Source third-party packages. However, there is a lot to be done before the software community as a whole can fully reap the benefits SBOMs are claimed to provide.
The objective of this thesis is to investigate how far the Open Source software (OSS) community has come in adopting SBOMs, and how the existing SBOMs evolve, focusing on the Software Package Data Exchange (SPDX) format. For the purpose of this investigation an archival study was conducted, looking for SBOMs in OSS projects on GitHub and analyzing their content and evolution. This is one of the first large-scale searches for SBOMs in OSS projects, with the objective to research the practice of SBOM.
Only a fraction of the repositories that were inspected contained a SBOM, and most of them were found in Go projects. The SBOMs could be found in the source code of the repository, but the majority were found amongst the assets in the releases. Overall, the SBOMs were updated frequently using the latest SPDX format, and most stayed consistent with the quality of the content over time.
Place, publisher, year, edition, pages
2023. , p. 32
Keywords [en]
SBOM, Software Bill of Material, SPDX, supply-chain management
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-24821OAI: oai:DiVA.org:bth-24821DiVA, id: diva2:1767221
Subject / course
PA1445 Kandidatkurs i Programvaruteknik
Educational program
PAGWE Web Programming
Supervisors
Examiners
2023-06-152023-06-132023-06-15Bibliographically approved