Understanding the Software Bill Of Material for supply-chain management in Open Source projects
Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science.
2023 (English). Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits. Student thesis.
Abstract [en]

Discussion of Software Bills of Material (SBOMs) has increased in the last few years, following a number of large-scale supply-chain attacks and vulnerabilities discovered in Open Source third-party packages. However, there is a lot to be done before the software community as a whole can fully reap the benefits SBOMs are claimed to provide.

The objective of this thesis is to investigate how far the Open Source software (OSS) community has come in adopting SBOMs, and how the existing SBOMs evolve, focusing on the Software Package Data Exchange (SPDX) format. For the purpose of this investigation an archival study was conducted, looking for SBOMs in OSS projects on GitHub and analyzing their content and evolution. This is one of the first large-scale searches for SBOMs in OSS projects, with the objective of studying SBOM practice.

Only a fraction of the repositories that were inspected contained an SBOM, and most of them were found in Go projects. Some SBOMs were found in the source code of the repository, but the majority were found amongst the assets in the releases. Overall, the SBOMs were updated frequently using the latest SPDX format, and the quality of their content mostly stayed consistent over time.

Place, publisher, year, edition, pages
2023, p. 32
Keywords [en]
SBOM, Software Bill of Material, SPDX, supply-chain management
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-24821
OAI: oai:DiVA.org:bth-24821
DiVA id: diva2:1767221
Subject / course
PA1445 Kandidatkurs i Programvaruteknik (Bachelor's course in Software Engineering)
Educational program
PAGWE Web Programming
Available from: 2023-06-15. Created: 2023-06-13. Last updated: 2023-06-15. Bibliographically approved.

Open Access in DiVA

Understanding the Software Bill Of Material for supply-chain management in Open Source projects (820 kB), 224 downloads
File information
File name: FULLTEXT01.pdf
File size: 820 kB
Checksum (SHA-512): 1e9bb1ad498fdd8ecbcc4d6cdc59a7756979a9889e1a1077055926d50396f9ac8244b11952f30f6e22ed01d670f3d5089da28e6fd12ce62db92c2dfd58bee9ee
Type: fulltext
Mimetype: application/pdf

By organisation
Department of Computer Science
Software Engineering
