bth.se
EnglishSvenskaNorsk
Change search
ExportLink to record
Permanent link

Direct link
BETA

Project

Project type/Form of grant
Project grant
Title [en]
SESAM – Secure Software Engineering Through Sensible AutoMation
Abstract [en]
The rising complexity and sophistication of cyber threats necessitate proactive security measures in software development. Traditional methods, which often incorporate security checks late in the Software Development Life Cycle (SDLC), are inadequate due to their high cost and inefficiency. There are several barriers to integrate security measures early in the development— such as supporting developers in understanding and implementing security measures, integrating security into existing workflows, avoid productivity disruptions. The project will empower developers with tools and practices to seamlessly integrate security.
Publications (2 of 2) Show all publications
Novikov, O., Fucci, D., Adamov, O. & Mendez, D. (2026). Policy-Driven Software Bill of Materials on GitHub: An Empirical Study. In: Scanniello G., Romano S., Francese R., Lenarduzzi V., Vegas S. (Ed.), Product-Focused Software Process Improvement: 26th International Conference, PROFES 2025, Salerno, Italy, December 1–3, 2025, Proceedings. Paper presented at 26th International Conference on Product-Focused Software Process Improvement, PROFES 2025, Salerno, Dec 1-3, 2025 (pp. 253-268).
Open this publication in new window or tab >>Policy-Driven Software Bill of Materials on GitHub: An Empirical Study
2026 (English)In: Product-Focused Software Process Improvement: 26th International Conference, PROFES 2025, Salerno, Italy, December 1–3, 2025, Proceedings / [ed] Scanniello G., Romano S., Francese R., Lenarduzzi V., Vegas S., 2026, p. 253-268Conference paper, Published paper (Refereed)
Abstract [en]

Background. The Software Bill of Materials (SBOM) is a machine-readable list of all the software dependencies included in a software. SBOM emerged as way to assist securing the software supply chain. However, despite mandates from governments to use SBOM, research on this artifact is still in its early stages.

Aims. We want to understand the current state of SBOM in open-source projects, focusing specifically on policy-driven SBOMs—i.e., SBOM created to achieve security goals, such as enhancing project transparency and ensuring compliance, rather than being used as fixtures for tools or artificially generated for benchmarking or academic research purposes.

Method. We performed a mining software repository study to collect and carefully select 620 SBOM files hosted on GitHub. We analyzed the information reported in policy-driven SBOMs and the vulnerabilities associated with the declared dependencies by means of descriptive statistics.

Results. We show that only 0.56% of popular GitHub repositories contain policy-driven SBOM. The declared dependencies contain 2,202 unique vulnerabilities, while 22% of them do not report licensing information.

Conclusion. Our findings provide insights for SBOM usage to support security assessment and licensing. 
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 16361
Keywords
dependencies, open-source, SBOM, software security, Supply chain attacks, vulnerabilities, Network security, Open systems, Supply chains, Bill of materials, Dependency, Empirical studies, Policy driven, Software bill of material, Software dependencies, Supply chain attack, Vulnerability, Open source software
National Category
Software Engineering
Identifiers
urn:nbn:se:bth-28990 (URN)10.1007/978-3-032-12089-2_16 (DOI)001718768800016 ()2-s2.0-105023309206 (Scopus ID)9783032120885 (ISBN)
Conference
26th International Conference on Product-Focused Software Process Improvement, PROFES 2025, Salerno, Dec 1-3, 2025
Funder
Knowledge Foundation, 20180010Knowledge Foundation, 20230087
Available from: 2025-12-12 Created: 2025-12-12 Last updated: 2026-04-17Bibliographically approved
Fucci, D., Di Penta, M., Romano, S. & Scanniello, G. (2025). Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub. In: Li, J (Ed.), FSE Companion '25: Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering. Paper presented at 33rd ACM International Conference on the Foundations of Software Engineering, FSE Companion 2025, Trondheim, June 23-27, 2025 (pp. 631-635). Association for Computing Machinery (ACM)
Open this publication in new window or tab >>Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub
2025 (English)In: FSE Companion '25: Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering / [ed] Li, J, Association for Computing Machinery (ACM), 2025, p. 631-635Conference paper, Published paper (Refereed)
Abstract [en]

Software Bills of Material (SBOMs) are becoming a consolidated-and often enforced by governmental regulations-way to describe software composition. However, based on recent studies, SBOMs suffer from limited support for their consumption and lack information beyond simple dependencies, especially regarding software vulnerabilities. This paper reports the results of a preliminary study in which we augmented SBOMs of 40 open-source projects with information about Common Vulnerabilities and Exposures (CVE) exposed by project dependencies. Our augmented SBOMs have been evaluated by submitting pull requests and by asking project owners to answer a survey. Although, in most cases, augmented SBOMs were not directly accepted because owners required a continuous SBOM update, the received feedback shows the usefulness of the suggested SBOM augmentation.
Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2025
Keywords
SBOM, Software repositories, VEX, Vulnerabilities management
National Category
Software Engineering
Identifiers
urn:nbn:se:bth-28600 (URN)10.1145/3696630.3728513 (DOI)001593214400070 ()2-s2.0-105013970463 (Scopus ID)9798400712760 (ISBN)
Conference
33rd ACM International Conference on the Foundations of Software Engineering, FSE Companion 2025, Trondheim, June 23-27, 2025
Funder
Knowledge Foundation, 20230087Knowledge Foundation, 20180010
Available from: 2025-09-05 Created: 2025-09-05 Last updated: 2025-12-15Bibliographically approved
Principal InvestigatorFucci, Davide
Coordinating organisation
Blekinge Institute of Technology
Funder
Period
2024-01-01 - 2027-12-31
National Category
Software Engineering
Identifiers
DiVA, id: project:9549Project, id: 20230087

Search in DiVA

Software Engineering

Search outside of DiVA

GoogleGoogle Scholar

Link to external project page

v. 2.47.0
|
WCAG
|
BTH Library
|
Publish/Register
|
How to publish/register
|
Diva portal
|
SwePub
|
Uppsök