Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
125 tokens/sec
GPT-4o
53 tokens/sec
Gemini 2.5 Pro Pro
42 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

The Code the World Depends On: A First Look at Technology Makers' Open Source Software Dependencies (2404.11763v1)

Published 17 Apr 2024 in cs.SE and cs.CR

Abstract: Open-source software (OSS) supply chain security has become a topic of concern for organizations. Patching an OSS vulnerability can require updating other dependent software products in addition to the original package. However, the landscape of OSS dependencies is not well explored: we do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed. There is thus a need to understand OSS usage in major software and device makers' products. Our work takes a first step toward closing this knowledge gap. We investigate published OSS dependency information for 108 major software and device makers, cataloging how available and how detailed this information is and identifying the OSS packages that appear the most frequently in our data.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (9)
  1. Cybersecurity & Infrastructure Security Agency (CISA). Software bill of materials (SBOM). https://www.cisa.gov/sbom, 2024.
  2. Cyber Safety Review Board. Review of the December 2021 log4j event. https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf, 2022.
  3. Software identification ecosystem option analysis. https://www.cisa.gov/sites/default/files/2023-10/Software-Identification-Ecosystem-Option-Analysis-508c.pdf, 2023.
  4. Open Source Security Foundation. OpenSSF responds to the CISA RFC on software identification ecosystem analysis. https://openssf.org/blog/2023/12/11/openssf-responds-to-the-cisa-rfc-on-software-identification-ecosystem-analysis/, 2023.
  5. Sonatype. State of the software supply chain. https://www.sonatype.com/hubfs/2023%20Sonatype-%209th%20Annual%20State%20of%20the%20Software%20Supply%20Chain-%20Update.pdf, 2023.
  6. Boms away! inside the minds of stakeholders: A comprehensive study of bills of materials for software systems. In International Conference on Software Engineering (ICSE), pages 1–13, 2024.
  7. Software bill of materials (SBOM) sharing lifecycle report. https://www.osti.gov/biblio/1969133, 2023.
  8. Jai Vijayan. Why log4j mitigation is fraught with challenges. https://www.darkreading.com/application-security/why-log4j-mitigation-is-fraught-with-challenges, 2021.
  9. An empirical study on software bill of materials: Where we stand and the road ahead. In International Conference on Software Engineering (ICSE), pages 2630–2642. IEEE, 2023.

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets