Accuracy Evaluation of SBOM Tools for Web Applications and System-Level Software | Proceedings of the 19th International Conference on Availability, Reliability and Security (2024)

Authors: Andreas Halbritter and Dominik Merli

ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security

July 2024

Article No.: 55, Pages 1 - 9

Published: 30 July 2024

Abstract

Recent vulnerabilities in software such as Log4j raise the question of whether the software supply chain is secured sufficiently. Governmental initiatives in the United States (US) and the European Union (EU) demand a Software Bill of Materials (SBOM) to address this issue. An SBOM has to be produced with creation tools, and it has to be accurate and complete. There have been previous investigations in this field of research; however, no detailed investigation of several SBOM-producing tools has been conducted with regard to accuracy and reliability. For this reason, we present a selection of four popular programming languages: Python, C, Rust and TypeScript. For web application software we consider Python and TypeScript, while for system-level software C and Rust are investigated. These form the basis of four sample software projects and their respective package managers. To allow manual checking, the software projects are kept small, with a small number of packages and a single dependency. The open-source analysis tools are categorized as programming-language-dependent and general tools, and are run in their standard execution mode on the software projects. The results were checked for completeness and against the National Telecommunications and Information Administration (NTIA) minimum and recommended elements. There is no recommendation for a specific tool, as no tool fulfills every requirement; only two tools can be recommended in a limited way. Many tools do not provide a complete SBOM, as they do not depict every test package and dependency. Governmental initiatives should define further specifications for SBOMs, for example regarding their accuracy and depth. Further research in this field, for example on proprietary tools or other programming languages, is desirable.
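The abstract describes checking a generated SBOM for two things: completeness against what the package manager actually installed, and the presence of the NTIA minimum data fields (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp). The following Python script is an added example of such a check and is not code from the paper or from any of the evaluated tools. The SBOM document (shaped like a CycloneDX JSON file), the expected dependency set and the mapping of NTIA fields onto CycloneDX keys are all this example's own constructed assumptions.

```python
"""Check a CycloneDX-style SBOM against the NTIA minimum data fields and
against the dependency set the project is known to have.

Added example, not code from the paper. The SBOM below and the expected
package list are constructed for illustration; the mapping of NTIA fields
onto CycloneDX keys (supplier/name/version/purl, metadata.authors,
metadata.timestamp, dependencies) is this example's own choice.
"""
import json

# Constructed SBOM. The 'click' component deliberately lacks a supplier and
# the SBOM omits the transitive 'colorama' package, so both checks have findings.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-05-10T12:00:00Z",
    "authors": [{"name": "example-generator"}],
    "component": {"type": "application", "name": "sample-app", "version": "0.1.0",
                  "bom-ref": "pkg:pypi/sample-app@0.1.0"}
  },
  "components": [
    {"type": "library", "name": "click", "version": "8.1.7",
     "purl": "pkg:pypi/click@8.1.7", "bom-ref": "pkg:pypi/click@8.1.7"},
    {"type": "library", "name": "pytest", "version": "8.2.0",
     "supplier": {"name": "pytest-dev"},
     "purl": "pkg:pypi/pytest@8.2.0", "bom-ref": "pkg:pypi/pytest@8.2.0"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/sample-app@0.1.0",
     "dependsOn": ["pkg:pypi/click@8.1.7", "pkg:pypi/pytest@8.2.0"]}
  ]
}
'''

# Constructed ground truth: name -> version as resolved by the package manager
# (what a lock file would list, including the test package and its transitive dependency).
EXPECTED_PACKAGES = {"click": "8.1.7", "colorama": "0.4.6", "pytest": "8.2.0"}


def check_ntia_minimum(sbom: dict) -> list:
    """Return one finding per NTIA minimum data field that is missing."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("sbom: missing timestamp")
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("sbom: missing author of SBOM data")
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings.append("component: missing name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: missing unique identifier (purl/cpe)")
    # Dependency relationship: every component must appear somewhere in the graph.
    referenced = set()
    for dep in sbom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        if comp.get("bom-ref") not in referenced:
            findings.append(f"{comp.get('name')}: not linked in dependency relationships")
    return findings


def check_completeness(sbom: dict, expected: dict) -> dict:
    """Compare the components listed in the SBOM with the expected name -> version set."""
    found = {c.get("name"): c.get("version") for c in sbom.get("components", [])}
    return {
        "missing": sorted(n for n in expected if n not in found),
        "version_mismatch": sorted(n for n in expected if n in found and found[n] != expected[n]),
        "unexpected": sorted(n for n in found if n not in expected),
    }


def evaluate(sbom_text: str, expected: dict) -> dict:
    """Run both checks on an SBOM given as JSON text."""
    sbom = json.loads(sbom_text)
    return {"ntia": check_ntia_minimum(sbom),
            "completeness": check_completeness(sbom, expected)}


if __name__ == "__main__":
    print(json.dumps(evaluate(SBOM_JSON, EXPECTED_PACKAGES), indent=2))
```

On the constructed input the script reports that `click` has no supplier name and that `colorama` is absent from the SBOM; the same two checks, fed the real lock file and a tool's real output, are what separates an incomplete SBOM from one that satisfies the NTIA minimum elements.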

Index Terms

1. Accuracy Evaluation of SBOM Tools for Web Applications and System-Level Software
   1. Security and privacy
      1. Software and application security
         1. Software security engineering
            1. Web application security
   2. Software and its engineering
      1. Software creation and management
         1. Software post-development issues
            1. Maintaining software
         2. Software notations and tools
            1. Software libraries and repositories
               1. Software maintenance tools

Published In

ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security

July 2024, 2032 pages

ISBN: 9798400717185

DOI: 10.1145/3664476

Copyright © 2024 Owner/Author. This work is licensed under a Creative Commons Attribution-ShareAlike International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

1. C
2. Evaluation
3. Package manager
4. Python
5. Rust
6. Software Bill of Materials
7. Software Security
8. Tool accuracy
9. Typescript

Qualifiers

• Research-article
• Research
• Refereed limited

Conference: ARES 2024

Acceptance Rates: Overall Acceptance Rate 228 of 451 submissions, 51%
