A Software Bill of Materials (SBOM) describes, in a structured and machine-readable format, the open-source and proprietary components that constitute a software product, including their licenses, versions, vendors, known vulnerabilities, and dependency relationships. SBOMs give practitioners visibility into the software supply chain and let them monitor the security, licensing, and other risks associated with the components they ship.
Public administrations have been promoting SBOMs as a means toward secure and accountable software products. For example, in 2021 the United States Government, through President Biden's Executive Order 14028, required that any organization releasing software products to federal agencies provide SBOMs for those products. Moreover, in 2022 the European Commission proposed a cybersecurity regulation (the Cyber Resilience Act) under which software producers must document the vulnerabilities and components of their software products with SBOMs. As a result, SBOMs are expected to shortly become the de facto standard for any organization that develops or maintains software products, in both industrial and open-source contexts.
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "group": "org.example",
      "name": "mylibrary",
      "version": "1.0.0",
      "cpe": "cpe:/a:example:mylibrary:1.0.0",
      "purl": "pkg:maven/org.example/mylibrary@1.0.0",
      "externalReferences": [
        {
          "type": "advisories",
          "url": "https://example.org/security/advisories.json"
        }
      ]
    }
  ]
}
Example illustrating a component (specifically, a library) in an SBOM, according to the CycloneDX standard in its JSON format. The cpe and purl fields give the component a machine-resolvable identity, and the externalReferences entry points at the vendor's advisory feed, which is how an SBOM consumer ties the component to its known vulnerabilities.
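The following is an added example written for this page, not code from the MSR4SBOM project or from CycloneDX. It is a small Python consumer for a CycloneDX JSON document like the one above: it checks the document's top-level shape, walks the dependencies graph to obtain the transitive closure of a component's dependencies (terminating on cycles and treating refs absent from the graph as leaves), and reports which components cannot be matched to a purl-keyed advisory feed because they carry no purl. The SBOM, the component names and versions, and the advisory feed are constructed for the example; EXAMPLE-ADV-0001 is a placeholder identifier, not a real advisory.

```python
"""Minimal CycloneDX JSON consumer (added example, standard library only)."""
import json
from collections import deque

# Constructed sample SBOM for illustration; names and versions are made up.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "bom-ref": "app",
                      "name": "myapp", "version": "2.3.0"}
    },
    "components": [
        {"type": "library", "bom-ref": "lib-a", "group": "org.example",
         "name": "mylibrary", "version": "1.0.0",
         "purl": "pkg:maven/org.example/mylibrary@1.0.0"},
        {"type": "library", "bom-ref": "lib-b", "group": "org.example",
         "name": "json-parser", "version": "4.1.2",
         "purl": "pkg:maven/org.example/json-parser@4.1.2"},
        # Vendored code copied into the tree: no purl, so no feed can match it.
        {"type": "library", "bom-ref": "lib-c",
         "name": "vendored-util", "version": "0.9"},
    ],
    # Each entry lists what `ref` depends on. lib-c has no entry at all, and
    # lib-b depends back on lib-a, forming a cycle as real graphs can.
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a"]},
        {"ref": "lib-a", "dependsOn": ["lib-b", "lib-c"]},
        {"ref": "lib-b", "dependsOn": ["lib-a"]},
    ],
})

# Constructed advisory feed keyed by exact purl. The identifier is a
# placeholder, not a real advisory; real feeds express affected version ranges.
SAMPLE_FEED = {
    "pkg:maven/org.example/json-parser@4.1.2": ["EXAMPLE-ADV-0001"],
}


def load_sbom(text):
    """Parse the document and sanity-check its top-level shape."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if not isinstance(bom.get("specVersion"), str):
        raise ValueError("specVersion missing")
    if not isinstance(bom.get("components", []), list):
        raise ValueError("components must be a list")
    return bom


def index_components(bom):
    """Map bom-ref -> component, including the root described in metadata."""
    index = {}
    root = bom.get("metadata", {}).get("component")
    if root and "bom-ref" in root:
        index[root["bom-ref"]] = root
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref")
        if ref is None:
            continue  # nothing can refer to this component by ref
        if ref in index:
            raise ValueError(f"duplicate bom-ref {ref!r}")
        index[ref] = comp
    return index


def transitive_deps(bom, start):
    """Set of bom-refs reachable from `start` through dependsOn edges.
    Refs with no entry in `dependencies` are leaves; cycles terminate."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, queue = set(), deque(edges.get(start, []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(edges.get(ref, []))
    seen.discard(start)  # a cycle back to the start is not a dependency of itself
    return seen


def unmatchable_components(bom):
    """bom-refs of listed components that carry no purl and so cannot be
    identified by a purl-keyed advisory feed."""
    return sorted(c["bom-ref"] for c in bom.get("components", [])
                  if "bom-ref" in c and not c.get("purl"))


def match_advisories(bom, feed):
    """Map each component's bom-ref to the advisory ids matching its purl exactly."""
    hits = {}
    for comp in bom.get("components", []):
        ids = feed.get(comp.get("purl"))
        if ids:
            hits[comp["bom-ref"]] = list(ids)
    return hits


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM_JSON)
    print("transitive deps of app:", sorted(transitive_deps(bom, "app")))
    print("components without purl:", unmatchable_components(bom))
    print("advisory hits:", match_advisories(bom, SAMPLE_FEED))
```

Two things this makes visible that the JSON alone does not: a component reachable only transitively (lib-b) is still the one that matches the feed, and a component without a purl (lib-c) silently drops out of any feed-based check, so an SBOM consumer should report such components rather than treat an empty match as "no known issues". Exact purl equality is a simplification; production feeds describe affected version ranges.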
MSR4SBOM aims to build on the team's long-standing experience in diverse areas of Software Engineering to develop innovative solutions for creating and validating enhanced SBOMs. Specifically, MSR4SBOM will address the following challenges:
Dealing with software supply chains requires handling and integrating information and dependencies from components at different levels of granularity (e.g., libraries or code snippets).
The set of dependencies that SBOMs need to consider is complex and originates from different sources (e.g., software/hardware configurations, static/dynamic linking, services, or files).
The high heterogeneity of components requires customized processes to produce and consume SBOMs, and the limited reusability of SBOMs can hinder the management of licensing and security concerns.
MSR4SBOM aims to address the following four objectives:
Understanding how extensively SBOMs are used by industrial and open-source practitioners, along with the associated challenges and needs.
Developing approaches and tools to create enhanced and fine-grained SBOMs, with detailed information on licensing/security concerns.
Developing recommender systems that notify developers when events concerning the components listed in enhanced SBOMs occur.
Conducting in-field empirical evaluations of the proposed approaches and tools to promote their adoption by industrial and open-source practitioners.
Prof. Giuseppe Scanniello (Principal Investigator)
Prof. Simone Romano
Prof. Rita Francese
Sabato Nocera
Pietro Cassieri
October 2024 | Presentation | 🇪🇸 ESEM: International Symposium on Empirical Software Engineering and Measurement | MSR4SBOM: Mining Software Repositories for enhanced Software Bills of Materials
October 2024 | Presentation | 🇺🇸 ICSME: International Conference on Software Maintenance and Evolution | If it's not SBOM, then what? How Italian Practitioners Manage the Software Supply Chain
June 2024 | Presentation | 🇮🇹 EASE: International Conference on Evaluation and Assessment in Software Engineering | On the Accuracy of GitHub's Dependency Graph
October 2023 | Presentation | 🇨🇴 ICSME: International Conference on Software Maintenance and Evolution | Software Bill of Materials Adoption: A Mining Study from GitHub