AROMA: Automatic Reproduction of Maven Artifacts
Mehdi Keshani, Tudor-Gabriel Velican, Gideon Bot et al.

Proceedings of the ACM on Software Engineering, Journal Year: 2024, Volume and Issue: 1(FSE), P. 836 - 858

Published: July 12, 2024

Modern software engineering establishes supply chains and relies on tools and libraries to improve productivity. However, reusing external components in a project presents a security risk when the source of a component is unknown or its consistency cannot be verified. The SolarWinds attack serves as a popular example, in which the injection of malicious code into a library affected thousands of customers and caused losses of billions of dollars. Reproducible builds present a mitigation strategy, as they can confirm the origin of reused components. A large reproducibility community has formed for Debian, but the Maven ecosystem, the backbone of the Java supply chain, remains understudied in comparison. Central, an initiative that curates a list of reproducible libraries, is limited and challenging to maintain due to the manual effort involved. Our research aims to support these efforts in the ecosystem through automation. We investigate the feasibility of automatically finding the source from its release and recovering information about the original environment. Our tool, AROMA, obtains this critical information from the artifact repository through several heuristics, and we use the results for reproduction attempts of packages. Overall, our approach achieves an accuracy of up to 99.5% compared field-by-field with the existing approach. In some instances, it even detected flaws in the manually maintained list, such as broken links. We reveal that automatic reproduction is feasible for 23.4% of packages using our tool, and 8% are fully reproducible. We demonstrate the ability to successfully reproduce new packages and have contributed them to the repository. Additionally, we highlight actionable insights, outline future work in this area, and make our dataset available to the public.

Language: English

Research Directions in Software Supply Chain Security (Open Access)
Laurie Williams, Giacomo Benedetti, Sivana Hamer et al.

ACM Transactions on Software Engineering and Methodology, Journal Year: 2025, Volume and Issue: unknown

Published: Jan. 27, 2025

Reusable software libraries, frameworks, and components, such as those provided by open-source ecosystems and third-party suppliers, accelerate digital innovation. However, recent years have shown an almost exponential growth in attackers leveraging these artifacts to launch supply chain attacks. Past well-known attacks include the SolarWinds, log4j, and xz utils incidents. Supply chain attacks are considered to have three major attack vectors: through vulnerabilities and malware accidentally or intentionally injected into dependencies/components/containers; infiltrating build infrastructure during build and deployment processes; and targeted techniques aimed at the humans involved in development, such as social engineering. Plummeting trust could decelerate innovation if industry reduces its use of these artifacts to reduce risks. This paper contains perspectives and knowledge obtained from intentional outreach with practitioners to understand their practical challenges, and from extensive research efforts. We then provide an overview of current efforts to secure the supply chain. Finally, we propose a future agenda to close the attack vectors and support industry.

Language: English

Citations: 2

An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead
Boming Xia, Tingting Bi, Zhenchang Xing et al.

Published: May 1, 2023

The rapid growth of software supply chain attacks has attracted considerable attention to the software bill of materials (SBOM). SBOMs are a crucial building block to ensure the transparency of software supply chains, which helps improve security. Although there are significant efforts from academia and industry to facilitate SBOM development, it is still unclear how practitioners perceive SBOMs and what challenges they face in adopting them in practice. Furthermore, existing SBOM-related studies tend to be ad hoc and lack software engineering focuses. To bridge this gap, we conducted the first empirical study to interview and survey practitioners. We applied a mixed qualitative and quantitative method, gathering data from 17 interviewees and 65 survey respondents from 15 countries across five continents to understand the field. We summarized 26 statements and grouped them into three topics on SBOM's states. Based on the results, we derived a goal model and highlighted future directions where practitioners can put their effort.

Language: English

Citations: 38

It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security
Marcel Fourné, Dominik Wermke, William Enck et al.

2022 IEEE Symposium on Security and Privacy (SP), Journal Year: 2023, Volume and Issue: unknown, P. 1527 - 1544

Published: May 1, 2023

The 2020 Solarwinds attack was a tipping point that caused heightened awareness about the security of the software supply chain and, in particular, the large amount of trust placed in build systems. Reproducible Builds (R-Bs) provide a strong foundation for defenses against arbitrary attacks on build systems by ensuring that, given the same source code, environment, and instructions, bitwise-identical artifacts are created. Unfortunately, much of the industry believes R-Bs are too far out of reach for most projects. The goal of this paper is to help identify a path for R-Bs to become a commonplace property. To this end, we conducted a series of 24 semi-structured expert interviews with participants from the Reproducible-Builds.org project, finding that self-effective work by highly motivated developers and collaborative communication with upstream projects are key contributors to R-Bs. We identified a range of motivations that can encourage open source projects to strive for R-Bs, including indicators of quality, security benefits, and more efficient caching of artifacts. We also identify experiences that hinder adoption, which often revolve around …, and conclude with recommendations on how to better integrate R-B efforts with the free software community.

Language: English

Citations: 10

On business adoption and use of reproducible builds for open and closed source software (Creative Commons)
Simon Butler, Jonas Gamalielsson, Björn Lundell et al.

Software Quality Journal, Journal Year: 2022, Volume and Issue: 31(3), P. 687 - 719

Published: Nov. 29, 2022

Abstract: Reproducible builds (R-Bs) are software engineering practices that reliably create bit-for-bit identical binary executable files from specified source code. R-Bs are applied in some open source software (OSS) projects and distributions to allow verification that the distributed binary has been built from the released source. The use of R-Bs has been advocated for the maintenance and development of OSS security applications. Nonetheless, industry application appears limited, and we seek to understand whether awareness is low or whether significant technical and business reasons prevent wider adoption. Through interviews with practitioners and managers, this study explores the utility of applying R-Bs in businesses in the primary and secondary software sectors. We find that in safety-critical domains, R-Bs are valuable for traceability and support collaborative development. We also found R-Bs valued as processes seen as a badge of quality, but without a tangible value proposition. There is good potential in industrial development: the principle of establishing a correspondence between source code and binaries offers further opportunities.

Language: English

Citations: 7

Options Matter: Documenting and Fixing Non-Reproducible Builds in Highly-Configurable Systems
Georges Aaron Randrianaina, Djamel Eddine Khelladi, Olivier Zendra et al.

Published: April 15, 2024

Language: English

Citations: 1

Debugging Unreproducible Builds using eBPF
V. K. Yadav, Himanshu

Published: June 5, 2024

Language: English

Citations: 0

Detecting Build Dependency Errors in Incremental Builds
Jun Lyu, Shanshan Li, He Zhang et al.

Published: Sept. 11, 2024

Citations: 0
