Augmenting Software Bills of Materials with Software Vulnerability Description : A Preliminary Study on GitHub

Fucci, Davide; Di Penta, Massimiliano; Romano, Simone; Scanniello, Giuseppe

diva-portal.org

Digitala Vetenskapliga Arkivet

Enkel sökning

Avancerad sökning -
Forskningspublikationer Avancerad sökning -
Studentuppsatser Statistik

English Svenska Norsk

Ändra sökning

Referera ExporteraLänk till posten

Permanent länk

https://urn.kb.se/resolve?urn=urn:nbn:se:bth-28600

Direktlänk

https://www.diva-portal.org/smash/record.jsf?pid=diva2:1995498

Referera

Referensformat

apa
ieee
modern-language-association-8th-edition
vancouver
Annat format

Fler format

Språk

de-DE
en-GB
en-US
fi-FI
nn-NO
nn-NB
sv-SE
Annat språk

Fler språk

Utmatningsformat

html
text
asciidoc
rtf

Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub

Fucci, Davide

Blekinge Tekniska Högskola, Fakulteten för datavetenskaper, Institutionen för programvaruteknik.ORCID-id: 0000-0002-0679-4361

Di Penta, Massimiliano

University of Sannio, Italy.ORCID-id: 0000-0002-0340-9747

Romano, Simone

University of Salerno, Salerno, Italy.ORCID-id: 0000-0003-4880-3622

Scanniello, Giuseppe

University of Salerno, Salerno, Italy.ORCID-id: 0000-0003-0024-7508

2025 (Engelska)Ingår i: FSE Companion '25: Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering / [ed] Li, J, Association for Computing Machinery (ACM), 2025, s. 631-635Konferensbidrag, Publicerat paper (Refereegranskat)

Abstract [en]

Software Bills of Material (SBOMs) are becoming a consolidated-and often enforced by governmental regulations-way to describe software composition. However, based on recent studies, SBOMs suffer from limited support for their consumption and lack information beyond simple dependencies, especially regarding software vulnerabilities. This paper reports the results of a preliminary study in which we augmented SBOMs of 40 open-source projects with information about Common Vulnerabilities and Exposures (CVE) exposed by project dependencies. Our augmented SBOMs have been evaluated by submitting pull requests and by asking project owners to answer a survey. Although, in most cases, augmented SBOMs were not directly accepted because owners required a continuous SBOM update, the received feedback shows the usefulness of the suggested SBOM augmentation.

Ort, förlag, år, upplaga, sidor

Association for Computing Machinery (ACM), 2025. s. 631-635

Nyckelord [en]

SBOM, Software repositories, VEX, Vulnerabilities management

Nationell ämneskategori

Programvaruteknik

Identifikatorer

URN: urn:nbn:se:bth-28600DOI: 10.1145/3696630.3728513ISI: 001593214400070Scopus ID: 2-s2.0-105013970463ISBN: 9798400712760 (tryckt)OAI: oai:DiVA.org:bth-28600DiVA, id: diva2:1995498

Konferens

33rd ACM International Conference on the Foundations of Software Engineering, FSE Companion 2025, Trondheim, June 23-27, 2025

Ingår i projekt

SERT- Software Engineering ReThought, KK-stiftelsen SESAM – Secure Software Engineering Through Sensible AutoMation, KK-stiftelsen

Forskningsfinansiär

KK-stiftelsen, 20230087KK-stiftelsen, 20180010Tillgänglig från: 2025-09-05 Skapad: 2025-09-05 Senast uppdaterad: 2025-12-15Bibliografiskt granskad

Open Access i DiVA

fulltext(510 kB)

29 nedladdningar

Filinformation

Filnamn FULLTEXT01.pdfFilstorlek 510 kBChecksumma SHA-512

30be54297d810541cabc7fcbb50d436b547b671b19e9f7c33c8b3fe6c14e2bd052d9992c5a298c0e4dafac5e3287d26c77b6cce786c7b7d6d97a5e9d826daf60

Typ fulltextMimetyp application/pdf

Övriga länkar

Förlagets fulltext Open Access

Scopus

Sök vidare i DiVA

Totalt: 29 nedladdningar

Antalet nedladdningar är summan av nedladdningar för alla fulltexter. Det kan inkludera t.ex tidigare versioner som nu inte längre är tillgängliga.

doi

isbn

urn-nbn

Totalt: 972 träffar