1 of 24

Benoit Baudry :: baudry@kth.se

OPPORTUNITIES FOR BUILDING ROBUST SOFTWARE SUPPLY CHAINS

2 of 24

Software supply chain

  • For all companies: the suppliers of all IT products in their ecosystem
  • For software companies: the suppliers of tools, libraries and packages to build a software application

3 of 24

Software Development

4 of 24

Software Supply Chain

9 of 24

  • event-stream
  • SolarWinds’ Orion
  • Kaseya’s VSA
  • Disturb once, affect millions of customers / users

10 of 24

Software Supply Chain

11 of 24

Robust Software Supply Chain

  • Dependency management
  • Secure the development pipeline

12 of 24

SBOM

  • The software bill of materials
    • Lists the elements of the supply chain
    • Name, version, hash
  • SBOM formats: CycloneDX, SPDX
  • SBOM extractors specific to a language
  • SBOM used to document, reproduce, scan for vulnerabilities

13 of 24

Software Suppliers

14 of 24

Debloat dependencies

15 of 24

Example: Spoon library

  • Open source library for code analysis, 75 dependencies
  • https://github.com/INRIA/spoon

16 of 24

Example: Spoon library

  • Maven excludes 31 redundant dependencies
  • https://github.com/INRIA/spoon

17 of 24

Example: Spoon library

  • DepClean detects 13 bloated dependencies
  • https://github.com/INRIA/spoon

18 of 24

Debloated Spoon library

              JAR Size (MB)   #Classes
  Before      16.2            7 425
  After       12.7            5 593
  Reduction   27.6%           24.7%

19 of 24

DepClean

  • Detect and report bloated dependencies
    • In the context of an artifact
    • On the whole dependency tree
  • Automatic generation of a debloated pom.xml file
  • Open source

20 of 24

Bloated dependencies

  • Bloated dependencies matter for maintenance and security

21 of 24

More Hardening Techniques

  • Software composition analysis
    • Renovate
    • OWASP Dependency-Check
  • Reproducible builds
  • Runtime SBOM and integrity checks
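
As an added example (not code from the slides or from the CHAINS project), the SBOM slide's name/version/hash triple and the "runtime SBOM and integrity checks" item above, worked in Python: build a CycloneDX-shaped SBOM at build time, then diff the artifacts actually deployed against it. The coordinates and jar bytes are constructed, and the JSON only loosely follows the CycloneDX 1.4 component schema (a real SBOM carries more fields).

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sbom(artifacts: dict) -> dict:
    """artifacts: {(group, name, version): jar_bytes} -> CycloneDX-shaped SBOM.
    Each component carries the three fields the slides name: name, version, hash."""
    components = []
    for (group, name, version), content in sorted(artifacts.items()):
        components.append({
            "type": "library",
            "group": group,
            "name": name,
            "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(content)}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}

def verify_against_sbom(sbom: dict, deployed: dict) -> dict:
    """Integrity check: compare the artifacts present at deploy/run time with the
    SBOM produced at build time and report three kinds of drift."""
    expected = {c["purl"]: c["hashes"][0]["content"] for c in sbom["components"]}
    findings = {"tampered": [], "unlisted": [], "missing": []}
    seen = set()
    for (group, name, version), content in deployed.items():
        purl = f"pkg:maven/{group}/{name}@{version}"
        seen.add(purl)
        if purl not in expected:
            findings["unlisted"].append(purl)      # component the SBOM never documented
        elif expected[purl] != sha256_hex(content):
            findings["tampered"].append(purl)      # same coordinates, different bytes
    findings["missing"] = sorted(set(expected) - seen)  # documented but absent
    return findings

# Constructed sample jars (hypothetical coordinates, a few bytes each, not real artifacts).
BUILD_TIME = {
    ("com.example", "parser", "1.2.0"): b"parser-1.2.0 jar bytes",
    ("com.example", "logging", "4.0.1"): b"logging-4.0.1 jar bytes",
}
SBOM = build_sbom(BUILD_TIME)
DEPLOYED = {
    ("com.example", "parser", "1.2.0"): b"parser-1.2.0 jar bytes",
    ("com.example", "logging", "4.0.1"): b"logging-4.0.1 jar bytes, patched in place",
    ("com.example", "extra", "0.9"): b"jar that never went through the build",
}
FINDINGS = verify_against_sbom(SBOM, DEPLOYED)
```

With the constructed inputs, FINDINGS flags the modified logging jar as tampered and the extra jar as unlisted; the same check run on BUILD_TIME itself reports nothing.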

22 of 24

Future research

  • Diversity in the supply chain
    • Increase the diversity of software suppliers
    • Diversify continuous integration
  • Software integrity
    • Dependency update
    • Runtime sense of self

23 of 24

SSF CHAINS

  • Consistent Hardening and Analysis of Software Supply Chains
  • chains.proj.kth.se

24 of 24

References

  • A Longitudinal Analysis of Bloated Java Dependencies (C. Soto-Valero, T. Durieux, B. Baudry). ESEC/FSE, 2021.
  • A Comprehensive Study of Bloated Dependencies in the Maven Ecosystem (C. Soto-Valero, N. Harrand, M. Monperrus, B. Baudry). Empirical Software Engineering, 26, 2021.
  • Software Reuse (C. W. Krueger). ACM Comput. Surv., 24(2), 1992.
  • The Evolution of Java Build Systems (S. McIntosh, B. Adams, A. E. Hassan). Empirical Software Engineering, 17(4), 2012.
  • Slimium: Debloating the Chromium Browser with Feature Subsetting (C. Qian, H. Koo, C. Seok Oh, T. Kim, W. Lee). CCS, 2020.