The increasing complexity of modern software systems has intensified reliance on third-party and open-source components, expanding the Software Supply Chain (SSC) and its vulnerability to attacks. Ensuring transparency in the Software Supply Chain is essential to assessing security risks and responding to incidents. The Software Bill of Materials (SBOM) has emerged as a fundamental tool to list all components of a software product and support vulnerability assessment. However, current SBOM generation tools often produce incomplete or inaccurate outputs, especially in ecosystems like Python, where the lack of standardized metadata formats and dependency specifications hinders correctness and completeness. Moreover, most SBOM generation approaches operate statically, which leads to missing runtime dependency information. This information is fundamental to determining the actual usage of dependencies included in the software. This poses a limitation in security management tasks: it makes maintainers waste time assessing unreachable dependencies, delaying responses to real security issues. This Thesis advances Software Supply Chain transparency in both static and dynamic contexts through two main contributions. First, it presents a systematic evaluation of SBOM generation tools in the Python ecosystem, identifying ecosystem and tool-related issues that degrade SBOM quality and consequently affect vulnerability assessment. Building on these findings, it introduces PIP-SBOM, a solution based on the pip package installer that achieves higher precision than the best existing tool. Second, it proposes a novel approach for runtime dependency introspection in Java, Classport, which embeds dependency metadata into binaries and retrieves it at runtime with negligible performance overhead.
Evaluations on real-world projects demonstrate the feasibility, accuracy, and efficiency of the proposed approaches, providing actionable insights and novel techniques to enhance Software Supply Chain transparency and security in both build-time and runtime scenarios.
Transparent Dependencies: Improving Software Supply Chain Visibility at Build Time and Runtime / Cofano, S.. - (2026 Mar 27). [10.13118/serena-cofano_phd2026-03-27]
Transparent Dependencies: Improving Software Supply Chain Visibility at Build Time and Runtime
Serena Cofano
2026
| File | Size | Format | |
|---|---|---|---|
| Cofano-phdthesis.pdf (open access; Type: Doctoral thesis; License: Creative Commons) | 558.21 kB | Adobe PDF | View/Open |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.