Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub
- URL: http://arxiv.org/abs/2503.13998v1
- Date: Tue, 18 Mar 2025 08:04:22 GMT
- Title: Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub
- Authors: Davide Fucci, Massimiliano Di Penta, Simone Romano, Giuseppe Scanniello
- Abstract summary: This paper reports the results of a preliminary study in which we augmented SBOMs of 40 open-source projects with information about Common Vulnerabilities and Exposures. Our augmented SBOMs have been evaluated by submitting pull requests and by asking project owners to answer a survey. Although, in most cases, augmented SBOMs were not directly accepted because owners required a continuous SBOM update, the received feedback shows the usefulness of the suggested SBOM augmentation.
- Score: 8.727176816793179
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Software Bills of Materials (SBOMs) are becoming a consolidated way, often enforced by governmental regulations, to describe software composition. However, based on recent studies, SBOMs suffer from limited support for their consumption and lack information beyond simple dependencies, especially regarding software vulnerabilities. This paper reports the results of a preliminary study in which we augmented SBOMs of 40 open-source projects with information about Common Vulnerabilities and Exposures (CVE) exposed by project dependencies. Our augmented SBOMs have been evaluated by submitting pull requests and by asking project owners to answer a survey. Although, in most cases, augmented SBOMs were not directly accepted because owners required a continuous SBOM update, the received feedback shows the usefulness of the suggested SBOM augmentation.
Related papers
- Retrieval-Augmented Generation with Conflicting Evidence [57.66282463340297]
Large language model (LLM) agents are increasingly employing retrieval-augmented generation (RAG) to improve the factuality of their responses.
In practice, these systems often need to handle ambiguous user queries and potentially conflicting information from multiple sources.
We propose RAMDocs (Retrieval with Ambiguity and Misinformation in Documents), a new dataset that simulates complex and realistic scenarios for conflicting evidence for a user query.
arXiv Detail & Related papers (2025-04-17T16:46:11Z)
- A Dataset of Software Bill of Materials for Evaluating SBOM Consumption Tools [6.081142345739704]
A Software Bill of Materials (SBOM) is a list of components used in software.
Numerous tools support software dependency management through SBOMs.
There is no publicly available dataset specifically designed for this purpose.
We present a dataset of SBOMs generated from real-world Java projects.
arXiv Detail & Related papers (2025-04-09T13:35:02Z)
- Wild SBOMs: a Large-scale Dataset of Software Bills of Materials from Public Code [4.1920378271058425]
Developers gain productivity by reusing readily available Free and Open Source Software (FOSS) components.
One approach to handle those difficulties is to use Software Bills of Materials (SBOMs).
A large scale study on SBOM practices based on SBOM files produced in the wild is still lacking.
arXiv Detail & Related papers (2025-03-19T09:20:28Z)
- Fostering Appropriate Reliance on Large Language Models: The Role of Explanations, Sources, and Inconsistencies [66.30619782227173]
Large language models (LLMs) can produce erroneous responses that sound fluent and convincing.
We identify several features of LLM responses that shape users' reliance.
We find that explanations increase reliance on both correct and incorrect responses.
We observe less reliance on incorrect responses when sources are provided or when explanations exhibit inconsistencies.
arXiv Detail & Related papers (2025-02-12T16:35:41Z)
- SBOM Challenges for Developers: From Analysis of Stack Overflow Questions [2.1122022139737426]
The proportion of resolved questions about SBOM use is 15.0%, which is extremely low. The number of new questions has increased steadily from 2020 to 2023. SBOM users have three major challenges on SBOM tools.
arXiv Detail & Related papers (2025-02-06T11:08:29Z)
- Supply Chain Insecurity: The Lack of Integrity Protection in SBOM Solutions [0.0]
The Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security. Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States. This work presents an in-depth and systematic investigation into the integrity of SBOMs.
arXiv Detail & Related papers (2024-12-06T15:52:12Z)
- An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries [52.23798016734889]
This article provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries.
The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges.
arXiv Detail & Related papers (2024-09-27T16:20:20Z)
- The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z)
- UniRAG: Universal Retrieval Augmentation for Large Vision Language Models [76.30799731147589]
We introduce UniRAG, a plug-and-play technique that adds relevant retrieved information to prompts as few-shot examples during inference. Unlike the common belief that Retrieval Augmentation (RA) mainly improves generation or understanding of uncommon entities, our evaluation results on the MSCOCO dataset with common entities show that both proprietary models and smaller open-source models significantly enhance their generation quality.
arXiv Detail & Related papers (2024-05-16T17:58:45Z)
- BOMs Away! Inside the Minds of Stakeholders: A Comprehensive Study of Bills of Materials for Software Systems [11.719062411327952]
Software Bills of Materials (SBOMs) have emerged as tools to facilitate the management of software dependencies, vulnerabilities, licenses, and the supply chain.
Recent studies have shown that SBOMs are still an early technology not yet adequately adopted in practice.
We identify 12 major challenges facing the creation and use of SBOMs, including those related to the SBOM content, deficiencies in SBOM tools, SBOM maintenance and verification, and domain-specific challenges.
arXiv Detail & Related papers (2023-09-21T16:11:00Z)
- On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)
- SAIS: Supervising and Augmenting Intermediate Steps for Document-Level Relation Extraction [51.27558374091491]
We propose to explicitly teach the model to capture relevant contexts and entity types by supervising and augmenting intermediate steps (SAIS) for relation extraction.
Based on a broad spectrum of carefully designed tasks, our proposed SAIS method not only extracts relations of better quality due to more effective supervision, but also retrieves the corresponding supporting evidence more accurately.
arXiv Detail & Related papers (2021-09-24T17:37:35Z)
This list is automatically generated from the titles and abstracts of the papers in this site.