Package Dashboard: A Cross-Ecosystem Framework for Dual-Perspective Analysis of Software Packages
- URL: http://arxiv.org/abs/2512.01630v1
- Date: Mon, 01 Dec 2025 12:52:03 GMT
- Title: Package Dashboard: A Cross-Ecosystem Framework for Dual-Perspective Analysis of Software Packages
- Authors: Ziheng Liu, Runzhi He, Minghui Zhou
- Abstract summary: Package Dashboard is a cross-ecosystem framework that provides a unified platform for supply chain analysis. By combining dependency resolution with repository analysis, it reduces cognitive load and improves traceability.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Software supply chain attacks have revealed blind spots in existing SCA tools, which are often limited to a single ecosystem and assess either software artifacts or community activity in isolation. This fragmentation across tools and ecosystems forces developers to manually reconcile scattered data, undermining risk assessments. We present Package Dashboard, a cross-ecosystem framework that provides a unified platform for supply chain analysis, enabling a holistic, dual-perspective risk assessment by integrating package metadata, vulnerability information, and upstream community health metrics. By combining dependency resolution with repository analysis, it reduces cognitive load and improves traceability. Demonstrating the framework's versatility, a large-scale study of 374,000 packages across five Linux distributions shows its ability to uncover not only conventional vulnerabilities and license conflicts but also overlooked risks such as archived or inaccessible repositories. Ultimately, Package Dashboard provides a unified view of risk, equipping developers and DevSecOps engineers with actionable insights to strengthen the transparency, trustworthiness, and traceability of open-source ecosystems. Package Dashboard is publicly available at https://github.com/n19htfall/PackageDashboard, and a demonstration video can be found at https://youtu.be/y9ncftP8KPQ. In addition, the online version is available at https://pkgdash.osslab-pku.org.
Related papers
- Why Authors and Maintainers Link (or Don't Link) Their PyPI Libraries to Code Repositories and Donation Platforms
  Metadata of libraries on the Python Package Index (PyPI) plays a critical role in supporting the transparency, trust, and sustainability of open-source libraries. This paper presents a large-scale empirical study combining two targeted surveys sent to 50,000 PyPI authors and maintainers. We analyze more than 1,400 responses using large language model (LLM)-based topic modeling to uncover key motivations and barriers related to linking repositories and donation platforms.
  arXiv Detail & Related papers (2026-01-21T16:13:57Z)
- A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM
  A Software Bill of Materials (SBOM) is a machine-readable artifact that organizes software information. Following standards, organizations have developed tools for generating and utilizing SBOMs. This paper presents the first large-scale, two-stage empirical analysis of the adherence gap, using our automated evaluation framework, SAP.
  arXiv Detail & Related papers (2026-01-09T08:26:05Z)
- Automated SBOM-Driven Vulnerability Triage for IoT Firmware: A Lightweight Pipeline for Risk Prioritization
  This paper presents a lightweight, automated pipeline designed to extract file systems from Linux-based IoT firmware. It generates a comprehensive Software Bill of Materials, maps identified components to known vulnerabilities, and applies a multi-factor triage scoring model. We describe the architecture, the normalization challenges of embedded Linux, and a scoring methodology intended to reduce alert fatigue.
  arXiv Detail & Related papers (2026-01-04T00:09:01Z)
- UniBOM -- A Unified SBOM Analysis and Visualisation Tool for IoT Systems and Beyond
  This paper introduces UniBOM, an advanced tool for Software Bill of Materials generation, analysis, and visualisation. UniBOM integrates binary, vulnerability, and source code analysis, enabling fine-grained vulnerability detection and risk management. Key features include historical tracking, AI-based classification by severity and memory safety, and support for non-package-managed C/C++ dependencies.
  arXiv Detail & Related papers (2025-11-27T11:50:58Z)
- An LLM-based Quantitative Framework for Evaluating High-Stealthy Backdoor Risks in OSS Supply Chains
  The open-source software supply chain contributes to efficient and convenient engineering practices. Lack of maintenance for underlying dependencies and insufficient community auditing create challenges in ensuring source code security. We propose a fine-grained project evaluation framework for backdoor risk assessment in open-source software.
  arXiv Detail & Related papers (2025-11-17T13:10:36Z)
- Integrated Simulation Framework for Adversarial Attacks on Autonomous Vehicles
  This paper introduces a novel, open-source integrated simulation framework designed to generate adversarial attacks targeting both the perception and communication layers of autonomous vehicles (AVs). Our implementation supports diverse perception-level attacks on LiDAR sensor data, along with communication-level threats such as V2X message manipulation and GPS spoofing. We demonstrate the framework's effectiveness by evaluating the impact of generated adversarial scenarios on a state-of-the-art 3D object detector.
  arXiv Detail & Related papers (2025-08-31T20:53:08Z)
- Substation Bill of Materials: A Novel Approach to Managing Supply Chain Cyber-risks on IEC 61850 Digital Substations
  The Substation Bill of Materials (Subs-BOM) is capable of modeling all the intelligent electronic devices (IEDs) in a digital substation (DS) and their relationships from a cybersecurity perspective. Subs-BOM provides energy utilities with an accurate and complete inventory of the devices, the firmware they are running, and the services that are deployed into the DS.
  arXiv Detail & Related papers (2025-03-25T13:28:36Z)
- Tracking Down Software Cluster Bombs: A Current State Analysis of the Free/Libre and Open Source Software (FLOSS) Ecosystem
  This study provides a summary of the current state of available FLOSS package repositories. It addresses the challenge of identifying problematic areas within a software ecosystem. The results indicate that while there are well-maintained projects within the FLOSS ecosystem, there are also high-impact projects that are susceptible to supply chain attacks.
  arXiv Detail & Related papers (2025-02-12T08:57:57Z)
- A Machine Learning-Based Approach For Detecting Malicious PyPI Packages
  In modern software development, the use of external libraries and packages is increasingly prevalent. This reliance on reusing code introduces serious risks for deployed software in the form of malicious packages. We propose a data-driven approach that uses machine learning and static analysis to examine the package's metadata, code, files, and textual characteristics.
  arXiv Detail & Related papers (2024-12-06T18:49:06Z)
- The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach
  The Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
  arXiv Detail & Related papers (2024-09-10T10:12:37Z)
- SPOQchain: Platform for Secure, Scalable, and Privacy-Preserving Supply Chain Tracing and Counterfeit Protection
  This work proposes SPOQchain, a novel blockchain-based platform that provides comprehensive traceability and originality verification. It provides an analysis of privacy and security aspects, demonstrating the need for and suitability of SPOQchain for the future of supply chain tracing.
  arXiv Detail & Related papers (2024-08-30T07:15:43Z)
- Enhancing Supply Chain Visibility with Knowledge Graphs and Large Language Models
  This paper presents a novel framework leveraging Knowledge Graphs (KGs) and Large Language Models (LLMs) to enhance supply chain visibility. Our zero-shot, LLM-driven approach automates the extraction of supply chain information from diverse public sources. With high accuracy in NER and RE tasks, it provides an effective tool for understanding complex, multi-tiered supply networks.
  arXiv Detail & Related papers (2024-08-05T17:11:29Z)
- A Large-scale Fine-grained Analysis of Packages in Open-Source Software Ecosystems
  Malicious packages have less metadata content and utilize fewer static and dynamic functions than legitimate ones. A single dimension of fine-grained information (FGI) is sufficient to distinguish malicious packages from legitimate ones.
  arXiv Detail & Related papers (2024-04-17T15:16:01Z)
- On the Security Blind Spots of Software Composition Analysis
  We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potentially vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of them.
  arXiv Detail & Related papers (2023-06-08T20:14:46Z)