Papers
Topics
Authors
Recent
Detailed Answer
Quick Answer
Concise responses based on abstracts only
Detailed Answer
Well-researched responses based on abstracts and relevant paper content.
Custom Instructions Pro
Preferences or requirements that you'd like Emergent Mind to consider when generating responses
Gemini 2.5 Flash
Gemini 2.5 Flash 44 tok/s
Gemini 2.5 Pro 41 tok/s Pro
GPT-5 Medium 13 tok/s Pro
GPT-5 High 15 tok/s Pro
GPT-4o 86 tok/s Pro
Kimi K2 208 tok/s Pro
GPT OSS 120B 447 tok/s Pro
Claude Sonnet 4 36 tok/s Pro
2000 character limit reached

The Code the World Depends On: A First Look at Technology Makers' Open Source Software Dependencies (2404.11763v1)

Published 17 Apr 2024 in cs.SE and cs.CR

Abstract: Open-source software (OSS) supply chain security has become a topic of concern for organizations. Patching an OSS vulnerability can require updating other dependent software products in addition to the original package. However, the landscape of OSS dependencies is not well explored: we do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed. There is thus a need to understand OSS usage in major software and device makers' products. Our work takes a first step toward closing this knowledge gap. We investigate published OSS dependency information for 108 major software and device makers, cataloging how available and how detailed this information is and identifying the OSS packages that appear the most frequently in our data.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (9)
  1. Cybersecurity & Infrastructure Security Agency (CISA). Software bill of materials (SBOM). https://www.cisa.gov/sbom, 2024.
  2. Cyber Safety Review Board. Review of the December 2021 log4j event. https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf, 2022.
  3. Software identification ecosystem option analysis. https://www.cisa.gov/sites/default/files/2023-10/Software-Identification-Ecosystem-Option-Analysis-508c.pdf, 2023.
  4. Open Source Security Foundation. OpenSSF responds to the CISA RFC on software identification ecosystem analysis. https://openssf.org/blog/2023/12/11/openssf-responds-to-the-cisa-rfc-on-software-identification-ecosystem-analysis/, 2023.
  5. Sonatype. State of the software supply chain. https://www.sonatype.com/hubfs/2023%20Sonatype-%209th%20Annual%20State%20of%20the%20Software%20Supply%20Chain-%20Update.pdf, 2023.
  6. Boms away! inside the minds of stakeholders: A comprehensive study of bills of materials for software systems. In International Conference on Software Engineering (ICSE), pages 1–13, 2024.
  7. Software bill of materials (SBOM) sharing lifecycle report. https://www.osti.gov/biblio/1969133, 2023.
  8. Jai Vijayan. Why log4j mitigation is fraught with challenges. https://www.darkreading.com/application-security/why-log4j-mitigation-is-fraught-with-challenges, 2021.
  9. An empirical study on software bill of materials: Where we stand and the road ahead. In International Conference on Software Engineering (ICSE), pages 2630–2642. IEEE, 2023.

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
List To Do Tasks Checklist Streamline Icon: https://streamlinehq.com

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up
Lightbulb On Streamline Icon: https://streamlinehq.com

Continue Learning

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets