Description
With 97% of shipped software containing open source code, Supply Chain Attacks have gained high attention over the past years. Incidents like the XZ backdoor or the SolarWinds attack show how widespread the potential damage of such an attack can be, but also how difficult it is to protect the open source ecosystem against them. One possible aid against Supply Chain Attacks is the so-called Software Bill of Materials (SBOM), a list of the third-party dependencies of a software project. With big stakeholders like the European Union now adding SBOMs as a tool for cyber security, the question arises how well they can defend against Supply Chain Attacks, both theoretically and practically. This thesis attempts to answer this question in two parts. By providing an overview of SBOMs in theory, we show their theoretical use against Supply Chain Attacks. By developing tooling to analyze different influences on the generation of SBOMs, we present insight into their practical use and into how their usability can be examined further. Our results from an analysis of the Rust ecosystem show that not all SBOMs are generated equally. Factors like the generation tool, the existence of metadata, or the standard used for the SBOM format can have a strong influence on the generated SBOM, leading to varying results for the same repository. We conclude from our analysis that the existence of metadata has the highest influence on the created SBOMs. Based on these preliminary results, we identify both mandatory and optional future work for our tooling to present a comprehensive and detailed analysis of the creation of Software Bills of Materials in the Rust ecosystem.
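The abstract's central observation, that two SBOMs for the same repository can differ in which dependencies they list and in how much metadata each entry carries, is easiest to see by normalizing SBOMs of different formats into one shape and diffing them. The following script is an added illustration, not the thesis's own tooling: it embeds two constructed SBOMs for a hypothetical Rust crate `example-crate`, one in CycloneDX JSON and one in SPDX JSON (as two different generators might emit), reduces each to a map from dependency to the set of metadata fields actually present (purl, license, hash), and reports dependencies present in only one document as well as per-dependency metadata gaps. All crate names, versions and the checksum value are sample data and carry no meaning beyond the example.

```python
"""Normalize two SBOMs (CycloneDX and SPDX JSON) for the same project and diff them."""
import json
from dataclasses import dataclass

# Constructed sample: what a hypothetical generator A might emit in CycloneDX 1.5 form.
CYCLONEDX_DOC = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "example-crate", "version": "0.1.0"}},
  "components": [
    {"type": "library", "name": "serde", "version": "1.0.200",
     "purl": "pkg:cargo/serde@1.0.200", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "rand", "version": "0.8.5", "purl": "pkg:cargo/rand@0.8.5"}
  ]
}
""")

# Constructed sample: what a hypothetical generator B might emit in SPDX 2.3 form.
# The checksum value is a placeholder, not a real digest.
SPDX_DOC = json.loads("""
{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-crate",
  "documentDescribes": ["SPDXRef-Package-example-crate"],
  "packages": [
    {"SPDXID": "SPDXRef-Package-example-crate", "name": "example-crate", "versionInfo": "0.1.0"},
    {"SPDXID": "SPDXRef-Package-serde", "name": "serde", "versionInfo": "1.0.200",
     "licenseConcluded": "MIT",
     "checksums": [{"algorithm": "SHA256", "checksumValue": "0000000000000000000000000000000000000000000000000000000000000000"}],
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:cargo/serde@1.0.200"}]},
    {"SPDXID": "SPDXRef-Package-rand", "name": "rand", "versionInfo": "0.8.5",
     "licenseConcluded": "NOASSERTION"},
    {"SPDXID": "SPDXRef-Package-libc", "name": "libc", "versionInfo": "0.2.155",
     "licenseConcluded": "MIT OR Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:cargo/libc@0.2.155"}]}
  ]
}
""")


@dataclass(frozen=True, order=True)
class Component:
    """A dependency identified by name and version, the common key across formats."""
    name: str
    version: str


def normalize_cyclonedx(doc):
    """Map each CycloneDX component to the set of metadata fields it actually carries."""
    out = {}
    for c in doc.get("components", []):
        fields = set()
        if c.get("purl"):
            fields.add("purl")
        if c.get("licenses"):
            fields.add("license")
        if c.get("hashes"):
            fields.add("hash")
        out[Component(c["name"], c.get("version", ""))] = fields
    return out


def normalize_spdx(doc):
    """Map each SPDX package (excluding the described root) to its present metadata fields."""
    roots = set(doc.get("documentDescribes", []))
    out = {}
    for p in doc.get("packages", []):
        if p.get("SPDXID") in roots:
            continue  # the root package is the project itself, not a dependency
        fields = set()
        if any(r.get("referenceType") == "purl" for r in p.get("externalRefs", [])):
            fields.add("purl")
        lic = p.get("licenseConcluded") or p.get("licenseDeclared")
        if lic and lic != "NOASSERTION":
            fields.add("license")
        if p.get("checksums"):
            fields.add("hash")
        out[Component(p["name"], p.get("versionInfo", ""))] = fields
    return out


def compare_sboms(first, second):
    """Report dependencies unique to either SBOM and metadata gaps between shared ones."""
    shared = first.keys() & second.keys()
    return {
        "only_in_first": sorted(first.keys() - second.keys()),
        "only_in_second": sorted(second.keys() - first.keys()),
        "metadata_differences": {c: sorted(first[c] ^ second[c])
                                 for c in sorted(shared) if first[c] != second[c]},
    }


def missing_field(normalized, field):
    """List the dependencies in one normalized SBOM that lack a given metadata field."""
    return sorted(c for c, fields in normalized.items() if field not in fields)


if __name__ == "__main__":
    a, b = normalize_cyclonedx(CYCLONEDX_DOC), normalize_spdx(SPDX_DOC)
    report = compare_sboms(a, b)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("SPDX packages without purl:", missing_field(b, "purl"))
```

Run as a script, the report shows `libc` only in the SPDX document, `serde` differing only in the presence of a hash, and `rand` carrying a purl in one document but none in the other; the same diff logic applies unchanged to real generator output once the two `json.loads` calls are replaced by reading the files the tools produce.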