Description
With the number of software supply chain attacks increasing drastically, Software
Bills of Materials (SBOMs) have been proposed to mitigate the impact by providing
transparency in the dependency composition of software. They, however, are static
artifacts that capture only a momentary state, without any historical information,
which is often necessary for incident response. As modern software is characterized by
agile methods and frequent updates, these inventories are often outdated in practice,
hindering effective vulnerability management. To address this limitation, this thesis
presents the design and implementation of a specialized SBOM Version Control System
(SBOM-VCS) prototype that coexists with traditional source code versioning systems.
Core functionality includes tracking the evolution of dependencies, comparing them
across project versions, and locating their occurrences, all while using SBOMs as the
underlying data source. The evaluation showed the viability of the proposed semantic,
set-theoretic approach over a textual one and highlighted its superiority. This
work establishes a proof-of-concept for overcoming the temporal shortcomings of
SBOMs and lays out the groundwork for dynamic SBOM management, treating them
as queryable assets for security operations rather than just compliance documents.
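The set-theoretic comparison the abstract contrasts with textual diffing, as an added example that is not the thesis's SBOM-VCS prototype or its code. It reduces constructed CycloneDX-style SBOM snapshots to a map of package identity (purl without version) to version, computes added/removed/changed sets between two project versions, counts how many `+`/`-` lines a line-oriented diff reports for the same change (reordering alone inflates it), and answers the incident-response question of which snapshots contained a given package. The helper names (`make_sbom`, `component_map`, `semantic_diff`, `textual_diff_line_count`, `locate`) and the sample packages and tags are assumptions of this example.

```python
"""Semantic (set-theoretic) SBOM comparison versus textual diff.

Added illustration, not the thesis's prototype. SBOM documents are constructed
CycloneDX-style samples; all helper names are assumptions of this example.
"""
import difflib
import json


def make_sbom(components):
    """Build a minimal CycloneDX-style JSON document from (name, version) pairs.
    Constructed sample data; purls assume the npm ecosystem."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"name": n, "version": v, "purl": f"pkg:npm/{n}@{v}"} for n, v in components
        ],
    }, indent=2)


# Three snapshots of one project, keyed by the source-control tag they belong to
# (constructed). v2.0 reorders the list, bumps lodash, drops minimist, adds helmet.
HISTORY = {
    "v1.0": make_sbom([("lodash", "4.17.20"), ("express", "4.18.2"), ("minimist", "1.2.5")]),
    "v1.1": make_sbom([("lodash", "4.17.20"), ("express", "4.18.2"), ("minimist", "1.2.6")]),
    "v2.0": make_sbom([("express", "4.18.2"), ("lodash", "4.17.21"), ("helmet", "7.1.0")]),
}


def component_map(sbom_json):
    """Reduce an SBOM to its semantic content: {versionless purl: version}."""
    doc = json.loads(sbom_json)
    result = {}
    for comp in doc.get("components", []):
        ident, _, version = comp["purl"].rpartition("@")
        result[ident] = version
    return result


def semantic_diff(old_json, new_json):
    """Set-theoretic comparison: which packages were added, removed or changed."""
    old, new = component_map(old_json), component_map(new_json)
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": {k: (old[k], new[k]) for k in sorted(common) if old[k] != new[k]},
        "unchanged": sorted(k for k in common if old[k] == new[k]),
    }


def textual_diff_line_count(old_json, new_json):
    """Number of +/- lines a line-oriented diff reports for the same change.
    Reordering and serialization noise inflate this, which is the point."""
    hunk = difflib.unified_diff(old_json.splitlines(), new_json.splitlines(),
                                lineterm="", n=0)
    return sum(1 for line in hunk
               if line.startswith(("+", "-")) and not line.startswith(("+++", "---")))


def locate(history, ident, version=None):
    """Incident-response query: which snapshots contain a package
    (optionally only at one specific version)?"""
    hits = []
    for tag, sbom_json in history.items():
        comps = component_map(sbom_json)
        if ident in comps and (version is None or comps[ident] == version):
            hits.append(tag)
    return hits


if __name__ == "__main__":
    print(semantic_diff(HISTORY["v1.0"], HISTORY["v2.0"]))
    print("textual +/- lines:", textual_diff_line_count(HISTORY["v1.0"], HISTORY["v2.0"]))
    print("snapshots with minimist:", locate(HISTORY, "pkg:npm/minimist"))
```

The semantic diff reports exactly three events (one package added, one removed, one version bump), whereas the textual diff of the same two documents reports ten or more changed lines because the reordered `express` entry and the JSON layout are counted as changes. `locate` is the kind of query the abstract has in mind when it calls SBOMs queryable assets: it answers "which released versions shipped this package" from the stored history rather than from a single current inventory.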