Almost two-thirds (61%) of U.S. businesses were directly impacted by a software supply chain attack in the 12-month period ending in April 2023
— Gartner® Report on Software Supply Chain Security

BELIEVING

“Free and Open Source Software (FOSS) constitutes 70-90% of any given piece of modern software solutions.” -- OpenSSF (2022)

Developers are challenged with several conflicting priorities, so security is not always top of mind.

Seventy percent of security and IT leaders believe that software supply chain attacks are their biggest security blind spot. -- Venafi

As Sonatype dissects the intricacies of open source adoption and consumption, they validate a frustrating truth—development practices remain rife with inconsistency. When choices are made poorly, this inconsistency translates into increased risk, discontent among developers and, perhaps most significantly, a loss of both time and money. This year Sonatype found:

  • 1 in 8 open source downloads have known risk.
  • 245,000 malicious packages discovered — 2X all previous years combined.
  • 18.6% of open source projects across Java and JavaScript that were maintained in 2022 are no longer maintained today.
  • 96% of vulnerable downloaded releases had a fixed version available.
  • 10 superior versions of components are typically available for every nonoptimal component upgrade made.


Let's build a trusted digital society together.

Leveraging Software Heritage to Enhance Cybersecurity

Towards an infrastructure for large-scale software security

Our objective is to explore several of the new possibilities offered by the availability of Software Heritage to blend together the “vertical” and “horizontal” approaches to software supply chain security.

Software Heritage

Extend and improve the SWH infrastructure with functionality that supports its interaction with tools for vulnerability detection.

Software security analysis at scale

Identification of vulnerabilities in a project

Tracing impact of vulnerabilities

Identification of dependencies in order to identify risks and manage the impact of change

Open source developer assistance

Automatic correction of vulnerabilities

Some publications on the topic

We found them relevant to read

P. Ladisa, S. Ponta, A. Sabetta, M. Martinez and O. Barais. "Journey to the Center of Software Supply Chain Attacks." IEEE Security & Privacy, vol. 21, no. 6, pp. 34-49, 2023. doi: 10.1109/MSEC.2023.3302066

Chris Lamb and Stefano Zacchiroli. "Reproducible Builds: Increasing the Integrity of Software Supply Chains." IEEE Software, vol. 39, no. 2, pp. 62-70. IEEE Computer Society, 2022. ISSN 0740-7459.

Roberto Di Cosmo and Stefano Zacchiroli. "The Software Heritage Open Science Ecosystem." Springer International Publishing, Cham, 2023, pp. 33-61.

Roberto Di Cosmo. "Construire le pilier logiciel de la Science Ouverte." In Open Science European Conference (OSEC 2022), pp. 183-193. OpenEdition Press, 2022.

J. Lawall and G. Muller. "Coccinelle: 10 Years of Automated Evolution in the Linux Kernel." 2018 USENIX Annual Technical Conference (USENIX ATC 18), pp. 601-614.

R. Monat, A. Ouadjaout and A. Miné. "Static Type Analysis by Abstract Interpretation of Python Programs." 34th European Conference on Object-Oriented Programming (ECOOP 2020), 2020.

Quentin Le Dilavrec, Djamel Eddine Khelladi, Arnaud Blouin and Jean-Marc Jézéquel. "HyperAST: Enabling Efficient Analysis of Software Histories at Scale." Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, 2022.

Quentin Le Dilavrec, Djamel Eddine Khelladi, Arnaud Blouin and Jean-Marc Jézéquel. "HyperDiff: Computing Source Code Diffs at Scale." Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2023.