TSELab / guac-alytics

A series of tools and resources to better understand the risk profile of open source software ecosystems
Apache License 2.0

Create a table on database used #21

Open SahithiKasim opened 1 year ago

SahithiKasim commented 1 year ago

A literature review of empirical papers studying OSS supply chains, explaining what data is used, i.e., which elements of the supply chain are used.

SahithiKasim commented 11 months ago

Elements of the Supply Chain

| Paper Title | Research Question or Goal | Sample or Dataset Used | Coverage of Supply Chain Elements |
|---|---|---|---|
| Practical Automated Detection of Malicious npm Packages | - Does Amalfi find malicious packages in practice?<br>- Is it accurate enough to be useful?<br>- Is training and classification fast enough to be usable? | 1.7 million packages from the npm public registry | Publish, Identify Bugs |
| Structure and evolution of package dependency networks | - What are the static characteristics of package dependency networks?<br>- How do package dependency networks evolve?<br>- How vulnerable are package dependency networks to the removal of a random project? | Package repositories and GitHub dependencies of npm, RubyGems, and Crates that are published in a central repository and applications | Publish, Identify Bugs |
| On the impact of security vulnerabilities in the npm and RubyGems dependency networks | - How prevalent are disclosed vulnerabilities in npm and RubyGems packages?<br>- How much time elapses until a vulnerability is disclosed?<br>- For how long do packages remain affected by disclosed vulnerabilities?<br>- To what extent are dependents exposed to their vulnerable dependencies?<br>- How are vulnerabilities spread in the dependency tree?<br>- Do exposed dependents upgrade their vulnerable dependencies when a vulnerability fix is released?<br>- To what extent are dependents exposed to their vulnerable dependencies at their release time? | npm and RubyGems packages from libraries.io and external GitHub projects with run-time dependencies present in Snyk.io security reports | Publish, Issue Tracker |
| On the impact of security vulnerabilities in the npm package dependency network | - How many packages are known to be affected by vulnerabilities?<br>- How long do packages remain vulnerable?<br>- When are vulnerabilities discovered?<br>- When are vulnerabilities fixed? | 610k JavaScript packages present in Snyk.io security reports | Publish, Issue Tracker |
| Small World with High Risks: A Study of Security Threats in the npm Ecosystem | The goal is to study the security risks for users of npm by systematically analyzing dependencies between packages, the maintainers responsible for these packages, and publicly reported security issues. | Package dependencies, maintainers, and vulnerabilities of npm | Publish, Issue Tracker |
| The Debsources Dataset: two decades of free and open source software | - How does the size of Debian evolve over time?<br>- How much does Debian change between releases?<br>- How has the popularity of programming languages changed over the last 20 years?<br>- Which licenses apply to Debian source code files?<br>- Which licenses can be found in Debian source packages?<br>- How has license use evolved in Debian over time? | Source code and metadata of 10 Debian stable releases published over the past two decades (corresponding to 82 thousand packages) and | Upstream code, Publish |
| Detection, assessment and mitigation of vulnerabilities in open source dependencies | - To determine the differences in the findings reported by the tools: Steady and OWASP DC.<br>- To evaluate the coverage of Steady's vulnerability database.<br>- To identify strengths and weaknesses of the two approaches. | 300 large enterprise projects under active development, which have an average of 260 dependencies | Publish, Identify Bugs |
| Dependency Smells in JavaScript Projects | - How prevalent are JavaScript dependency smells?<br>- How do developers perceive dependency smells and their negative impact?<br>- Why are these smells introduced in JavaScript projects? | Open-source JavaScript projects from GitHub with at least 10 commits since January 2019 and 10 contributing authors | Publish, Identify Bugs |