Catalogue Search | MBRL
118,708 result(s) for "software supply chain"
Construction of Software Supply Chain Threat Portrait Based on Chain Perspective
by Luo, Qin; Wu, Peng; Wang, Maoyang
in Artificial intelligence; attack technique matrix; Computational linguistics
2023
With the rapid growth of the software industry, the software supply chain (SSC) has become the most intricate system in the complete software life cycle, and the security threat situation is becoming increasingly severe. For the description of the SSC, the relevant research mainly focuses on the perspective of developers, lacking a comprehensive understanding of the SSC. This paper proposes a chain portrait framework of the SSC based on a resource perspective, which comprehensively depicts the threat model and threat surface indicator system of the SSC. The portrait model includes an SSC threat model and an SSC threat indicator matrix. The threat model has 3 levels and 32 dimensions and is based on a generative artificial intelligence model. The threat indicator matrix is constructed using the Attack Net model comprising 14-dimensional attack strategies and 113-dimensional attack techniques. The proposed portrait model’s effectiveness is verified through existing SSC security events, domain experts, and event visualization based on security analysis models.
Journal Article
A Survey of Open-Source Cryptographic Software Supply Chain Security (开源密码软件供应链安全综述)
by Jing-Feng, RONG; Xi-Juan, SI; Ping-Yuan, GE
in Algorithms; Cryptography; Open source software
2023
This article is the first survey to investigate, analyze and summarize the security problems of the open-source cryptographic software supply chain. First, by reviewing and analyzing the literature on open-source software supply chains, cryptographic algorithms and related fields, it discusses the differences between the open-source software supply chain and the open-source cryptographic software supply chain and defines the research scope of the latter. Second, taking typical security incidents in the cryptographic software supply chain as the starting point, it constructs a risk model for the open-source cryptographic software supply chain. Third, for each category of security risk identified, it draws on mature cases of physical supply chain risk management and on the risk countermeasures already used for open-source cryptographic software to summarize the means of preventing and controlling security risks in the open-source cryptographic software supply chain. Finally, it points out the challenges and opportunities facing the field and indicates future research directions.
Journal Article
World of code: enabling a research workflow for mining and analyzing the universe of open source VCS data
by Valiev, Marat; Ma, Yuxing; Kennard, David
in Control data (computers); Evaluation; Open source software
2021
Open source software (OSS) is essential for modern society and, while substantial research has been done on individual (typically central) projects, only a limited understanding of the periphery of the entire OSS ecosystem exists. For example, how are the tens of millions of projects in the periphery interconnected through technical dependencies, code sharing, or knowledge flow? To answer such questions we: a) create a very large and frequently updated collection of version control data for the entire FLOSS ecosystem, named World of Code (WoC), that can completely cross-reference authors, projects, commits, blobs, dependencies, and history of the FLOSS ecosystem, and b) provide capabilities to efficiently correct, augment, query, and analyze that data. Our current WoC implementation can be updated on a monthly basis and contains over 18B Git objects. To evaluate its research potential and to create vignettes for its usage, we employ WoC in conducting several research tasks. In particular, we find that it is capable of supporting trend evaluation, ecosystem measurement, and the determination of package usage. We expect WoC to spur investigation into global properties of OSS development, leading to increased resiliency of the entire OSS ecosystem. Our infrastructure facilitates the discovery of key technical dependencies, code flow, and social networks that provide the basis for determining the structure and evolution of the relationships that drive FLOSS activities and innovation.
Journal Article
Dependabot and security pull requests: large empirical study
by Bissyandé, Tégawendé F.; Moha, Naouel; Rebatchi, Hocine
in Automation; Compilers; Computer Science
2024
Modern software development is a complex engineering process in which developer code cohabits with an increasingly large number of external open-source components. Even though these components facilitate sharing and reusing code, along with other benefits related to maintenance and code quality, they are often the seeds of vulnerabilities in the software supply chain, leading to attacks with severe consequences. Indeed, one common attack strategy is to exploit existing security flaws, or inject new ones, in new versions of dependency packages. It is thus important to keep dependencies updated in a software development project. Unfortunately, several prior studies have highlighted that, to a large extent, developers struggle to keep track of dependency package updates and do not quickly incorporate security patches. Therefore, automated dependency-update bots have been proposed to mitigate the impact and the emergence of vulnerabilities in open-source projects. In our study, we focus on Dependabot, a dependency management bot that has recently gained popularity on GitHub. It allows developers to keep a lookout on project dependencies and reduces the effort of monitoring the safety of the software supply chain. We performed a large empirical study on dependency updates and security pull requests to understand: (1) the degree and reasons of Dependabot's popularity; (2) the patterns of developers' practices and techniques for dealing with vulnerabilities in dependencies; (3) the management of security pull requests (PRs), the threat lifetime, and the fix delay; and (4) the factors that significantly correlate with the acceptance of security PRs and fast merges. To that end, we collected a dataset of 9,916,318 pull request-related issues made in 1,743,035 projects on GitHub for more than 10 different programming languages. In addition to the comprehensive quantitative analysis, we performed a manual qualitative analysis on a representative sample of the dataset, and we substantiated our findings by sending a survey to developers who use dependency management tools. Our study shows that Dependabot accounts for more than 65% of dependency management activity, mainly due to its efficiency, accessibility, adaptivity, and availability of support. We also found that developers handle dependency vulnerabilities differently, but mainly rely on automated PR generation to upgrade vulnerable dependencies. Interestingly, both Dependabot's and developers' security PRs are highly accepted, and the automation accelerates their management, so that fixes are applied in less than one day. However, the threat of dependency vulnerabilities remains hidden for 512 days on average, and patches are disclosed after 362 days due to the reliance on the manual effort of security experts. Also, project characteristics, the amount of PR changes, and developer and dependency features appear to be highly correlated with the acceptance and fast merging of security PRs.
Journal Article
Understanding vulnerabilities in software supply chains
2025
Context
Due to the dependency relations among software, vulnerabilities in software supply chains (SSC) may cause more serious security threats than those in independent software systems. This poses new challenges for ensuring software security, including the spread of risk and the increase in maintenance costs.
Objective
To address these challenges, a deep understanding is needed of how a vulnerability behaves in an SSC in terms of vulnerability source, propagation, localization, and repair. However, no studies have been conducted specifically for this purpose.
Method
To fill this gap, we provide an experience study of real-world vulnerability characteristics in the context of SSCs. Specifically, we first examine the vulnerability source and then study the fine-grained vulnerability propagation, localization, and repair of libraries and their corresponding client programs.
Results
The key findings are summarized as follows: a) 99% of vulnerabilities in client programs are caused by their dependencies, and 81.26% of SSC vulnerabilities detected by package-level analysis are false positives; b) for vulnerability localization, the vulnerability database does not have enough information to support direct localization, but the vulnerability descriptions in the open-source vulnerability database provide much important information for indirect localization; c) client developers deal with vulnerable dependencies in many ways, including upgrading dependencies, modifying client code, and deleting the relevant code or the vulnerable dependencies.
Conclusions
Based on these observations, we make suggestions for future research in this direction: a) when testing important client programs, vulnerability detection tools should pay attention to both the client code and the dependent libraries; b) localizing a vulnerability from its description is not straightforward, hence a proper combination of program analysis and description analysis is expected to improve localization accuracy; c) there are various strategies for dealing with vulnerable libraries, and automating the enforcement of those strategies is expected.
Journal Article
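The finding above that most package-level alerts are false positives is the usual motivation for checking reachability at function granularity rather than stopping at "a vulnerable version is in the lockfile". The following is an added example, not code from the study: it contrasts a package-level check (is a vulnerable version of the advisory's package anywhere in the resolved dependency closure?) with a function-level check (is the vulnerable function reachable from the client's entry points in a static call graph?). The dependency graph, call graph, advisory, package names, symbol names and version numbers are all constructed for illustration and correspond to no real package.

```python
"""Package-level vs. function-level reachability of a vulnerable dependency.

Added example: all data below (advisory, resolved dependency graph, call graph)
is constructed for illustration and does not describe any real package.
"""
from collections import deque

# Constructed advisory: libcodec.decode is vulnerable in libcodec < 2.1.0.
ADVISORY = {
    "package": "libcodec",
    "fixed_in": (2, 1, 0),
    "vulnerable_symbol": "libcodec.decode",
}

# Constructed resolved dependency graph (what a lockfile would pin):
# package -> pinned version and direct dependencies.
RESOLVED = {
    "app":      {"version": (1, 0, 0), "deps": ["libhttp", "libcodec"]},
    "libhttp":  {"version": (3, 4, 1), "deps": ["libcodec"]},
    "libcodec": {"version": (2, 0, 3), "deps": []},
}

# Constructed static call graph: caller -> callees (fully qualified names).
# Note that libcodec.decode exists in the graph but nothing in app calls it.
CALL_GRAPH = {
    "app.main":              ["app.fetch", "libhttp.get"],
    "app.fetch":             ["libhttp.get"],
    "libhttp.get":           ["libhttp.parse_headers"],
    "libhttp.parse_headers": [],
    "libcodec.encode":       [],
    "libcodec.decode":       ["libcodec._inflate"],
    "libcodec._inflate":     [],
}


def version_vulnerable(version, fixed_in):
    """True if `version` precedes the first fixed release (tuple comparison)."""
    return tuple(version) < tuple(fixed_in)


def dependency_closure(root, resolved):
    """All packages transitively reachable from `root` in the resolved graph."""
    seen, queue = set(), deque([root])
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(resolved[pkg]["deps"])
    return seen


def package_level_alert(root, resolved, advisory):
    """Package-level check: a vulnerable version of the package is pulled in."""
    pkg = advisory["package"]
    if pkg not in dependency_closure(root, resolved):
        return False
    return version_vulnerable(resolved[pkg]["version"], advisory["fixed_in"])


def reachable_symbols(entry_points, call_graph):
    """Breadth-first walk of the call graph from the client's entry points."""
    seen, queue = set(), deque(entry_points)
    while queue:
        sym = queue.popleft()
        if sym in seen:
            continue
        seen.add(sym)
        queue.extend(call_graph.get(sym, []))
    return seen


def function_level_alert(entry_points, call_graph, advisory):
    """Function-level check: the vulnerable symbol is on some path from an entry point."""
    return advisory["vulnerable_symbol"] in reachable_symbols(entry_points, call_graph)


def classify(root, entry_points, resolved, call_graph, advisory):
    """Combine both checks into the triage verdict a scanner should report."""
    if not package_level_alert(root, resolved, advisory):
        return "not affected"
    if function_level_alert(entry_points, call_graph, advisory):
        return "true positive"
    # Vulnerable version is present, but no call path reaches the flawed code.
    return "package-level false positive"


if __name__ == "__main__":
    print("package-level alert:", package_level_alert("app", RESOLVED, ADVISORY))
    print("function-level alert:", function_level_alert(["app.main"], CALL_GRAPH, ADVISORY))
    print("verdict:", classify("app", ["app.main"], RESOLVED, CALL_GRAPH, ADVISORY))
```

Two caveats a practitioner would attach to the verdict. First, the static call graph is only as complete as the analysis that built it: reflection, dynamic dispatch, plugin loading and deserialization of attacker-controlled input can all invoke code the graph shows no edge to, so "package-level false positive" is a prioritization signal for the backlog, not proof that the client is safe, and the package-level result should still drive the upgrade. Second, the advisory's vulnerable symbol must be known; when the database entry names only the package, as the study notes is common, the function-level check cannot run and the triage falls back to the package-level result.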
Application of blockchain technology for sustainability development in agricultural supply chain: justification framework
by Bag, Surajit; Singh, Rajesh Kumar; Mukherjee, Archana A
in Agile manufacturing; Agricultural development; Agricultural industry
2022
Blockchain technology is conceptualised as a type of disruptive technology and is regarded as one of the prime tools of Industry 4.0 today. The varied features of blockchain, such as smart contracts, decentralisation, transparency, traceability, data immutability and data privacy, along with a consensus mechanism, make it suitable for the complex and multi-echelon supply chains of today. These factors improve production processes and make existing supply chains agile, resilient and responsive in the long term. Blockchain also adds an aspect of sustainability which correlates with the phenomenon of the circular economy in today's world. Hence firms should compare and evaluate the significance of the traditional supply chain and the blockchain-enabled supply chain in bringing sustainability to the supply chain today. This paper aims to highlight the benefits of blockchain in supply chain management with the help of a literature review along with the opinions of experts from the agricultural sector. The key benefits identified are data privacy, decentralisation, immutability of data, smart contracts, improved sustainability, building of resilient supply chains, transparency and a shared database. These potential benefits of blockchain are assessed using the analytical hierarchy process technique. A global desirability index for the traditional supply chain and the blockchain-enabled supply chain is calculated. The higher global desirability index of the blockchain-enabled supply chain over the traditional supply chain suggests that the application of blockchain technology in the supply chain is justified for bringing sustainability to the supply chain. This study aims to offer meaningful implications for practitioners so that they can take suitable measures for adoption of this technology.
Journal Article
Blockchain in Agriculture Traceability Systems: A Review
by Alexakis, Theodoros; Adamopoulou, Evgenia; Demestichas, Konstantinos
in agri-food industry; Agricultural industry; agriculture supply chain
2020
Food holds a major role in human beings' lives and in human societies in general across the planet. The food and agriculture sector is considered to be a major employer at a worldwide level. The large number and heterogeneity of the stakeholders involved from different sectors, such as farmers, distributors, retailers, consumers, etc., renders agricultural supply chain management one of the most complex and challenging tasks. It is this same vast complexity of the agri-products supply chain that limits the development of global and efficient transparency and traceability solutions. The present paper provides an overview of the application of blockchain technologies for enabling traceability in the agri-food domain. Initially, the paper presents definitions, levels of adoption, tools and advantages of traceability, accompanied by a brief overview of the functionality and advantages of blockchain technology. It then conducts an extensive literature review on the integration of blockchain into traceability systems. It proceeds by discussing relevant existing commercial applications, highlighting the relevant challenges and future prospects of the application of blockchain technologies in the agri-food supply chain.
Journal Article
LLM4TDG: test-driven generation of large language models based on enhanced constraint reasoning
by Zhang, Yue; Liang, Ruigang; Zhu, Xiaoxi
in Computer Applications; Computer Science; Constraints
2025
With the evolution of modern software development paradigms, component reuse and low-code approaches have emerged as the mainstream in software development. However, developers often lack an in-depth understanding of reused code. The inability of components to operate autonomously leads to insufficient testing of software functionality and security, further exacerbating the contradiction between the increasing complexity of software architectures and the demand for accurate and efficient automated software testing. This, in turn, increases the frequency of software supply chain security incidents. This paper proposes a test-driven generation framework, LLM4TDG, based on large language models (LLMs). By formally defining the constraint dependency graph and converting it into context constraints, LLMs' ability to understand natural language descriptions such as test requirements and documents is enhanced. Constraint reasoning and backtracking mechanisms are then used to automatically generate test drivers that satisfy the defined constraints. Using the EvalPlus dataset, we evaluate the comprehensive capabilities of LLM4TDG in test case generation with four general-domain LLMs and five code-generation-domain LLMs. The experimental results indicate that our approach significantly enhances LLMs' ability to comprehend constraints in testing objectives, achieving a 47.62% increase in constraint understanding across 147 testing tasks. Employing LLM4TDG improves the average pass@k metric of all LLMs by 10.41%, and the pass@k metric for CodeQwen-chat improves by up to 18.66%. The metric surpasses the state-of-the-art GPT-4, with a performance of 92.16% on HUMANEVAL and 87.14% on HUMANEVAL+, which enhances error correction and functional correctness in test-driven code generation. Meanwhile, our experiments were also conducted on a dataset of Python third-party libraries containing malicious behavior in the context of security testing tasks, validating the effectiveness of our method in real-world applications and its generalization capabilities.
Journal Article
Who changes what, when and where? Elaborating postponement when integrating hardware and software objects in global supply chains
2024
Purpose
The postponement principle concerns defining when and where value is added, usually referring to hardware components for physical products. However, in modern supply chains, software's importance is increasing, impacting the timing and location of value-adding operations. Lacking insights into software-driven implications for postponement, we aim at elaborating on the postponement principle by contextualizing its evolution when integrating different objects (i.e. hardware and software).
Design/methodology/approach
We adopted an abductive approach to elaborate on the existing knowledge with original empirical insights. A single-case study with four subcases allowed us to explore postponement dimensions in the context of a global high-tech enterprise offering products that integrate hardware and software objects. As global supply chains involve multiple jurisdictions with heterogeneous regulations, we also analyzed in depth the emerging fiscal and legal implications.
Findings
Besides where and when value is added, the study illustrates that deciding who (i.e. what legal entity) is carrying out what operation on what kind of object is highly important. Moreover, fiscal and legal implications for the various legal entities strongly depend on what operations are executed and in which jurisdiction (where). The study identifies critical interrelationships among postponement dimensions when integrating hardware and software objects, highlighting the importance of understanding and managing their reciprocity with the emerging fiscal and legal risks.
Originality/value
We elaborate on the postponement principle by contextualizing its applications when integrating hardware and software objects in global supply chains, which include multiple jurisdictions. By formalizing the impact of the who dimension, the study contributes to developing the interorganizational perspective for postponement. Moreover, it extends the traditional cost perspective for postponement beyond the trade-off between responsiveness and cost-efficiency, suggesting that firms applying global postponement should extend their focus to also examine fiscal and legal risks for all the legal entities involved.
Journal Article
Can industry 5.0 technologies overcome supply chain disruptions?—a perspective study on pandemics, war, and climate change issues
by Garza-Reyes, Jose Arturo; Luthra, Sunil; Kumar, Anil
in Climate change; Industrial Revolution; Industry 4.0
2024
Industry 5.0 (I5.0) is the next industrial revolution, one that will leverage human intervention in collaboration with intelligent, logical, and smart machines to attain even more user-preferred and resource-efficient manufacturing and supply chain solutions. The main aim of this article is to study I5.0 technologies in supply chains when these are affected by disruptive phenomena such as those created by wars, climate change or pandemics. A systematic literature review methodology was used to understand the present knowledge connected with this theme. This study summarises 194 research articles, including journal and review articles, from the period 2009 to 2022. The research findings show a significant gap related to the adoption of I5.0 technologies to prevent or overcome supply chain disruptions. The study provides a novel and insightful concept related to I5.0 within the context of supply chain disruptions. The potential applications of I5.0 and Industry 4.0 are discussed in detail in three areas, namely: (1) disruptions in supply chains due to pandemics; (2) disruptions in supply chains due to war; and (3) disruptions in supply chains due to climate change. Finally, this study highlights research implications and proposes future research avenues that will contribute to further exploring the adoption of I5.0 technologies to prevent, manage and overcome disruptions in supply chains.
Journal Article