Lightning Talk: Software Dark Matter is the Enemy of Software Transparency - Santiago Torres-Arias
Author: CNCF [Cloud Native Computing Foundation]
Uploaded: 2023-02-01
Views: 110
Description:
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Lightning Talk: Software Dark Matter is the Enemy of Software Transparency - Santiago Torres-Arias, Purdue University
Software transparency has become the north star for many interested in software supply chain security. For instance, advocates of software bills of materials (SBOMs) believe that SBOMs provide the data layer that will allow software producers and consumers to achieve software transparency. But there is an unrecognized impediment to achieving software transparency and to creating accurate and complete SBOMs: software dark matter. Software dark matter consists of files that are not registered with any package manager, which makes them effectively invisible to many software composition analysis tools and vulnerability scanners. This software dark matter reduces the utility of security tools and complicates the quest for software transparency. To understand the magnitude of the software dark matter problem, this project analyzed 350 popular Docker Hub images, quantifying the software dark matter percentage. The average popular container is approximately 30 percent dark matter. Using an average weighted by the number of files, the typical container is 60 percent dark matter. The talk finishes with a call to avoid software dark matter in container images.
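The measurement the abstract describes, as an added example that is not the talk's own tooling or dataset: it treats every path claimed in a dpkg `.list` file as "registered", flags everything else in the rootfs inventory as dark matter, and computes both the plain per-image average and the file-count-weighted average that the abstract contrasts. Package names, file paths and counts below are constructed stand-ins.

```python
"""Quantify "software dark matter": files in a container rootfs that no
package manager claims. Constructed sample data, not the talk's dataset."""
from dataclasses import dataclass

# Constructed stand-in for the contents of /var/lib/dpkg/info/*.list files
# (one path per line, directories included, as dpkg writes them).
DPKG_LISTS = {
    "libc6": "/lib\n/lib/x86_64-linux-gnu\n/lib/x86_64-linux-gnu/libc.so.6\n",
    "curl": "/usr\n/usr/bin\n/usr/bin/curl\n",
}

# Constructed rootfs inventory (regular files only, as `find / -type f` lists).
ROOTFS_FILES = [
    "/lib/x86_64-linux-gnu/libc.so.6",
    "/usr/bin/curl",
    "/app/server",             # vendored binary: no package owns it
    "/app/node_modules/a.js",  # fetched by npm, unknown to dpkg
    "/usr/local/bin/helper",   # copied in by a Dockerfile RUN step
]

def registered_paths(lists: dict[str, str]) -> set[str]:
    """Union of every path claimed by any installed package."""
    owned = set()
    for body in lists.values():
        owned.update(line.strip() for line in body.splitlines() if line.strip())
    return owned

@dataclass
class DarkMatter:
    total: int          # files in the image
    dark: int           # files no package claims
    unowned: list[str]  # the dark-matter paths, for triage
    @property
    def fraction(self) -> float:
        return self.dark / self.total if self.total else 0.0

def measure(files, lists) -> DarkMatter:
    """Dark-matter share of one image: files present but unregistered."""
    owned = registered_paths(lists)
    unowned = sorted(f for f in files if f not in owned)
    return DarkMatter(len(files), len(unowned), unowned)

def mean_vs_weighted(results):
    """Plain mean of per-image fractions vs. file-count-weighted mean; large
    images with much dark matter pull the weighted figure up, as the abstract notes."""
    plain = sum(r.fraction for r in results) / len(results)
    weighted = sum(r.dark for r in results) / sum(r.total for r in results)
    return plain, weighted
```

Running `measure` over a real image means feeding it the output of `find / -type f` and the contents of `/var/lib/dpkg/info/*.list` (or the equivalent `rpm -ql` output on RPM-based images); anything in `unowned` is what an SBOM generator that only consults the package database will miss.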