
MEHARI Fanuel

PhD Student at Sorbonne University
Team : MoVe
Arrival date : 10/01/2025
    Sorbonne Université - LIP6
    Boîte courrier 169
    Couloir 25-26, Étage 2, Bureau 203
    4 place Jussieu
    75252 PARIS CEDEX 05
    FRANCE

+33 1 44 27 87 71
Fanuel.Mehari (at) lip6.fr
https://lip6.fr/Fanuel.Mehari

Supervision : Pascal POIZAT
Co-supervision : EL HADDAD Joyce

Analysis and Repair in Software Supply Chains

The 2021 US Executive Order on cybersecurity and the 2024 EU Cyber Resilience Act have highlighted the importance of the software supply chain, and of the Software Bill of Materials (SBOM), for software security. An SBOM is a formal, machine-analysable inventory of everything that goes into building a software artefact. Among other things, it makes it possible to determine whether a piece of software is potentially affected by known vulnerabilities and to respond accordingly. A project's software dependencies, whether direct or transitive, are one of the key elements of its supply chain. In a previous thesis, carried out in collaboration with an industrial partner, we proposed tool-based solutions for analysing a project's software dependencies that scale to a complete ecosystem (such as Java/Maven, with its millions of libraries and hundreds of millions of dependency relationships between them). We also proposed a multi-objective, multi-criteria optimisation approach for building dependency evolution plans that integrates quality and security criteria and accounts for possible breaking changes, since a dependency update may be partially incompatible with the code or tests of the project concerned. The datasets and tools developed in this initial work were used for the mining challenge of a major conference in the field.

The thesis proposed here aims to advance these contributions by addressing several scientific challenges:
• defining a formal model for describing SBOMs that is more structured than the emerging standards;
• extending the dependency analysis approach to the broader scope of SBOMs (e.g. integrating the language versions, compilers and build tools involved in producing a software artefact), so as to detect the risks of compromise or obsolescence that an SBOM carries;
• taking into account the actual impact of risks: current approaches rely on simple dependency-path analysis (the SBOM declares a direct or transitive dependency on a vulnerable component), whereas the code should be analysed semantically (does the context of use allow the vulnerability to actually be triggered?) in order to rule out false positives;
• proposing algorithms for updating an SBOM to address these issues;
• proposing solutions for automatic code repair, based on the impact analysis of SBOM changes and on similar modifications detected in the dependency graphs of the software ecosystems concerned.
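As an added illustration of the third challenge (this is example code, not part of the LIP6 page or of the thesis tooling), the following Python contrasts dependency-path matching with call-graph reachability on a constructed CycloneDX-style SBOM fragment. The component names and versions, the advisory id EXAMPLE-0001, the vulnerable sink and every function symbol in the call graph are hypothetical.

```python
"""Added example: dependency-path matching vs. call-graph reachability.

All data below is constructed for illustration; none of it comes from a real
SBOM, advisory database or project.
"""
from collections import deque

# Constructed CycloneDX-style SBOM fragment (hypothetical components).
SBOM = {
    "components": [
        {"name": "app", "version": "1.0.0"},
        {"name": "libA", "version": "2.3.1"},
        {"name": "libB", "version": "0.9.0"},
        {"name": "libC", "version": "4.1.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libA", "libB"]},
        {"ref": "libA", "dependsOn": ["libC"]},
        {"ref": "libB", "dependsOn": []},
        {"ref": "libC", "dependsOn": []},
    ],
}

# Constructed advisory: the vulnerability in libC 4.1.0 is only triggered
# through one function (the "sink"); the id is a placeholder, not a real CVE.
ADVISORIES = {("libC", "4.1.0"): {"id": "EXAMPLE-0001", "sink": "libC.parse_untrusted"}}

# Constructed call graph: caller -> callees (hypothetical symbols).
# libA.load calls the vulnerable sink, but app.main never reaches libA.load.
CALL_GRAPH = {
    "app.main": ["libA.render"],
    "app.import_batch": ["libA.load"],
    "libA.render": ["libC.format_safe"],
    "libA.load": ["libC.parse_untrusted"],
    "libC.format_safe": [],
    "libC.parse_untrusted": [],
}


def transitive_deps(sbom, root):
    """Components reachable from `root` through the SBOM's dependency edges."""
    edges = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    seen, queue = set(), deque([root])
    while queue:
        for dep in edges.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def path_based_findings(sbom, advisories, root="app"):
    """Dependency-path analysis: flag every advisory whose component and
    version appear anywhere below `root`, regardless of how it is used."""
    versions = {c["name"]: c["version"] for c in sbom["components"]}
    below = transitive_deps(sbom, root)
    return sorted(adv["id"] for (name, ver), adv in advisories.items()
                  if name in below and versions.get(name) == ver)


def reachable_symbols(call_graph, entry_points):
    """Functions reachable from the project's entry points in the call graph."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        for callee in call_graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def reachability_findings(sbom, advisories, call_graph, entry_points, root="app"):
    """Semantic filter: keep a path-based finding only if the advisory's
    vulnerable sink is reachable from the project's entry points."""
    flagged = set(path_based_findings(sbom, advisories, root))
    reachable = reachable_symbols(call_graph, entry_points)
    return sorted(adv["id"] for adv in advisories.values()
                  if adv["id"] in flagged and adv["sink"] in reachable)


if __name__ == "__main__":
    print("path-based:", path_based_findings(SBOM, ADVISORIES))
    print("reachable from app.main:",
          reachability_findings(SBOM, ADVISORIES, CALL_GRAPH, ["app.main"]))
    print("reachable incl. app.import_batch:",
          reachability_findings(SBOM, ADVISORIES, CALL_GRAPH,
                                ["app.main", "app.import_batch"]))
```

The path-based pass reports EXAMPLE-0001 as soon as libC 4.1.0 sits anywhere under the project; the reachability pass drops it when only app.main is an entry point and keeps it once app.import_batch is added. The filter is only as sound as the call graph it is given: if reflection, dynamic dispatch or plugin loading is missed, the under-approximated graph turns the false-positive reduction into real false negatives, which is why the call graph must over-approximate calls before its verdicts are trusted.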

This subject lies at the intersection of software science, empirical software engineering, static program analysis, data mining, and the implementation of algorithms on large graphs.