An Empirically Grounded Reference Architecture for Software Supply Chain Metadata Management

Nguyen Khoi Tran, Samodha Pallewatta, M. Ali Babar

TL;DR

Facing rising SSC attacks, the paper introduces an empirically grounded Reference Architecture (RA) for Software Supply Chain Metadata Management (SCM2) to deliver machine-readable, authenticated metadata across artefacts' lifecycles. It builds a domain model and architectural blueprint from industry-driven SSC security frameworks and validates the RA by mapping five widely used tools to its architecture. The evaluation reveals an SBOM-centric, container-focused practice with uneven adoption of signing and notarisation, highlighting gaps in end-to-end lifecycle coverage. The authors propose a path toward decentralised, multi-user SCM2 ecosystems to enable origin-based, authenticated, and notarised SSC metadata generation and distribution.

Abstract

With the rapid rise in Software Supply Chain (SSC) attacks, organisations need thorough and trustworthy visibility over the entire SSC of their software inventory to detect risks early and identify compromised assets rapidly in the event of an SSC attack. One way to achieve such visibility is through SSC metadata, machine-readable and authenticated documents describing an artefact's lifecycle. Adopting SSC metadata requires organisations to procure or develop a Software Supply Chain Metadata Management system (SCM2), a suite of software tools for performing lifecycle activities of SSC metadata documents such as creation, signing, distribution, and consumption. Selecting or developing an SCM2 is challenging due to the lack of a comprehensive domain model and architectural blueprint to aid practitioners in navigating the vast design space of SSC metadata terminologies, frameworks, and solutions. This paper addresses the above-mentioned challenge by presenting an empirically grounded Reference Architecture (RA) comprising a domain model and an architectural blueprint for SCM2 systems. Our proposed RA is constructed systematically on an empirical foundation built with industry-driven and peer-reviewed SSC security frameworks. Our theoretical evaluation, which consists of an architectural mapping of five prominent SSC security tools on the RA, ensures its validity and applicability, thus affirming the proposed RA as an effective framework for analysing existing SCM2 solutions and guiding the engineering of new SCM2 systems.
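The abstract describes SSC metadata as machine-readable, authenticated documents and names the lifecycle activities an SCM2 must support (creation, signing, distribution, consumption). The following Python script is an added illustration of that lifecycle, not code from the paper or from any of the tools it evaluates: it creates a minimal SBOM-like document bound to an artefact by content digest, wraps it in a signed envelope, and shows the consumer-side check rejecting a tampered component list, a mismatched artefact, and a signature from an unknown key. The artefact bytes, component list, key id and key are constructed for the example, and HMAC-SHA256 stands in for the asymmetric signature a real producer would use, so that the script runs with the standard library only.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample artefact and component list (not from the paper).
SAMPLE_ARTEFACT = b"#!/bin/sh\necho 'hello from the build'\n"
SAMPLE_COMPONENTS = [
    {"name": "libexample", "version": "1.2.3", "purl": "pkg:generic/libexample@1.2.3"},
    {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
]
# Hypothetical producer key. HMAC is an assumption made for a self-contained demo;
# a real SCM2 would sign with an asymmetric key held by the build system.
PRODUCER_KEY_ID = "build-server-key-1"
PRODUCER_KEY = b"constructed-demo-key-do-not-use"


def canonical_bytes(doc: dict) -> bytes:
    """Deterministic JSON encoding so the signature covers exactly one byte string."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def create_metadata(artefact_name: str, artefact: bytes, components: list, built_at: str) -> dict:
    """Creation: an SBOM-like document whose subject is identified by content digest."""
    return {
        "schema": "demo-ssc-metadata/1",
        "subject": {"name": artefact_name, "sha256": hashlib.sha256(artefact).hexdigest()},
        "components": components,
        "built_at": built_at,
    }


def sign_metadata(doc: dict, key: bytes, key_id: str) -> dict:
    """Signing: wrap the document in an envelope carrying a tag over its canonical bytes."""
    tag = hmac.new(key, canonical_bytes(doc), hashlib.sha256).hexdigest()
    return {"payload": doc, "signatures": [{"keyid": key_id, "sig": tag}]}


def verify_metadata(envelope: dict, trusted_keys: dict, artefact: bytes) -> tuple:
    """Consumption: accept only if a trusted key signed these exact bytes and the
    subject digest matches the artefact actually in hand."""
    payload = envelope.get("payload")
    if not isinstance(payload, dict):
        return False, "missing payload"
    for sig in envelope.get("signatures", []):
        key = trusted_keys.get(sig.get("keyid"))
        if key is None:
            continue  # signature from a key we do not trust; ignore it
        expected = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig.get("sig", "")):
            break
    else:
        return False, "no valid signature from a trusted key"
    actual = hashlib.sha256(artefact).hexdigest()
    if actual != payload.get("subject", {}).get("sha256"):
        return False, "subject digest does not match the artefact"
    return True, "ok"


def run_demo() -> dict:
    """Exercise the lifecycle and return the consumer-side verdict for each scenario."""
    trusted = {PRODUCER_KEY_ID: PRODUCER_KEY}
    doc = create_metadata("app.sh", SAMPLE_ARTEFACT, SAMPLE_COMPONENTS, "2024-01-01T00:00:00Z")
    envelope = sign_metadata(doc, PRODUCER_KEY, PRODUCER_KEY_ID)

    # Distribution is modelled as a deep copy: the consumer receives bytes, not our object.
    tampered = copy.deepcopy(envelope)
    tampered["payload"]["components"][0]["version"] = "9.9.9"

    other_artefact = SAMPLE_ARTEFACT + b"# trailing change\n"

    return {
        "genuine": verify_metadata(copy.deepcopy(envelope), trusted, SAMPLE_ARTEFACT),
        "tampered_components": verify_metadata(tampered, trusted, SAMPLE_ARTEFACT),
        "wrong_artefact": verify_metadata(copy.deepcopy(envelope), trusted, other_artefact),
        "unknown_key": verify_metadata(copy.deepcopy(envelope), {}, SAMPLE_ARTEFACT),
    }


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(f"{scenario:20s} -> {verdict}")
```

The two checks in verify_metadata are deliberately separate: a valid signature only proves that a trusted producer emitted the document, while the digest comparison proves the document is about the artefact the consumer is actually holding. Dropping either check leaves a gap that the paper's notion of authenticated, origin-bound metadata is meant to close.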

Paper Structure

This paper contains 17 sections, 6 figures, 2 tables.

Figures (6)

  • Figure 1: Methodology for constructing the reference architecture for SSC Metadata life cycle management
  • Figure 2: Domain Model for SSC and SSC Metadata Concepts
  • Figure 3: Life cycle of SSC Metadata
  • Figure 4: Context model of SCM2
  • Figure 5: Container model of SCM2
  • ...and 1 more figure