Table of Contents
Fetching ...

Operationalizing Research Software for Supply Chain Security

Kelechi G. Kalu, Soham Rattan, Taylor R. Schorlemmer, George K. Thiruvathukal, Jeffrey C. Carver, James C. Davis

TL;DR

The paper tackles the problem that inconsistent operationalization of research software hinders comparable RSSC security research. It develops an RSSC-oriented taxonomy derived from SSC concepts, validated through a targeted scoping review, and applies it to a large RSE corpus to produce labeled data, a codebook, and a reproducible labeling pipeline. A taxonomy-aware security analysis using OpenSSF Scorecard is contextualized with an Apache baseline to show how scope and stratification affect interpretation of repository-centric security signals. The work provides a foundational infrastructure for cumulative, comparable RSSC security evidence and highlights how governance and distribution patterns shape observed security practices.

Abstract

Empirical studies of research software are hard to compare because the literature operationalizes ``research software'' inconsistently. Motivated by the research software supply chain (RSSC) and its security risks, we introduce an RSSC-oriented taxonomy that makes scope and operational boundaries explicit for empirical research software security studies. We conduct a targeted scoping review of recent repository mining and dataset construction studies, extracting each work's definition, inclusion criteria, unit of analysis, and identification heuristics. We synthesize these into a harmonized taxonomy and a mapping that translates prior approaches into shared taxonomy dimensions. We operationalize the taxonomy on a large community-curated corpus from the Research Software Encyclopedia (RSE), producing an annotated dataset, a labeling codebook, and a reproducible labeling pipeline. Finally, we apply OpenSSF Scorecard as a preliminary security analysis to show how repository-centric security signals differ across taxonomy-defined clusters and why taxonomy-aware stratification is necessary for interpreting RSSC security measurements.

Operationalizing Research Software for Supply Chain Security

TL;DR

The paper tackles the problem that inconsistent operationalization of research software hinders comparable RSSC security research. It develops an RSSC-oriented taxonomy derived from SSC concepts, validated through a targeted scoping review, and applies it to a large RSE corpus to produce labeled data, a codebook, and a reproducible labeling pipeline. A taxonomy-aware security analysis using OpenSSF Scorecard is contextualized with an Apache baseline to show how scope and stratification affect interpretation of repository-centric security signals. The work provides a foundational infrastructure for cumulative, comparable RSSC security evidence and highlights how governance and distribution patterns shape observed security practices.

Abstract

Empirical studies of research software are hard to compare because the literature operationalizes ``research software'' inconsistently. Motivated by the research software supply chain (RSSC) and its security risks, we introduce an RSSC-oriented taxonomy that makes scope and operational boundaries explicit for empirical research software security studies. We conduct a targeted scoping review of recent repository mining and dataset construction studies, extracting each work's definition, inclusion criteria, unit of analysis, and identification heuristics. We synthesize these into a harmonized taxonomy and a mapping that translates prior approaches into shared taxonomy dimensions. We operationalize the taxonomy on a large community-curated corpus from the Research Software Encyclopedia (RSE), producing an annotated dataset, a labeling codebook, and a reproducible labeling pipeline. Finally, we apply OpenSSF Scorecard as a preliminary security analysis to show how repository-centric security signals differ across taxonomy-defined clusters and why taxonomy-aware stratification is necessary for interpreting RSSC security measurements.
Paper Structure (19 sections, 1 figure, 3 tables)