Dirty-Waters: Detecting Software Supply Chain Smells
Raphina Liu, Sofia Bobadilla, Benoit Baudry, Martin Monperrus

TL;DR
This paper introduces Dirty-Waters, a tool for detecting software supply chain smells in open-source projects, revealing prevalent risks in dependency usage that can threaten software security.
Contribution
It defines the concept of software supply chain smells and presents a novel tool for their detection, addressing a gap in assessing dependency risks.
Findings
All analyzed projects contained supply chain smells.
Many smells were detected across all versions tested.
Smells serve as clear indicators of potential security risks.
Abstract
Using open-source dependencies is essential in modern software development. However, this practice implies significant trust in third-party code, while there is little support for developers to assess this trust. As a consequence, attacks have been increasingly occurring through third-party dependencies. These are called software supply chain attacks. In this paper, we target the problem of projects that use dependencies while unaware of the potential risks posed by their software supply chain. We define the novel concept of software supply chain smell and present Dirty-Waters, a novel tool for detecting software supply chain smells. We evaluate Dirty-Waters on three JavaScript projects across nine versions and demonstrate the prevalence of all proposed software supply chain smells. Not only are there smells in all projects, but there are many of them, which immediately reveal potential…
Taxonomy
Topics: Software Engineering Research
