Tracking Down Software Cluster Bombs: A Current State Analysis of the Free/Libre and Open Source Software (FLOSS) Ecosystem
Stefan Tatschner (1, 2), Michael P. Heinl (1, 3, 4), Nicole Pappler (2), Tobias Specht (1), Sven Plaga (5), Thomas Newe (2) ((1) Fraunhofer AISEC, Garching bei München, Bavaria, Germany; (2) University of Limerick, Limerick, Ireland; (3) Technical University of Munich

TL;DR
This paper analyzes the current state of FLOSS package repositories, highlighting vulnerabilities and proposing methods to monitor and improve software supply chain security in response to legal and security challenges.
Contribution
It provides a comprehensive analysis of FLOSS ecosystems, identifies security vulnerabilities, and suggests a framework for future research and monitoring tools.
Findings
Presence of well-maintained projects and high-impact vulnerable projects
High susceptibility of critical projects to supply chain attacks
Need for improved interfaces and tools for ecosystem analysis
Abstract
Throughout computer history, it has been repeatedly demonstrated that critical software vulnerabilities can significantly affect the components involved. In the Free/Libre and Open Source Software (FLOSS) ecosystem, most software is distributed through package repositories. Nowadays, monitoring critical dependencies in a software system is essential for maintaining robust security practices. This is particularly important due to new legal requirements, such as the European Cyber Resilience Act, which necessitate that software projects maintain a transparent track record with Software Bill of Materials (SBOM) and ensure a good overall state. This study provides a summary of the current state of available FLOSS package repositories and addresses the challenge of identifying problematic areas within a software ecosystem. These areas are analyzed in detail, quantifying the current state of…
Taxonomy
Topics: Scientific Computing and Data Management · Open Source Software Innovations
