Research directions in software supply chain security

Williams, Laurie · 2025 · DOI 10.1145/3714464

6 Pith papers cite this work. Polarity classification is still indexing.

6 Pith papers citing it

open at publisher browse 6 citing papers

citation-role summary

background 2 method 1

citation-polarity summary

background 2 use method 1

representative citing papers

Analysis of Commit Signing on Github

cs.SE · 2026-04-15 · unverdicted · novelty 8.0

Ecosystem-scale measurement shows commit signing on GitHub is rarely deliberate or sustained by developers, with rising lapse rates and unrevoked expired keys, so supply-chain security frameworks relying on it do not hold in practice.

Trust Me, Import This: Dependency Steering Attacks via Malicious Agent Skills

cs.CR · 2026-05-10 · unverdicted · novelty 7.0

Malicious Skills induce coding agents to hallucinate and import attacker-controlled packages at high rates while evading detection.

Weaponizing the Commons: A Taxonomy and Detection Framework of Abuse on GitHub

cs.SE · 2026-04-20 · unverdicted · novelty 7.0

A taxonomy of GitHub abuse behaviors is proposed along with a detection framework achieving F1-scores exceeding 89% on a manually labeled dataset of 392 instances.

Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs

cs.SE · 2026-04-04 · unverdicted · novelty 6.0

The paper shows that heterogeneous graph attention networks can classify vulnerable components in real SBOMs at 91% accuracy and that a simple MLP can predict documented multi-vulnerability chains with 0.93 ROC-AUC.

Execution-bound advisory automation for agentic AI: a reproducible AIBOM-driven CSAF-VEX framework

cs.SE · 2026-06-16 · unverdicted · novelty 4.0

Presents a framework for generating cryptographically signed CSAF VEX advisories for agentic AI by binding SBOM/AIBOM artifacts to deterministic environment capture and runtime telemetry.

Classport: Designing Runtime Dependency Introspection for Java

cs.SE · 2025-10-23

citing papers explorer

Showing 5 of 5 citing papers after filters.

Analysis of Commit Signing on Github cs.SE · 2026-04-15 · unverdicted · none · ref 61
Ecosystem-scale measurement shows commit signing on GitHub is rarely deliberate or sustained by developers, with rising lapse rates and unrevoked expired keys, so supply-chain security frameworks relying on it do not hold in practice.
Weaponizing the Commons: A Taxonomy and Detection Framework of Abuse on GitHub cs.SE · 2026-04-20 · unverdicted · none · ref 40
A taxonomy of GitHub abuse behaviors is proposed along with a detection framework achieving F1-scores exceeding 89% on a manually labeled dataset of 392 instances.
Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs cs.SE · 2026-04-04 · unverdicted · none · ref 30
The paper shows that heterogeneous graph attention networks can classify vulnerable components in real SBOMs at 91% accuracy and that a simple MLP can predict documented multi-vulnerability chains with 0.93 ROC-AUC.
Execution-bound advisory automation for agentic AI: a reproducible AIBOM-driven CSAF-VEX framework cs.SE · 2026-06-16 · unverdicted · none · ref 61
Presents a framework for generating cryptographically signed CSAF VEX advisories for agentic AI by binding SBOM/AIBOM artifacts to deterministic environment capture and runtime telemetry.
Classport: Designing Runtime Dependency Introspection for Java cs.SE · 2025-10-23 · unreviewed · ref 30

Research directions in software supply chain security

citation-role summary

citation-polarity summary

fields

years

verdicts

roles

polarities

representative citing papers

citing papers explorer