{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:5A7AA3XWNMFT6XJEW4APNHRNNF","short_pith_number":"pith:5A7AA3XW","schema_version":"1.0","canonical_sha256":"e83e006ef66b0b3f5d24b700f69e2d695515938e2e003fca46c98b7f403135b2","source":{"kind":"arxiv","id":"2606.22827","version":1},"attestation_state":"computed","paper":{"title":"What You See Is Not What You Execute: Memory-Based Runtime SBOM Generation for Supply Chain Security","license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","headline":"","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Andrew Case, Hala Alia, Irfan Ahmed","submitted_at":"2026-06-22T04:08:26Z","abstract_excerpt":"Modern software development relies heavily on third-party components from public repositories, expanding the software supply chain attack surface. In response to these growing risks, federal initiatives have advanced the Software Bill of Materials (SBOM) as a standardized mechanism for improving transparency by describing software components, dependencies, and their relationships. However, SBOMs built from metadata or filesystem artifacts fail to capture the components loaded and executed at runtime, especially in dynamic ecosystems such as Python. Moreover, generating runtime SBOMs through in"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2606.22827","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","primary_cat":"cs.CR","submitted_at":"2026-06-22T04:08:26Z","cross_cats_sorted":["cs.SE"],"title_canon_sha256":"3a94babba95a04a24e7af161a7f60ce8de000b6cd4e7e2aad22891b1077fce35","abstract_canon_sha256":"a2e14ea17fdc3427ddeaa573a786ba4161d45111ec2bfacc3c4b998901660cdc"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-06-23T02:14:00.517031Z","signature_b64":"rjkszzPGtmYMkdXbEZgDpphowIneJ9Wu0O99mDcvoUAOvz28LS8L0AVwqDUJI8IZ3IbArcMd/7h4Sa37DwT5Ag==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"e83e006ef66b0b3f5d24b700f69e2d695515938e2e003fca46c98b7f403135b2","last_reissued_at":"2026-06-23T02:14:00.516578Z","signature_status":"signed_v1","first_computed_at":"2026-06-23T02:14:00.516578Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"What You See Is Not What You Execute: Memory-Based Runtime SBOM Generation for Supply Chain Security","license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","headline":"","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Andrew Case, Hala Alia, Irfan Ahmed","submitted_at":"2026-06-22T04:08:26Z","abstract_excerpt":"Modern software development relies heavily on third-party components from public repositories, expanding the software supply chain attack surface. In response to these growing risks, federal initiatives have advanced the Software Bill of Materials (SBOM) as a standardized mechanism for improving transparency by describing software components, dependencies, and their relationships. However, SBOMs built from metadata or filesystem artifacts fail to capture the components loaded and executed at runtime, especially in dynamic ecosystems such as Python. Moreover, generating runtime SBOMs through in"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.22827","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2606.22827/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2606.22827","created_at":"2026-06-23T02:14:00.516637+00:00"},{"alias_kind":"arxiv_version","alias_value":"2606.22827v1","created_at":"2026-06-23T02:14:00.516637+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.22827","created_at":"2026-06-23T02:14:00.516637+00:00"},{"alias_kind":"pith_short_12","alias_value":"5A7AA3XWNMFT","created_at":"2026-06-23T02:14:00.516637+00:00"},{"alias_kind":"pith_short_16","alias_value":"5A7AA3XWNMFT6XJE","created_at":"2026-06-23T02:14:00.516637+00:00"},{"alias_kind":"pith_short_8","alias_value":"5A7AA3XW","created_at":"2026-06-23T02:14:00.516637+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":1,"internal_anchor_count":1,"sample":[{"citing_arxiv_id":"2607.01136","citing_title":"Skills Are Not Islands: Measuring Dependency and Risk in Agent Skill Supply Chains","ref_index":47,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF","json":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF.json","graph_json":"https://pith.science/api/pith-number/5A7AA3XWNMFT6XJEW4APNHRNNF/graph.json","events_json":"https://pith.science/api/pith-number/5A7AA3XWNMFT6XJEW4APNHRNNF/events.json","paper":"https://pith.science/paper/5A7AA3XW"},"agent_actions":{"view_html":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF","download_json":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF.json","view_paper":"https://pith.science/paper/5A7AA3XW","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2606.22827&json=true","fetch_graph":"https://pith.science/api/pith-number/5A7AA3XWNMFT6XJEW4APNHRNNF/graph.json","fetch_events":"https://pith.science/api/pith-number/5A7AA3XWNMFT6XJEW4APNHRNNF/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/action/timestamp_anchor","attest_storage":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/action/storage_attestation","attest_author":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/action/author_attestation","sign_citation":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/action/citation_signature","submit_replication":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/action/replication_record"}},"created_at":"2026-06-23T02:14:00.516637+00:00","updated_at":"2026-06-23T02:14:00.516637+00:00"}