{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:5A7AA3XWNMFT6XJEW4APNHRNNF","short_pith_number":"pith:5A7AA3XW","canonical_record":{"source":{"id":"2606.22827","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","primary_cat":"cs.CR","submitted_at":"2026-06-22T04:08:26Z","cross_cats_sorted":["cs.SE"],"title_canon_sha256":"3a94babba95a04a24e7af161a7f60ce8de000b6cd4e7e2aad22891b1077fce35","abstract_canon_sha256":"a2e14ea17fdc3427ddeaa573a786ba4161d45111ec2bfacc3c4b998901660cdc"},"schema_version":"1.0"},"canonical_sha256":"e83e006ef66b0b3f5d24b700f69e2d695515938e2e003fca46c98b7f403135b2","source":{"kind":"arxiv","id":"2606.22827","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2606.22827","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"arxiv_version","alias_value":"2606.22827v1","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.22827","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"pith_short_12","alias_value":"5A7AA3XWNMFT","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"pith_short_16","alias_value":"5A7AA3XWNMFT6XJE","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"pith_short_8","alias_value":"5A7AA3XW","created_at":"2026-06-23T02:14:00Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:5A7AA3XWNMFT6XJEW4APNHRNNF","target":"record","payload":{"canonical_record":{"source":{"id":"2606.22827","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","primary_cat":"cs.CR","submitted_at":"2026-06-22T04:08:26Z","cross_cats_sorted":["cs.SE"],"title_canon_sha256":"3a94babba95a04a24e7af161a7f60ce8de000b6cd4e7e2aad22891b1077fce35","abstract_canon_sha256":"a2e14ea17fdc3427ddeaa573a786ba4161d45111ec2bfacc3c4b998901660cdc"},"schema_version":"1.0"},"canonical_sha256":"e83e006ef66b0b3f5d24b700f69e2d695515938e2e003fca46c98b7f403135b2","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-06-23T02:14:00.517031Z","signature_b64":"rjkszzPGtmYMkdXbEZgDpphowIneJ9Wu0O99mDcvoUAOvz28LS8L0AVwqDUJI8IZ3IbArcMd/7h4Sa37DwT5Ag==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"e83e006ef66b0b3f5d24b700f69e2d695515938e2e003fca46c98b7f403135b2","last_reissued_at":"2026-06-23T02:14:00.516578Z","signature_status":"signed_v1","first_computed_at":"2026-06-23T02:14:00.516578Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2606.22827","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-06-23T02:14:00Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"DHQmIQ/ZjOiOxTI6VKikrOZGyT/4Satfkmo4oFfjquVcm3qG0tZVAPjTgm/Y/VwYknNMLNfykav9EbpbMzvMDg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-07-02T22:50:41.931045Z"},"content_sha256":"edf20472fa221b46dbc5218c64f8a57d2e1155caabd279a5815aaae9d35d04c1","schema_version":"1.0","event_id":"sha256:edf20472fa221b46dbc5218c64f8a57d2e1155caabd279a5815aaae9d35d04c1"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:5A7AA3XWNMFT6XJEW4APNHRNNF","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"What You See Is Not What You Execute: Memory-Based Runtime SBOM Generation for Supply Chain Security","license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","headline":"","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Andrew Case, Hala Alia, Irfan Ahmed","submitted_at":"2026-06-22T04:08:26Z","abstract_excerpt":"Modern software development relies heavily on third-party components from public repositories, expanding the software supply chain attack surface. In response to these growing risks, federal initiatives have advanced the Software Bill of Materials (SBOM) as a standardized mechanism for improving transparency by describing software components, dependencies, and their relationships. However, SBOMs built from metadata or filesystem artifacts fail to capture the components loaded and executed at runtime, especially in dynamic ecosystems such as Python. Moreover, generating runtime SBOMs through in"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.22827","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2606.22827/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-06-23T02:14:00Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"24wkHo+ONfTHqrzxD7khcx6aSGZvZDE64lflagdXJ/0wbQyWh3x74ftdqP06/3PN3LT1wsy5PrJGe/Cx32+fCA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-07-02T22:50:41.931431Z"},"content_sha256":"5df08e373e59a9f616b27e5f2de87611150178da61d30854f7d4a0c5682a9e09","schema_version":"1.0","event_id":"sha256:5df08e373e59a9f616b27e5f2de87611150178da61d30854f7d4a0c5682a9e09"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/bundle.json","state_url":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-07-02T22:50:41Z","links":{"resolver":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF","bundle":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/bundle.json","state":"https://pith.science/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/state.json","well_known_bundle":"https://pith.science/.well-known/pith/5A7AA3XWNMFT6XJEW4APNHRNNF/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:5A7AA3XWNMFT6XJEW4APNHRNNF","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"a2e14ea17fdc3427ddeaa573a786ba4161d45111ec2bfacc3c4b998901660cdc","cross_cats_sorted":["cs.SE"],"license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","primary_cat":"cs.CR","submitted_at":"2026-06-22T04:08:26Z","title_canon_sha256":"3a94babba95a04a24e7af161a7f60ce8de000b6cd4e7e2aad22891b1077fce35"},"schema_version":"1.0","source":{"id":"2606.22827","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2606.22827","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"arxiv_version","alias_value":"2606.22827v1","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.22827","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"pith_short_12","alias_value":"5A7AA3XWNMFT","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"pith_short_16","alias_value":"5A7AA3XWNMFT6XJE","created_at":"2026-06-23T02:14:00Z"},{"alias_kind":"pith_short_8","alias_value":"5A7AA3XW","created_at":"2026-06-23T02:14:00Z"}],"graph_snapshots":[{"event_id":"sha256:5df08e373e59a9f616b27e5f2de87611150178da61d30854f7d4a0c5682a9e09","target":"graph","created_at":"2026-06-23T02:14:00Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2606.22827/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Modern software development relies heavily on third-party components from public repositories, expanding the software supply chain attack surface. In response to these growing risks, federal initiatives have advanced the Software Bill of Materials (SBOM) as a standardized mechanism for improving transparency by describing software components, dependencies, and their relationships. However, SBOMs built from metadata or filesystem artifacts fail to capture the components loaded and executed at runtime, especially in dynamic ecosystems such as Python. Moreover, generating runtime SBOMs through in","authors_text":"Andrew Case, Hala Alia, Irfan Ahmed","cross_cats":["cs.SE"],"headline":"","license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","primary_cat":"cs.CR","submitted_at":"2026-06-22T04:08:26Z","title":"What You See Is Not What You Execute: Memory-Based Runtime SBOM Generation for Supply Chain Security"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.22827","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:edf20472fa221b46dbc5218c64f8a57d2e1155caabd279a5815aaae9d35d04c1","target":"record","created_at":"2026-06-23T02:14:00Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"a2e14ea17fdc3427ddeaa573a786ba4161d45111ec2bfacc3c4b998901660cdc","cross_cats_sorted":["cs.SE"],"license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","primary_cat":"cs.CR","submitted_at":"2026-06-22T04:08:26Z","title_canon_sha256":"3a94babba95a04a24e7af161a7f60ce8de000b6cd4e7e2aad22891b1077fce35"},"schema_version":"1.0","source":{"id":"2606.22827","kind":"arxiv","version":1}},"canonical_sha256":"e83e006ef66b0b3f5d24b700f69e2d695515938e2e003fca46c98b7f403135b2","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"e83e006ef66b0b3f5d24b700f69e2d695515938e2e003fca46c98b7f403135b2","first_computed_at":"2026-06-23T02:14:00.516578Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-06-23T02:14:00.516578Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"rjkszzPGtmYMkdXbEZgDpphowIneJ9Wu0O99mDcvoUAOvz28LS8L0AVwqDUJI8IZ3IbArcMd/7h4Sa37DwT5Ag==","signature_status":"signed_v1","signed_at":"2026-06-23T02:14:00.517031Z","signed_message":"canonical_sha256_bytes"},"source_id":"2606.22827","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:edf20472fa221b46dbc5218c64f8a57d2e1155caabd279a5815aaae9d35d04c1","sha256:5df08e373e59a9f616b27e5f2de87611150178da61d30854f7d4a0c5682a9e09"],"state_sha256":"d419e04d37bf19f59c9b9f01eb63560ef9372ef62c8fc633a63ad6db45cb0ae8"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"PqLmQcYIij1Yjkuf8Y61t7CsDfSIH9AaDGmqLUABGv/ToUYeBr1d42JLZd+zTxxSZP6LFY+khF3BvwHpPjzgAA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-07-02T22:50:41.933431Z","bundle_sha256":"56b7958be0a2c44a647b6cfd2c59c1e6c5794ef528815eb104f537d6b460c7ef"}}