{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:CE3Q3D7V4TM5A4PZEU7XXAYSIA","short_pith_number":"pith:CE3Q3D7V","canonical_record":{"source":{"id":"2606.02442","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-06-01T16:12:26Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"2cba15ef9bb4706746d88b70584d1bbafc2b1771cf1a2944f7fc416f55485953","abstract_canon_sha256":"655d8f155bfcd73fd33fca10570b28b806cff8331eb1ee9edce8aac3da81529f"},"schema_version":"1.0"},"canonical_sha256":"11370d8ff5e4d9d071f9253f7b83124032de99667de88d7c4c1c082970b5f3b9","source":{"kind":"arxiv","id":"2606.02442","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2606.02442","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"arxiv_version","alias_value":"2606.02442v1","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.02442","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"pith_short_12","alias_value":"CE3Q3D7V4TM5","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"pith_short_16","alias_value":"CE3Q3D7V4TM5A4PZ","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"pith_short_8","alias_value":"CE3Q3D7V","created_at":"2026-06-02T03:05:06Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:CE3Q3D7V4TM5A4PZEU7XXAYSIA","target":"record","payload":{"canonical_record":{"source":{"id":"2606.02442","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-06-01T16:12:26Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"2cba15ef9bb4706746d88b70584d1bbafc2b1771cf1a2944f7fc416f55485953","abstract_canon_sha256":"655d8f155bfcd73fd33fca10570b28b806cff8331eb1ee9edce8aac3da81529f"},"schema_version":"1.0"},"canonical_sha256":"11370d8ff5e4d9d071f9253f7b83124032de99667de88d7c4c1c082970b5f3b9","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-06-02T03:05:06.330678Z","signature_b64":"6F/5oMxxtsZHmxPxKbhMC+IT2VsSJQ//25AFyNdr9RvoPSPcpPkVLUZ9lg4gn1ObeESWFj6R1wQP46jxFn55Dw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"11370d8ff5e4d9d071f9253f7b83124032de99667de88d7c4c1c082970b5f3b9","last_reissued_at":"2026-06-02T03:05:06.330129Z","signature_status":"signed_v1","first_computed_at":"2026-06-02T03:05:06.330129Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2606.02442","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-06-02T03:05:06Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"/by4rvFtPvjyDY0wbshwsh9aqYqToUCMP+OSCUNeLlIykkKJEB9yUA3Kj+wM5MjgqjI54F09+cL3O3xqZIHSAg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-11T02:03:09.660370Z"},"content_sha256":"6f9133aad97b11e8086fc9c7bee83acc020db4e338caa5eabbd5c17de6d5adec","schema_version":"1.0","event_id":"sha256:6f9133aad97b11e8086fc9c7bee83acc020db4e338caa5eabbd5c17de6d5adec"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:CE3Q3D7V4TM5A4PZEU7XXAYSIA","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Poking Around in the Dark: Why a Shared Understanding of Components Matters","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.CR"],"primary_cat":"cs.SE","authors_text":"Alena Naiakshina, Felix Reichmann, Martin Johns, Simon Koch, Wolfgang Krane","submitted_at":"2026-06-01T16:12:26Z","abstract_excerpt":"By listing the components included in an application, Software Bills of Materials (SBOMs) are intended to support the timely identification of vulnerable components and ensure the security of the software supply chain. However, we question the underlying assumption that there is agreement on the components to be listed in an SBOM and that current technology is sufficient to secure the software supply chain.\n  First, we propose a ground-up analysis of Component Inclusion Mechanisms (CIM) in the software's development lifecycle. Then we systematically analyze the four popular SBOM generation too"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.02442","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2606.02442/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-06-02T03:05:06Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"C+S09BokRXIx1qEvtb8khD+EojkKUrUqB7ERcbXu4PuoPtRes/3yoyX7HvLpsaYl3DX7dtJf75eboq+LbyU/DQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-11T02:03:09.661516Z"},"content_sha256":"0ea83944489a8df1de94631f367ee1db0392d5f3e870736946cf82534200cef6","schema_version":"1.0","event_id":"sha256:0ea83944489a8df1de94631f367ee1db0392d5f3e870736946cf82534200cef6"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/CE3Q3D7V4TM5A4PZEU7XXAYSIA/bundle.json","state_url":"https://pith.science/pith/CE3Q3D7V4TM5A4PZEU7XXAYSIA/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/CE3Q3D7V4TM5A4PZEU7XXAYSIA/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-11T02:03:09Z","links":{"resolver":"https://pith.science/pith/CE3Q3D7V4TM5A4PZEU7XXAYSIA","bundle":"https://pith.science/pith/CE3Q3D7V4TM5A4PZEU7XXAYSIA/bundle.json","state":"https://pith.science/pith/CE3Q3D7V4TM5A4PZEU7XXAYSIA/state.json","well_known_bundle":"https://pith.science/.well-known/pith/CE3Q3D7V4TM5A4PZEU7XXAYSIA/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:CE3Q3D7V4TM5A4PZEU7XXAYSIA","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"655d8f155bfcd73fd33fca10570b28b806cff8331eb1ee9edce8aac3da81529f","cross_cats_sorted":["cs.CR"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-06-01T16:12:26Z","title_canon_sha256":"2cba15ef9bb4706746d88b70584d1bbafc2b1771cf1a2944f7fc416f55485953"},"schema_version":"1.0","source":{"id":"2606.02442","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2606.02442","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"arxiv_version","alias_value":"2606.02442v1","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.02442","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"pith_short_12","alias_value":"CE3Q3D7V4TM5","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"pith_short_16","alias_value":"CE3Q3D7V4TM5A4PZ","created_at":"2026-06-02T03:05:06Z"},{"alias_kind":"pith_short_8","alias_value":"CE3Q3D7V","created_at":"2026-06-02T03:05:06Z"}],"graph_snapshots":[{"event_id":"sha256:0ea83944489a8df1de94631f367ee1db0392d5f3e870736946cf82534200cef6","target":"graph","created_at":"2026-06-02T03:05:06Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2606.02442/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"By listing the components included in an application, Software Bills of Materials (SBOMs) are intended to support the timely identification of vulnerable components and ensure the security of the software supply chain. However, we question the underlying assumption that there is agreement on the components to be listed in an SBOM and that current technology is sufficient to secure the software supply chain.\n  First, we propose a ground-up analysis of Component Inclusion Mechanisms (CIM) in the software's development lifecycle. Then we systematically analyze the four popular SBOM generation too","authors_text":"Alena Naiakshina, Felix Reichmann, Martin Johns, Simon Koch, Wolfgang Krane","cross_cats":["cs.CR"],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-06-01T16:12:26Z","title":"Poking Around in the Dark: Why a Shared Understanding of Components Matters"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.02442","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:6f9133aad97b11e8086fc9c7bee83acc020db4e338caa5eabbd5c17de6d5adec","target":"record","created_at":"2026-06-02T03:05:06Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"655d8f155bfcd73fd33fca10570b28b806cff8331eb1ee9edce8aac3da81529f","cross_cats_sorted":["cs.CR"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2026-06-01T16:12:26Z","title_canon_sha256":"2cba15ef9bb4706746d88b70584d1bbafc2b1771cf1a2944f7fc416f55485953"},"schema_version":"1.0","source":{"id":"2606.02442","kind":"arxiv","version":1}},"canonical_sha256":"11370d8ff5e4d9d071f9253f7b83124032de99667de88d7c4c1c082970b5f3b9","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"11370d8ff5e4d9d071f9253f7b83124032de99667de88d7c4c1c082970b5f3b9","first_computed_at":"2026-06-02T03:05:06.330129Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-06-02T03:05:06.330129Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"6F/5oMxxtsZHmxPxKbhMC+IT2VsSJQ//25AFyNdr9RvoPSPcpPkVLUZ9lg4gn1ObeESWFj6R1wQP46jxFn55Dw==","signature_status":"signed_v1","signed_at":"2026-06-02T03:05:06.330678Z","signed_message":"canonical_sha256_bytes"},"source_id":"2606.02442","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:6f9133aad97b11e8086fc9c7bee83acc020db4e338caa5eabbd5c17de6d5adec","sha256:0ea83944489a8df1de94631f367ee1db0392d5f3e870736946cf82534200cef6"],"state_sha256":"df18124d74d07a6e186a83b89f76f3ef1445fd32233b18c6e21e1ec610eac894"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"H+AcGXEVfHlaw2nj8iwTyMneB6LP0C8u4Nq1coPsPxJAf5AnszLpf6LoPsTa1Lw4Edi0C2ogEWvrZWq/7vh9Ag==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-11T02:03:09.665247Z","bundle_sha256":"857655c27b87c4634b12405c1a41613c7e307ae0fa109dcb94fe45b08651de0b"}}