Supply chain security

The software supply chain encompasses all components, tools, processes, and people involved in producing and delivering software: source code, build tooling, CI/CD pipelines, third-party libraries, container base images, and distribution mechanisms. An attacker who compromises any element can inject malicious code into every downstream consumer.

Supply chain attacks are effective because they subvert the trust model organisations rely on. The four primary attack surfaces are:

1. Source code: direct compromise of a source repository via a malicious maintainer or a compromised developer account.
2. Build environment: compromising the CI/CD pipeline or build server to modify artefacts during compilation. SolarWinds 2020 is the canonical example.
3. Dependencies: publishing a malicious package to a public registry (dependency confusion, typosquatting) or compromising an existing popular package.
4. Distribution: compromising the update server, package registry, or CDN used to deliver software to end users.

The NIST SP 800-161r1 C-SCRM (Cyber Supply Chain Risk Management) framework provides a risk management structure for organisations to identify, assess, and respond to supply chain risks across all attack surfaces listed above. The 2021 US Executive Order 14028 on Improving the Nation's Cybersecurity mandated SBOM production for all software sold to the US federal government, directly in response to the SolarWinds incident.

A Software Bill of Materials (SBOM) is a machine-readable inventory of all components in a software artefact, including their versions, licences, and relationships. Two formats dominate:

SPDX 2.3 (Software Package Data Exchange), standardised as ISO/IEC 5962:2021 by the Linux Foundation, is optimised for licence compliance tracking. It is the format mandated by US Executive Order 14028 for software sold to the US federal government. SPDX 2.3 supports package metadata, licence expressions in SPDX-Licence-Expression format, file-level checksums, and relationship types (CONTAINS, DEPENDS_ON, GENERATED_FROM).

CycloneDX 1.5, maintained by OWASP, is optimised for vulnerability management and supply chain security workflows. CycloneDX 1.5 adds native VEX (Vulnerability Exploitability eXchange) support for communicating whether a known CVE is actually exploitable in a given context, service dependency mapping, component provenance evidence, and the ability to embed SAST, DAST, and composition analysis results.

Most organisations generate both formats using the open-source tool Syft (Anchore): SPDX 2.3 for regulatory compliance submission and CycloneDX 1.5 for internal vulnerability management workflows. Generating both from the same build pipeline adds minimal overhead.

SLSA (Supply chain Levels for Software Artefacts, pronounced "salsa") is a security framework published by Google in 2023 providing incrementally stronger guarantees about the provenance of software build artefacts. It defines four levels based on provenance verifiability and tamper-resistance:

• Build L0: no provenance document; no guarantee about how the artefact was produced.
• Build L1: the build generates a provenance document attesting how the artefact was built; not signed, so tamper-evident but not tamper-proof.
• Build L2: provenance is signed by the build service and the build runs on a hosted platform (such as GitHub Actions). An artefact cannot be produced with a valid provenance signature outside the known build platform.
• Build L3: hardened build platform where the build instructions (the workflow script) cannot access the signing key. Even a compromised build script cannot produce valid L3 provenance for a tampered artefact. This is the level at which the SolarWinds attack would have been detectable: the compromised build step could not have produced a valid L3 provenance for the trojanised DLL.

Most open-source projects operate at SLSA L0 or L1. GitHub Actions supports native SLSA provenance generation; projects adopting SLSA L2 via GitHub Actions achieve signed provenance at near-zero additional overhead.

Sigstore provides keyless code signing infrastructure. Rather than long-lived signing keys (which become targets for compromise), Sigstore issues short-lived certificates bound to an OIDC identity such as a GitHub Actions workflow. The three Sigstore components are: cosign (signs and verifies container images and artefacts), Rekor (an immutable transparency log recording all signatures), and Fulcio (the CA that issues short-lived OIDC-bound certificates). The Kubernetes project adopted cosign-based signing from version 1.24 for all official release images and binaries.

A transitive dependency is a dependency of a dependency: if application A depends on library B, and B depends on library C, then C is a transitive dependency of A. A vulnerability in C affects A even if A has no direct reference to C in its own dependency manifest. A typical Node.js application may have hundreds of direct dependencies and thousands of transitive ones.

Log4Shell (CVE-2021-44228, CVSS 10.0) demonstrated transitive dependency risk at scale: many organisations had no idea Log4j was in their Java stack because it arrived via three or four levels of transitive dependency through other frameworks. The vulnerability affected essentially every Java application that logged user-supplied input, regardless of whether the development team had consciously included Log4j.

SCA (Software Composition Analysis) tooling must be configured to resolve the full dependency graph, not only direct dependencies. Snyk and OWASP Dependency-Check analyse the full transitive tree by default, but some teams configure them to scan only the top-level manifest, missing the majority of the attack surface. Dependency minimisation is an additional control: audit dependencies periodically for necessity, maintenance status, and community trust.