KTH Publications (DiVA record)
Dirty-Waters: Detecting Software Supply Chain Smells
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS.ORCID iD: 0000-0003-3116-3278
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS.ORCID iD: 0000-0002-4015-4640
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS.ORCID iD: 0000-0003-3505-3383
2025 (English). In: FSE Companion 2025 - Companion Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering, Association for Computing Machinery (ACM), 2025, p. 1045-1049. Conference paper, Published paper (Refereed)
Abstract [en]

Using open-source dependencies is essential in modern software development. However, this practice implies significant trust in third-party code, while developers have little support for assessing whether that trust is warranted. As a consequence, software supply chain attacks, which reach a project through its third-party dependencies, have become increasingly common. In this paper, we target projects that use dependencies whose developers are unaware of the risks posed by their software supply chain. We define the novel concept of a software supply chain smell and present Dirty-Waters, a novel tool for detecting such smells. We evaluate Dirty-Waters on three JavaScript projects and demonstrate the prevalence of all proposed software supply chain smells. Dirty-Waters reveals potential risks from previously invisible problems and gives developers clear indicators to act on the security of their supply chain. A video demonstrating Dirty-Waters is available at: http://l.4open.science/dirty-waters-demo.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2025. p. 1045-1049
Keywords [en]
Open Source, Software Security, Software Supply Chain
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:kth:diva-370310
DOI: 10.1145/3696630.3728578
Scopus ID: 2-s2.0-105013963801
OAI: oai:DiVA.org:kth-370310
DiVA id: diva2:2000817
Conference
33rd ACM International Conference on the Foundations of Software Engineering, FSE Companion 2025, Trondheim, Norway, Jun 23 2025 - Jun 27 2025
Note

Part of ISBN 9798400712760

QC 20250925

Available from: 2025-09-25. Created: 2025-09-25. Last updated: 2025-09-25. Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text
Scopus

Authority records

Bobadilla, Sofia; Baudry, Benoit; Monperrus, Martin

Authors/editors
Liu, Raphina; Bobadilla, Sofia; Baudry, Benoit; Monperrus, Martin
Organisation
KTH, Theoretical Computer Science, TCS
