With the rapid rise in Software Supply Chain (SSC) attacks, organisations need thorough and trustworthy visibility over the entire SSC of their software inventory to detect risks early and to identify compromised assets rapidly in the event of an SSC attack. One way to achieve such visibility is through SSC metadata: machine-readable, authenticated documents describing an artefact's lifecycle. Adopting SSC metadata requires organisations to procure or develop a Software Supply Chain Metadata Management system (SCM2), a suite of software tools for performing the lifecycle activities of SSC metadata documents, such as creation, signing, distribution, and consumption. Selecting or developing an SCM2 is challenging because no comprehensive domain model and architectural blueprint exists to help practitioners navigate the vast design space of SSC metadata terminologies, frameworks, and solutions. This paper addresses that challenge by presenting an empirically grounded Reference Architecture (RA) comprising a domain model and an architectural blueprint for SCM2 systems. The proposed RA is constructed systematically on an empirical foundation built from industry-driven and peer-reviewed SSC security frameworks. Our theoretical evaluation, an architectural mapping of five prominent SSC security tools onto the RA, supports its validity and applicability, affirming the proposed RA as an effective framework for analysing existing SCM2 solutions and for guiding the engineering of new SCM2 systems.