The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. With such high usage, and because of the heterogeneity of FOSS tools, repositories, developers and ecosystems, the complexity of managing software development has also increased. This has amplified both the attack surface available to malicious actors and the difficulty of ensuring that software products are free from threats. The rise in security incidents involving high-profile attacks is evidence that much remains to be done to safeguard software products and the FOSS supply chain. Software Composition Analysis (SCA) tools and the study of attack trees help improve security; however, they still lack the ability to comprehensively address how interactions within the software supply chain affect security. This work presents a novel approach to assessing threat levels in FOSS supply chains with the log model. The model provides information capture and threat propagation analysis that account not only for security risks caused by attacks and by the use of vulnerable software, but also for how those risks interact with the other elements of the supply chain to affect the threat level of any element in the model.
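The distinction the abstract draws, between what a per-component SCA report flags and what a propagation analysis over the dependency graph reveals, can be illustrated with a small script. The following is an added example and is not the paper's log model; it uses a deliberately simple rule (a dependent inherits a decayed share of the worst threat among its dependencies) and a constructed dependency graph with constructed intrinsic threat scores, so that the effect of a vulnerable transitive dependency on its dependents is visible.

```python
"""Illustrative threat propagation over a FOSS dependency graph.

Added example: a simplified stand-in for the kind of analysis the abstract
describes, NOT the paper's log model. The dependency graph, the intrinsic
threat scores and the DECAY factor are all constructed for this example.
"""
from collections import defaultdict

# Constructed dependency graph: component -> components it depends on.
DEPS = {
    "app": ["web-framework", "auth-lib"],
    "web-framework": ["template-engine", "http-parser"],
    "auth-lib": ["crypto-lib"],
    "template-engine": [],
    "http-parser": [],
    "crypto-lib": [],
}

# Constructed intrinsic threat per component in [0, 1], e.g. a known
# vulnerable version, an unmaintained repository, or a compromised account.
INTRINSIC = {
    "app": 0.0,
    "web-framework": 0.1,
    "auth-lib": 0.0,
    "template-engine": 0.0,
    "http-parser": 0.8,   # e.g. a published vulnerability in this version
    "crypto-lib": 0.2,
}

# Assumed: fraction of a dependency's threat that a dependent inherits.
DECAY = 0.7


def sca_view(intrinsic):
    """What a per-component SCA report flags: intrinsic threat only.

    `app` declares no vulnerable component itself, so it scores 0.0 here
    even though it transitively ships the vulnerable http-parser.
    """
    return dict(intrinsic)


def propagate(deps, intrinsic, decay=DECAY):
    """Threat level of each component including inherited threat.

    level(c) = max(intrinsic[c], decay * max(level(d) for d in deps[c]))
    A resolved dependency tree should be acyclic; a cycle raises ValueError.
    """
    levels = {}
    visiting = set()

    def level(c):
        if c in levels:
            return levels[c]
        if c in visiting:
            raise ValueError(f"dependency cycle through {c}")
        visiting.add(c)
        inherited = max((decay * level(d) for d in deps.get(c, [])), default=0.0)
        levels[c] = max(intrinsic.get(c, 0.0), inherited)
        visiting.remove(c)
        return levels[c]

    for c in deps:
        level(c)
    return levels


def blast_radius(deps, component):
    """Components whose threat level depends, transitively, on `component`.

    This is the set an incident responder would re-assess if `component`
    were found compromised (e.g. a hijacked maintainer account).
    """
    reverse = defaultdict(list)
    for parent, children in deps.items():
        for child in children:
            reverse[child].append(parent)
    seen, stack = set(), [component]
    while stack:
        c = stack.pop()
        for p in reverse[c]:
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


if __name__ == "__main__":
    flagged = sca_view(INTRINSIC)
    levels = propagate(DEPS, INTRINSIC)
    for c in DEPS:
        print(f"{c:16} SCA={flagged[c]:.2f}  propagated={levels[c]:.2f}")
    print("blast radius of http-parser:", sorted(blast_radius(DEPS, "http-parser")))
```

In the constructed graph, `app` has no intrinsic finding, so an SCA view scores it 0.0, while propagation assigns it 0.7 × 0.7 × 0.8 ≈ 0.39 through `web-framework` and `http-parser`; the blast radius of `http-parser` is exactly the set of components whose score rises because of it. The decay rule itself is an assumption chosen for readability, not a claim about how the log model weighs interactions.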