Toward a Reference Architecture for Software Supply Chain Metadata Management

An Software Supply Chain (SSC) attack combines an upstream attack, where malicious codes are injected into a software artefact via a compromised life cycle activity, and a downstream attack on the consumers who use the compromised artefact. Organisations need thorough and trustworthy visibility over the entire SSC of their software inventory to detect risks early and rapidly identify compromised assets in the event of an SSC attack. One way to achieve such visibility is through SSC metadata, machine-readable and authenticated documents describing an artefact's lifecycle, such as how it was constructed and the utilised ``ingredients''. Adopting SSC metadata requires organisations to procure or develop a Software Supply Chain Metadata Management system (SCM2), a suite of software tools for performing life cycle activities of SSC metadata documents such as creation, signing, distribution, and consumption. Selecting or developing an SCM2 is challenging due to the lack of a comprehensive domain model and architectural blueprint to aid practitioners in navigating the vast design space of SSC metadata terminologies, frameworks, and solutions. This paper addresses the above-mentioned challenge with a Systematisation of Knowledge about SSC metadata and SCM2, presented as a Reference Architecture (RA). The RA comprises a domain model and an architectural blueprint for SCM2 systems, constructed from the concepts and building blocks scattered across existing SSC security frameworks and standards. Our evaluation shows that the RA framework is effective for analysing existing SCM2 solutions and guiding the engineering of new SCM2.