This chapter explores integrating software bills of materials (SBoMs) with distributed ledger technologies (DLTs) for forensic investigation, traceability, and securing the software development lifecycle. We explain how SBoMs improve transparency into software composition and how distributed ledgers immutably record provenance. Our forensics framework leverages smart contracts to log commit metadata, component updates, and SBoM differences over time. This enables investigators to detect unauthorized changes, reconstruct modification histories, and verify integrity with chain-of-custody guarantees. Through a case study using Conan packages, Git, and Hyperledger Fabric, we demonstrate how to trace dependency changes and detect edits. Finally, we discuss how our framework remains effective even in AI-assisted development environments, helping analysts trace AI-generated code and investigate emerging supply chain threats such as vibe coding and automated injection attacks.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Supply Chain Forensic with Distributed Ledger Technologies and Software Bill of Materials

  • Iwinosa Aideyan,
  • Mert D. Pesé,
  • Richard Brooks

摘要

This chapter explores integrating software bills of materials (SBoMs) with distributed ledger technologies (DLTs) for forensic investigation, traceability, and securing the software development lifecycle. We explain how SBoMs improve transparency into software composition and how distributed ledgers immutably record provenance. Our forensics framework leverages smart contracts to log commit metadata, component updates, and SBoM differences over time. This enables investigators to detect unauthorized changes, reconstruct modification histories, and verify integrity with chain-of-custody guarantees. Through a case study using Conan packages, Git, and Hyperledger Fabric, we demonstrate how to trace dependency changes and detect edits. Finally, we discuss how our framework remains effective even in AI-assisted development environments, helping analysts trace AI-generated code and investigate emerging supply chain threats such as vibe coding and automated injection attacks.