Analyzing Challenges in Deployment of the SLSA Framework for Software Supply Chain Security

Mahzabin Tamanna, Sivana Hamer, Mindy Tran, Sascha Fahl, Yasemin Acar, Laurie Williams
2024-12-05
Abstract: In 2023, Sonatype reported a 200% increase in software supply chain attacks, including major build infrastructure attacks. To secure the software supply chain, practitioners can follow security framework guidance like the Supply-chain Levels for Software Artifacts (SLSA). However, recent surveys and industry summits have shown that despite growing interest, the adoption of SLSA is not widespread. To understand adoption challenges, *the goal of this study is to aid framework authors and practitioners in improving the adoption and development of Supply-Chain Levels for Software Artifacts (SLSA) through a qualitative study of SLSA-related issues on GitHub*. We analyzed 1,523 SLSA-related issues extracted from 233 GitHub repositories. We conducted a topic-guided thematic analysis, leveraging the Latent Dirichlet Allocation (LDA) unsupervised machine learning algorithm, to explore the challenges of adopting SLSA and the strategies for overcoming these challenges. We identified four significant challenges and five suggested adoption strategies. The two main challenges reported are complex implementation and unclear communication, highlighting the difficulties in implementing and understanding the SLSA process across diverse ecosystems. The suggested strategies include streamlining provenance generation processes, improving the SLSA verification process, and providing specific and detailed documentation. Our findings indicate that some strategies can help mitigate multiple challenges, and some challenges need future research and tool enhancement.
Computational Engineering, Finance, and Science; Software Engineering
### What problem does this paper attempt to address?

This paper aims to help framework authors and practitioners improve the adoption and development of the SLSA (Supply-chain Levels for Software Artifacts) framework by analyzing issues related to the SLSA framework on GitHub. Specifically, the paper focuses on the following two research questions:

1. **RQ1: What challenges do practitioners encounter when deploying SLSA?**
2. **RQ2: What strategies do software practitioners recommend to increase the adoption of SLSA?**

#### Background Information

With the increase in software supply-chain attacks, ensuring the security of the software supply chain has become crucial. The SLSA framework aims to improve the integrity and security of software artifacts throughout the software supply chain. However, despite the growing interest in SLSA, its actual adoption rate is not high. To understand this phenomenon and promote the widespread application of SLSA, the authors conducted this study.

#### Main Challenges

Through the analysis of 1,523 SLSA-related issues, the authors identified four main challenges:

1. **Complex Implementation (CI)**
   - **Complicated Provenance Generation**: Practitioners have difficulty generating provenance for higher-level SLSA compliance. For example, the blocking nature and inefficiency of the check-validator pre-commit task can affect the speed and flexibility of the CI/CD pipeline.
   - **Intricate Maintenance**: The specifications of the tools required to maintain SLSA are very complex. Running the `slsa-github-generator` and `slsa-github-verifier` tools can lead to various obstacles, such as incompatibility, silent messages, runtime errors, etc.
2. **Unclear Communication (UC)**
   - **Unclear Definitions**: Many practitioners are concerned about the lack of clear definitions of SLSA-related terms, such as "provenance" and "attestation", which leads to ambiguity and inaccuracy in the documentation.
   - **Unclear Documentation**: Practitioners encounter a lack of explanations and guidelines when understanding and applying SLSA to their own ecosystems. There are problems of inconsistency and disorganization in the documentation.
3. **Limited Feasibility (LF)**
   - **Limited Attestation Verification**: Although provenance is the core of SLSA, during the verification process, practitioners are confused about how to automate verification and communicate verification data.
   - **Two-party Review Requirements**: Some projects have difficulty meeting SLSA's two-party review requirements.
4. **Unclear Relevance (UR)**
   - Practitioners are uncertain about the relevance of SLSA in specific projects or environments, especially in the case of multi-track integration.

#### Solution Strategies

In response to the above challenges, practitioners proposed five strategies:

1. **Streamline Provenance Generation Processes**: Reduce confusion by standardizing the generation process to ensure data integrity and reliability.
2. **Improve the SLSA Verification Process**: Provide clearer guidance and simplify the use of verification tools.
3. **Provide Specific and Detailed Documentation**: Include examples, FAQs, and best practices.
4. **Strengthen Training**
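The "Limited Attestation Verification" challenge and the "Improve the SLSA Verification Process" strategy both concern automating the consumer-side check of a provenance attestation. As an added example (not code from the paper or from the SLSA project), the Python below encodes that policy check against a constructed SLSA v1.0 provenance statement; the artifact bytes, the trusted-builder prefix, the expected source URI and every other sample value are assumptions.

```python
import hashlib

# Constructed sample: a SLSA v1.0 provenance statement shaped like the one
# slsa-github-generator emits. Every value is illustrative, not from a real build.
ARTIFACT = b"constructed release archive bytes\n"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-1.0.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [{
            "uri": "git+https://github.com/example-org/app@refs/tags/v1.0.0",
            "digest": {"gitCommit": "a" * 40}}]},
        "runDetails": {"builder": {"id": (
            "https://github.com/slsa-framework/slsa-github-generator/"
            ".github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0")}},
    },
}

# Policy inputs a consuming project would pin (assumed values).
TRUSTED_BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"
EXPECTED_SOURCE = "git+https://github.com/example-org/app@"

def verify_provenance(statement, artifact,
                      trusted_builder_prefix=TRUSTED_BUILDER_PREFIX,
                      expected_source=EXPECTED_SOURCE):
    """Return the list of policy failures; an empty list means the artifact passes.
    Assumes the DSSE envelope signature was already verified (slsa-verifier does
    that step); this function encodes only the consumer-side policy decision."""
    failures = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicateType")
    # 1. Bind the provenance to the bytes actually downloaded.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        failures.append("subject digest does not match artifact")
    predicate = statement.get("predicate", {})
    # 2. Accept only a builder identity the project has chosen to trust.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder_id.startswith(trusted_builder_prefix):
        failures.append("untrusted builder: " + (builder_id or "<missing>"))
    # 3. The build must have consumed the expected source repository.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(expected_source) for d in deps):
        failures.append("source repository does not match policy")
    return failures
```

Each failure string is a concrete reason the consumer can log or surface, which is the "communicate verification data" part of the challenge; a release gate would refuse the artifact whenever the list is non-empty.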