⚡ Lightning Talk: Software Dark Matter is the Enemy of Software Transparency - Santiago Torres

Authors: Santiago Torres-Arias


Summary

Software dark matter is a hindrance to achieving software transparency and creating accurate and complete software bills of materials (SBOMs).
  • SBOMs provide the data layer that will allow software producers and consumers to achieve software transparency.
  • Software dark matter consists of files that are not registered by a package manager and are therefore effectively invisible to many software composition analysis tools and vulnerability scanners.
  • The typical container is 60 percent dark matter.
  • The goal is to understand how dark files appear and what the consequences are for software supply chain security and transparency.
  • We must measure and reduce the dark files by taking steps to better communicate software's blockchain information.
The speaker used the metaphor of dark matter in the universe to explain the concept of dark files in software. Just as dark matter exists in the universe but cannot be seen, dark files exist in software but are not tracked by package managers and do not carry provenance information. This lack of information makes it difficult to produce accurate and complete SBOMs, which are essential for achieving software transparency and ensuring software supply chain security.

Abstract

Software transparency has become the north star for many interested in software supply chain security. For instance, advocates of software bills of materials (SBOMs) believe that SBOMs provide the data layer that will allow software producers and consumers to achieve software transparency. But there is an unrecognized impediment to achieving software transparency and to creating accurate and complete SBOMs: software dark matter. Software dark matter consists of files that are not registered by a package manager and are therefore effectively invisible to many software composition analysis tools and vulnerability scanners. This software dark matter reduces the utility of security tools and complicates the quest for software transparency. To understand the magnitude of the software dark matter problem, this project analyzed 350 popular Docker Hub images, quantifying the software dark matter percentage. The average popular container is approximately 30 percent dark matter. Using an average weighted by the number of files, the typical container is 60 percent dark matter. The talk finishes with a call to avoid software dark matter in container images.
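To make the measurement concrete, here is an added example (my own code, not the speaker's tooling) that flags files no package owns and computes both the per-image average and the file-count-weighted average that the abstract distinguishes. It assumes Debian-style dpkg file lists (`/var/lib/dpkg/info/<pkg>.list`) and uses constructed sample data so it runs offline.

```python
"""Measure "software dark matter": files in an image that no package manager
owns.  Added example, not the speaker's tooling.  Assumes Debian-style dpkg
metadata and constructed sample data; a real scan would walk the filesystem."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Set

# Constructed sample: dpkg's per-package file lists (one path per line).
DPKG_LISTS: Dict[str, str] = {
    "libc6.list": "/.\n/lib\n/lib/x86_64-linux-gnu\n/lib/x86_64-linux-gnu/libc.so.6\n",
    "curl.list": "/usr\n/usr/bin\n/usr/bin/curl\n",
}

# Constructed sample: regular files found in the image layers.
IMAGE_FILES: List[str] = [
    "/lib/x86_64-linux-gnu/libc.so.6",   # owned by libc6
    "/usr/bin/curl",                     # owned by curl
    "/app/server",                       # hand-copied binary: dark
    "/app/vendor/jquery.js",             # vendored JS: dark
    "/usr/local/lib/python3.11/site-packages/requests/__init__.py",  # pip, not dpkg: dark
]

def registered_files(dpkg_lists: Dict[str, str]) -> Set[str]:
    """Every path some installed package claims (directories included)."""
    owned: Set[str] = set()
    for content in dpkg_lists.values():
        owned.update(p.strip() for p in content.splitlines() if p.strip() and p.strip() != "/.")
    return owned

@dataclass
class DarkMatterReport:
    total: int           # files examined
    dark: List[str]      # files no package owns
    @property
    def percent(self) -> float:
        return 100.0 * len(self.dark) / self.total if self.total else 0.0

def dark_matter(image_files: Iterable[str], owned: Set[str]) -> DarkMatterReport:
    """Files not claimed by any package are dark: SCA tools that rely on package
    metadata will never attribute them to a component or a vulnerability."""
    files = list(image_files)
    return DarkMatterReport(total=len(files), dark=sorted(f for f in files if f not in owned))

def mean_percent(reports: Sequence[DarkMatterReport]) -> float:
    """Unweighted average: every image counts once (the method behind the 30% figure)."""
    return sum(r.percent for r in reports) / len(reports)

def weighted_percent(reports: Sequence[DarkMatterReport]) -> float:
    """Weighted by file count: large images dominate (the method behind the 60% figure)."""
    return 100.0 * sum(len(r.dark) for r in reports) / sum(r.total for r in reports)
```

On the constructed sample three of five files are dark (60 percent); the two averages diverge whenever large images carry proportionally more unregistered files, which is why the abstract reports both numbers.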
