🤖 AI Summary
This study addresses a critical gap in software supply chain security by introducing the concept of Software Dark Matter (SDM)—security-critical artifacts present in file systems but omitted from Software Bill of Materials (SBOMs) due to their reliance on incomplete metadata. The authors define a quantitative metric, artifact fidelity, to characterize SDM and develop DARKFILES, a tool that combines static file system analysis, metadata reconciliation, and CVE cross-validation. Through large-scale empirical analysis across ecosystems including DockerHub and Maven Central, the work reveals the previously undocumented phenomenon of “packaging lag,” identifies multiple high-severity vulnerabilities absent from SBOMs (including three critical CVEs), and demonstrates that SDM is both pervasive and strongly correlated with sensitive information. These findings fundamentally challenge the prevailing assumption of SBOM completeness.
📝 Abstract
Modern software supply chains have evolved into vast, heterogeneous networks where transparency - the granular understanding of all software components - is now a critical security requirement. While Software Bills of Materials (SBOMs) have emerged as the primary mechanism for this transparency, current industry practices rely on a metadata-centric paradigm that assumes an artifact is defined solely by its package manager declarations. We posit that this assumption is fundamentally flawed, creating a systemic visibility gap we define as Software Dark Matter (SDM). SDM represents the set of security-critical files present in an artifact's filesystem that are unaccounted for by its associated metadata. We implement a reference tool, DARKFILES, and use it to analyze four ecosystems of disjoint nature: DockerHub, Maven Central, plugin/extension marketplaces (Jenkins plugins and OpenVSX), and a real-world enterprise environment.
Our research makes the following contributions: we introduce a general-purpose metric for artifact fidelity calculating SDM as the ratio of untracked files per total file count. We introduce Packaging Lag, a phenomenon where official metadata remains out-of-date across multiple versions before catching up to an artifact's actual content. We demonstrate that SDM exposes vulnerable software invisible to SBOM-driven pipelines both by cross-referencing untracked packages against known CVE databases and through the direct discovery of three confirmed high-severity CVEs, showing that SDM is highly correlated with sensitive information including secrets and cryptographic keys.