De Bonis, Gianluca
(2025)
A Semantic Framework for Modeling and Analysing Software Supply Chains through Software Bill of Materials.
[Master's degree (Laurea magistrale)], Università di Bologna, degree programme in Artificial Intelligence [LM-DM270]
Abstract
This thesis proposes a multi-layered semantic framework for modeling and analysing software supply chains using Software Bills of Materials (SBOMs). Contemporary software ecosystems depend heavily on open-source components, but an SBOM on its own offers only a standalone snapshot of a project's components, with no integrated view of organisational context, vulnerability propagation, or internal software behaviour. This study combines Semantic Web technologies, graph-based dependency modeling, and function-level structural analysis to overcome these limitations.
At the organisational level, heterogeneous SBOMs, survey data, licensing details, and vulnerability records are integrated into an ontology-based knowledge graph, enabling expressive queries and automated reasoning across varied software landscapes. At the project level, the Vulnerability-Dependency Graph (VDGraph) model combines SBOM dependency information with vulnerability findings from Software Composition Analysis (SCA) tools, supporting analysis of how vulnerabilities propagate through dependency chains. Finally, at the code level, function-call graphs, characterised by node centrality metrics and Graph Attention Network (GAT) embeddings, capture the structural significance of functions within an application and provide insight into how updates to dependencies might affect internal behaviour.
Developed during an internship at CERN's Open Source Program Office, the framework offers a comprehensive, scalable approach to understanding, managing, and safeguarding complex software supply chains in large, heterogeneous organisations.
Document type
Degree thesis (Laurea magistrale)
Thesis author
De Bonis, Gianluca
Degree programme regulation
DM270
Keywords
semantic web, ontologies, sbom, software bill of materials, cypher, sparql, owl, software supply chain, vulnerabilities
Thesis defence date
4 December 2025