End Of 2022 Update, Looking Ahead To 2023
Published on December 23, 2022 by Duane O'Brien
Our update posting has lapsed over the course of 2022, but that doesn’t mean we’ve been idle! As we close out the year and look ahead to 2023, we have a couple things to share, including a new development that will play out over the next few months. I’ll start by looking back at the work we started in April and give an overview and an update.
As I mentioned in April, we had onboarded someone to do a trial engagement to review our existing work and help chart a path forward. We spent some time in Q2 working with Reshama Shaikh on a data-focused exploration of the OSPO Classification work to date, casting this work against some publicly available data. I had imagined that we would come out of this trial engagement with a new or more refined methodology for performing the OSPO classification, but the exploration took me in an unexpected direction. After completing the trial engagement, we decided not to continue researching together, and Reshama exited the project. She did great work for FOCUSED, and it enabled us to move forward.
I’m still thinking through how to frame and write up my overall observations based on Reshama’s work, but I’ve made some progress this month. I have two TODO items coming out of this engagement:
- Make sure Reshama’s analysis is easily consumable. The work can be found here, but it needs to be clearly licensed, and would benefit from some additional documentation;
- Finish framing and writing up my observations, and how the analysis affects the overall direction of the FOCUSED project.
This exploration uncovered a new potential path of investigation, and I decided to engage with another researcher to pursue it. Specifically, I had originally framed the FOCUSED Project around the need to recruit active corporate participants who would be willing to opt in to sharing dependency data and some GitHub information, so that we could measure collaboration activities after making interventions. But after reviewing Reshama’s analysis, I wondered if it was possible to collect dependency data passively rather than actively. For this approach to work, we would need to understand how many companies publish public 3rd Party Software reports like this one from Slack. If this practice turned out to be pervasive, we could potentially identify opportunities for collaboration without directly engaging with companies and asking them to share data.
To investigate further, I engaged with Christopher Salcedo to perform some first-round investigation. I needed to get a sense for how many organizations participated in this practice. Christopher’s initial investigation indicated that the practice was common enough that it was worth digging in deeper. I have one outstanding TODO item from this investigation:
- Document and release the results of Christopher’s investigation.
Having decided to continue down this new path of exploration, I have engaged with a third party to produce some code deliverables to support this new approach. The goal is to release code that will find, ingest, and analyze at least two different common 3rd Party Software Report formats. One format is produced as output from a Software Composition Analysis tool. The other format is the CycloneDX SBOM standard. We expect this code to be delivered sometime in Q2 2023.
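As an added illustration of the ingest-and-analyze step described above (example code written for this page, not the FOCUSED project's deliverable, which had not been released at the time of this update), the Python below parses two constructed CycloneDX JSON SBOMs and lists the components that more than one organization depends on, which is the raw signal the passive approach is after. The organization names and package entries are constructed; only the CycloneDX field names (bomFormat, components, name, version, purl) are real.

```python
"""Ingest CycloneDX (JSON) SBOMs from several organizations and report the
third-party components they have in common.

Added example for this page; not the FOCUSED project's own code.  Both SBOM
documents below are constructed for the example, and the organization names
are placeholders.
"""
import json
from collections import defaultdict

# Constructed sample: a minimal CycloneDX JSON SBOM published by "org-a".
ORG_A_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        # An internal component with no purl: falls back to type:name.
        {"type": "library", "name": "internal-widget", "version": "0.1.0"},
    ],
})

# Constructed sample: a second organization's SBOM, overlapping on two packages
# (one of them at a different version).
ORG_B_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "framework", "name": "django", "version": "4.1",
         "purl": "pkg:pypi/django@4.1"},
    ],
})


def component_key(component):
    """Version-independent identity of a component.

    Prefer the package URL with qualifiers, subpath and version removed, since
    bare names collide across ecosystems (an npm and a PyPI package can share a
    name).  Components without a purl fall back to "type:name".
    """
    purl = component.get("purl")
    if purl:
        base = purl.split("?", 1)[0].split("#", 1)[0]   # drop ?qualifiers and #subpath
        return base.rsplit("@", 1)[0]                    # drop @version (rsplit keeps %40 scopes intact)
    return f"{component.get('type', 'unknown')}:{component['name']}"


def ingest_cyclonedx(text):
    """Parse one CycloneDX JSON document into {component_key: version}.

    Raises ValueError if the document does not declare itself as CycloneDX, so
    that a stray JSON file scraped from a site is not silently counted.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    deps = {}
    for comp in doc.get("components", []):
        if "name" not in comp:          # skip malformed entries rather than abort
            continue
        deps[component_key(comp)] = comp.get("version", "")
    return deps


def shared_components(sboms):
    """Given {org: sbom_json_text}, return {component_key: {org: version}}
    restricted to components that two or more organizations depend on."""
    users = defaultdict(dict)
    for org, text in sboms.items():
        for key, version in ingest_cyclonedx(text).items():
            users[key][org] = version
    return {key: orgs for key, orgs in users.items() if len(orgs) >= 2}


def version_drift(shared):
    """Subset of shared components where the organizations run different
    versions; a candidate signal for coordinated-upgrade collaboration."""
    return {key: orgs for key, orgs in shared.items() if len(set(orgs.values())) > 1}


if __name__ == "__main__":
    shared = shared_components({"org-a": ORG_A_SBOM, "org-b": ORG_B_SBOM})
    for key in sorted(shared):
        print(key, shared[key])
    print("version drift:", sorted(version_drift(shared)))
```

Running the block against the two constructed documents reports `pkg:npm/left-pad` and `pkg:pypi/requests` as shared, with `requests` flagged for version drift; the internal component and `django` appear in only one report and are dropped. Real reports would be collected by the "find" step the update mentions and fed to `shared_components` in the same `{org: text}` shape.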
While this code is being developed, I will be spending Q1 finalizing the three TODO items mentioned in this update and drafting a potential new approach for passively collecting the GitHub information needed to continue the investigation. Look for additional updates in January.