CloudNativeSecurityCon North America 2023

Software transparency has become the north star for many interested in software supply chain security. For instance, advocates of software bills of materials (SBOMs) believe that SBOMs provide the data layer that will allow software producers and consumers to achieve software transparency.  But there's an unrecognized impediment to achieving software transparency and to creating accurate and complete SBOMs: software dark matter. Software dark matter are files that are unregistered by a package manager, effectively invisible to many software composition analysis tools and vulnerability scanners. This software dark matter reduces the utility of security tools and complicates the quest for software transparency.  To understand the magnitude of the software dark matter problem, this project analyzed 350 popular Docker Hub images, quantifying the software dark matter percentage. The average popular container is approximately 30 percent dark matter. Using an average weighted by the number of files, the typical container is 60 percent dark matter.  The talk finishes with a call to avoid software dark matter in container images.