Securing the Supply Chain for OSS

🌟 CF Hackathon 2025 Project Results 🌟

The Securing the Supply Chain for OSS team addressed the critical challenge of software supply chain security in open source ecosystems, particularly in light of new regulatory requirements like the EU Cyber Resilience Act. The team recognized that many open-source projects, especially in the CMS ecosystem, lack the tools and workflows to meet these requirements effectively.

After collaborative brainstorming, the team focused on creating a CMS-agnostic approach for implementing the Software Bill of Materials (SBOM), which provides transparency about the dependencies used in applications. They developed a lightweight PHP library called SBOMinator3000 that generates SBOMs through two complementary approaches: collecting the dependency information that the infrastructure already records (package-manager metadata), and performing static code analysis to identify libraries included directly in the code where no package-manager files exist.
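The two-source approach described above, as an added illustration (written in Python here, not code from SBOMinator3000 or from the hackathon team): one function maps a Composer lock file to CycloneDX components with Package URLs, a second scans PHP source for libraries pulled in with `require`/`include` from a vendor-style directory, and a third merges both into a CycloneDX 1.5 document. The lock file, the PHP source, the `VENDOR_DIRS` heuristic and the `sbom:detection` property name are all constructed for this example.

```python
"""Added example: build a CycloneDX SBOM for a PHP app from (1) composer.lock
and (2) a static scan for hand-vendored libraries. Illustrative only; this is
not SBOMinator3000. All sample inputs below are constructed."""
import json
import posixpath
import re
import uuid

# Constructed composer.lock fragment (real lock files carry many more fields).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "3.5.0",
         "dist": {"type": "zip", "shasum": "0123456789abcdef0123456789abcdef01234567"}},
        {"name": "psr/log", "version": "3.0.0", "dist": {"type": "zip", "shasum": ""}},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "10.5.0", "dist": {"type": "zip", "shasum": ""}},
    ],
})

# Constructed PHP source: a plugin that bundles a library by hand, with no lock file.
PHP_SOURCES = {
    "wp-content/plugins/mailer/mailer.php": """<?php
require_once __DIR__ . '/lib/phpmailer/src/PHPMailer.php';
require_once __DIR__ . '/lib/phpmailer/src/SMTP.php';
include 'helpers.php';
use PHPMailer\\PHPMailer\\PHPMailer;
""",
}

# Heuristic (assumption): an include whose first path segment is one of these
# directories names a bundled third-party library in its second segment.
VENDOR_DIRS = ("lib", "vendor", "third-party", "includes")

# Matches require/include(_once) with an optional __DIR__ prefix and quoted path.
INCLUDE_RE = re.compile(
    r"""\b(?:require|include)(?:_once)?\s*\(?\s*(?:__DIR__\s*\.\s*)?['"]([^'"]+)['"]""")


def components_from_composer_lock(lock_json, include_dev=False):
    """Map each locked package to a CycloneDX component with a Composer purl."""
    lock = json.loads(lock_json)
    packages = list(lock.get("packages", []))
    if include_dev:
        packages += lock.get("packages-dev", [])
    components = []
    for pkg in packages:
        comp = {
            "type": "library",
            "name": pkg["name"],
            "version": pkg["version"],
            "purl": f"pkg:composer/{pkg['name']}@{pkg['version']}",
        }
        shasum = pkg.get("dist", {}).get("shasum")
        if shasum:  # Composer records the SHA-1 of the dist archive when it knows it
            comp["hashes"] = [{"alg": "SHA-1", "content": shasum}]
        components.append(comp)
    return components


def components_from_static_scan(sources):
    """Find libraries pulled in with require/include from a vendor-style directory."""
    found = {}
    for path, code in sources.items():
        for included in INCLUDE_RE.findall(code):
            parts = [p for p in included.split("/") if p and p != "."]
            if len(parts) < 2 or parts[0] not in VENDOR_DIRS:
                continue  # plain project file such as helpers.php
            name = parts[1].lower()
            comp = found.setdefault(name, {
                "type": "library",
                "name": name,
                # No lock file, so the version is unknown: record how it was found
                # rather than guessing a version.
                "properties": [{"name": "sbom:detection", "value": "static-scan"}],
                "evidence": {"occurrences": []},
            })
            location = posixpath.join(posixpath.dirname(path), "/".join(parts))
            comp["evidence"]["occurrences"].append({"location": location})
    return list(found.values())


def build_sbom(lock_json, sources, app_name="my-app", app_version="1.0.0"):
    """Merge both views; a locked package wins over a static hit for the same library."""
    locked = components_from_composer_lock(lock_json)
    locked_short = {c["name"].split("/")[-1].lower() for c in locked}
    scanned = [c for c in components_from_static_scan(sources)
               if c["name"] not in locked_short]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": locked + scanned,
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom(COMPOSER_LOCK, PHP_SOURCES), indent=2))
```

The static-scan component deliberately carries no `version` and no `purl`: a hand-copied library has nothing authoritative to say which release it is, and an SBOM that guesses would defeat the purpose. The `evidence.occurrences` entries point a reviewer at the bundled files so the version can be established by hand or by hashing them against known releases.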

The project delivered impressive results with nine repositories grouped in a GitHub organization, comprising over 150 files and 16,000 lines of code. They created integrations for WordPress (via Site Health module and WP-CLI), TYPO3 (admin extension), and Laravel (Artisan command), demonstrating the solution’s versatility across CMS platforms. Their compelling presentation earned them the Pitch Perfect Award alongside the CMS Freedom project.

The impact of this tool extends to multiple stakeholders, including site owners, compliance officers, web hosts, agencies, and software maintainers, providing a solid foundation for a more secure software supply chain.

Project Description

Software supply chain security has become a critical concern for open source ecosystems, particularly in light of new regulatory requirements and increasing security threats. The EU Cyber Resilience Act, which entered into force on 10 December 2024 (with vulnerability and incident reporting obligations applying from 11 September 2026 and most other obligations from 11 December 2027), requires manufacturers, importers and distributors to ensure that their products with digital elements remain secure throughout their lifecycle. This is just one example of the growing regulatory landscape that open source projects must navigate.

Current challenges include ensuring continuous access to security updates, maintaining separate security and feature update channels, implementing vulnerability disclosure programs, and providing transparency through Software Bill of Materials (SBOM) and Supply-chain Levels for Software Artifacts (SLSA). Many open source projects, especially in the CMS ecosystem, lack the tools and workflows to meet these requirements effectively.

This project aims to develop solutions that address these challenges through modular, reusable components. Using WordPress plugin development as our initial implementation use case, we’ll create tools and workflows that can benefit the broader open source community. The goal is to enable projects of all sizes to implement robust supply chain security measures without reinventing the wheel.

Target Audience
  • Open source software vendors and maintainers
  • CMS platform developers and contributors
  • Security professionals and researchers
  • Organizations deploying CMS solutions at scale
Hackathon Goals

The project scope is flexible and will be refined based on team composition and expertise. Potential deliverables may include:

  • Security update channel implementations
  • Cryptographic code signing solutions
  • SBOM generation and verification tools
  • Vulnerability disclosure program tooling
  • Documentation and implementation guides
  • Cross-CMS security standards

Teams can focus on one or more of these areas, or propose additional solutions that address supply chain security challenges in open source ecosystems.



© 2025 – CloudFest | All rights reserved