{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T13:34:58Z","timestamp":1773840898738,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":36,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,6,18]],"date-time":"2024-06-18T00:00:00Z","timestamp":1718668800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"funder":[{"name":"Cyber Security Cooperative Research Centre"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,6,18]]},"DOI":"10.1145\/3661167.3661212","type":"proceedings-article","created":{"date-parts":[[2024,6,14]],"date-time":"2024-06-14T12:24:25Z","timestamp":1718367865000},"page":"38-47","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["An Empirically Grounded Reference Architecture for Software Supply Chain Metadata Management"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9538-7476","authenticated-orcid":false,"given":"Nguyen Khoi","family":"Tran","sequence":"first","affiliation":[{"name":"CREST, The University of Adelaide, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5342-9551","authenticated-orcid":false,"given":"Samodha","family":"Pallewatta","sequence":"additional","affiliation":[{"name":"CREST, The University of Adelaide, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9696-3626","authenticated-orcid":false,"given":"Muhammad Ali","family":"Babar","sequence":"additional","affiliation":[{"name":"CREST, The University of Adelaide, Australia and Cyber Security Cooperative Research Centre, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,6,18]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2011.36"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/WICSA.2009.5290800"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/mitp.2007.53"},{"key":"e_1_3_2_1_4_1","volume-title":"Document analysis as a qualitative research method. Qualitative research journal 9, 2","author":"Bowen A","year":"2009","unstructured":"Glenn\u00a0A Bowen. 2009. Document analysis as a qualitative research method. Qualitative research journal 9, 2 (2009), 27\u201340."},{"key":"e_1_3_2_1_5_1","volume-title":"Containers, Components, and Code. URl: https:\/\/c4model. com\/.(accessed: 09.12. 2022)","author":"Brown Simon","year":"2018","unstructured":"Simon Brown. 2018. The C4 model for visualising software architecture. Context, Containers, Components, and Code. URl: https:\/\/c4model. com\/.(accessed: 09.12. 2022) (2018)."},{"key":"e_1_3_2_1_6_1","unstructured":"CNCF. 2022. The Secure Software Factory: A reference architecture to securing the software supply chain. Technical Report."},{"key":"e_1_3_2_1_7_1","unstructured":"Henk Birkholz; Antoine Delignat-Lavaud; Cedric Fournet;\u00a0Yogesh Deshpande. 2023. An Architecture for Trustworthy and Transparent Digital Supply Chains. Technical Report."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","unstructured":"Matthias Galster and Paris Avgeriou. 2011. Empirically-grounded reference architectures. In Proceedings of the joint ACM SIGSOFT conference \u2013 QoSA and ACM SIGSOFT symposium \u2013 ISARCS on Quality of software architectures \u2013 QoSA and architecting critical systems \u2013 ISARCS. ACM. https:\/\/doi.org\/10.1145\/2000259.2000285","DOI":"10.1145\/2000259.2000285"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSMCC.2011.2145370"},{"key":"e_1_3_2_1_10_1","unstructured":"in toto. 2017. in-toto Specification v0.9. Technical Report."},{"key":"e_1_3_2_1_11_1","volume-title":"NIST cloud computing reference architecture. NIST special publication 500","author":"Liu Fang","year":"2011","unstructured":"Fang Liu, Jin Tong, Jian Mao, Robert Bohn, John Messina, Lee Badger, Dawn Leaf, 2011. NIST cloud computing reference architecture. NIST special publication 500, 2011 (2011), 1\u201328."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSA56044.2023.00011"},{"key":"e_1_3_2_1_13_1","volume-title":"Eindhoven, White paper","author":"Muller Gerrit","year":"2008","unstructured":"Gerrit Muller. 2008. A reference architecture primer. Eindhoven Univ. of Techn., Eindhoven, White paper (2008)."},{"key":"e_1_3_2_1_14_1","unstructured":"Frank; Jessica Wilkerson; James\u00a0Dana; Nagle and Jennifer\u00a0L. Hoffman. 2020. Vulnerabilities in the Core: Preliminary Report and Census II of Open Source Software. Technical Report."},{"key":"e_1_3_2_1_15_1","unstructured":"NTIA. 2021. Framing Software ComponentTransparency: Establishing a CommonSoftware Bill of Materials (SBOM). Technical Report."},{"key":"e_1_3_2_1_16_1","unstructured":"NTIA. 2021. How-To Guide for SBOM Generation. Technical Report."},{"key":"e_1_3_2_1_17_1","unstructured":"NTIA. 2021. Roles and Benefits for SBOM Across the Supply Chain. Technical Report."},{"key":"e_1_3_2_1_18_1","unstructured":"NTIA. 2021. SBOM Tool Classification Taxonomy. Technical Report."},{"key":"e_1_3_2_1_19_1","unstructured":"NTIA. 2021. Sharing and Exchanging SBOMs. Technical Report."},{"key":"e_1_3_2_1_20_1","unstructured":"NTIA. 2021. Software Consumers Playbook: SBOM Acquisition Management and Use. Technical Report."},{"key":"e_1_3_2_1_21_1","unstructured":"NTIA. 2021. Software Suppliers Playbook: SBOM Production and Provision. Technical Report."},{"key":"e_1_3_2_1_22_1","unstructured":"NTIA. 2021. Survey of Existing SBOM Formats and Standards. Technical Report."},{"key":"e_1_3_2_1_23_1","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment, Cl\u00e9mentine Maurice","author":"Ohm Marc","unstructured":"Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber\u2019s Knife Collection: A Review of Open Source Software Supply Chain Attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, Cl\u00e9mentine Maurice, Leyla Bilge, Gianluca Stringhini, and Nuno Neves (Eds.). Springer International Publishing, Cham, 23\u201343."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564556"},{"key":"e_1_3_2_1_25_1","unstructured":"OWASP. 2020. OWASP Software Component Verification Standard Version 1.0. https:\/\/owasp.org\/www-project-software-component-verification-standard\/."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.bdr.2015.01.001"},{"key":"e_1_3_2_1_27_1","unstructured":"SEI. 2010. Evaluating and Mitigating Software Supply Chain Security Risks. Technical Report."},{"key":"e_1_3_2_1_28_1","unstructured":"SEI. 2010. Software Supply Chain Risk Management: From Products to Systems of Systems. Technical Report."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/ase.2019.00141"},{"key":"e_1_3_2_1_30_1","unstructured":"SLSA. 2021. SLSA Specificaion Version 0.1. https:\/\/slsa.dev\/spec\/v0.1\/onepage."},{"key":"e_1_3_2_1_31_1","unstructured":"SLSA. 2023. SLSA Specification Version 1.0 RC. https:\/\/slsa.dev\/spec\/v1.0-rc1\/onepage."},{"key":"e_1_3_2_1_32_1","unstructured":"Sonatype. 2023. The 8th Annual State of the SoftwareSupply Chain Report. Technical Report."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"crossref","unstructured":"Jeremiah\u00a0Trent Stoddard Michael\u00a0Adam Cutshaw Tyler Williams Allan Friedman and Justin Murphy. 2023. Software Bill of Materials (SBOM) Sharing Lifecycle Report. Technical Report.","DOI":"10.2172\/1969133"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/ms.2016.20"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2601248.2601268"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","unstructured":"Boming Xia Tingting Bi Zhenchang Xing Qinghua Lu and Liming Zhu. 2023. An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead. (2023). https:\/\/doi.org\/10.48550\/ARXIV.2301.05362","DOI":"10.48550\/ARXIV.2301.05362"}],"event":{"name":"EASE 2024: 28th International Conference on Evaluation and Assessment in Software Engineering","location":"Salerno Italy","acronym":"EASE 2024"},"container-title":["Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3661167.3661212","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3661167.3661212","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T11:14:11Z","timestamp":1755861251000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3661167.3661212"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,6,18]]},"references-count":36,"alternative-id":["10.1145\/3661167.3661212","10.1145\/3661167"],"URL":"https:\/\/doi.org\/10.1145\/3661167.3661212","relation":{},"subject":[],"published":{"date-parts":[[2024,6,18]]},"assertion":[{"value":"2024-06-18","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}