{"id":15023957,"url":"https://github.com/sap/risk-explorer-for-software-supply-chains","last_synced_at":"2025-04-06T22:06:49.758Z","repository":{"id":38536155,"uuid":"470753808","full_name":"SAP/risk-explorer-for-software-supply-chains","owner":"SAP","description":"A taxonomy of attacks on software supply chains in the form of an attack tree, based on and linked to numerous real-world incidents and other resources. The taxonomy as well as related safeguards can be explored using an interactive visualization tool.","archived":false,"fork":false,"pushed_at":"2025-03-24T17:44:19.000Z","size":17662,"stargazers_count":75,"open_issues_count":12,"forks_count":15,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-05T13:13:37.106Z","etag":null,"topics":["open-source","security"],"latest_commit_sha":null,"homepage":"https://sap.github.io/risk-explorer-for-software-supply-chains/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SAP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-16T21:15:22.000Z","updated_at":"2025-04-04T03:38:45.000Z","dependencies_parsed_at":"2024-05-02T02:39:01.730Z","dependency_job_id":"7a608155-cf1d-433f-886b-71303ea94111","html_url":"https://github.com/SAP/risk-explorer-for-software-supply-chains","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":"SAP/repository-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SAP%2Frisk-explorer-for-software-supply-cha
ins","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SAP%2Frisk-explorer-for-software-supply-chains/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SAP%2Frisk-explorer-for-software-supply-chains/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SAP%2Frisk-explorer-for-software-supply-chains/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SAP","download_url":"https://codeload.github.com/SAP/risk-explorer-for-software-supply-chains/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247557767,"owners_count":20958047,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["open-source","security"],"created_at":"2024-09-24T19:59:38.999Z","updated_at":"2025-04-06T22:06:49.735Z","avatar_url":"https://github.com/SAP.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Risk Explorer for Software Supply Chains\n[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE.txt)\n[![REUSE status](https://api.reuse.software/badge/github.com/sap/risk-explorer-for-software-supply-chains)](https://api.reuse.software/info/github.com/sap/risk-explorer-for-software-supply-chains)\n\n## About this project\n\nThis project offers a tool to explore a taxonomy of attack vectors targeting open-source software supply chains. This information has been compiled on the basis of numerous real-world incidents, i.e. 
actual attacks and vulnerabilities, as well as plausible proof-of-concepts and scientific literature.\nYou can find more about this work in our [paper](https://arxiv.org/abs/2204.04008).\n\nThe project can be used as learning material for awareness campaigns or training sessions, but also for purposes such as threat modeling, risk assessments or pentest scoping.\n\nIn more detail, the project and tool provide the following information:\n* **Attack Tree**: a hierarchical organization of the 100+ attack vectors and techniques included in the taxonomy, starting from the abstract, top-level goal down to alternative and more concrete attack techniques\n* **Attack Vectors**: a tabular view of all the attack vectors, along with their description, references, real-world examples and mapped safeguards\n* **Safeguards**: a tabular view of countermeasures that fully or partially mitigate the above-mentioned attacks\n* **References**: 300+ resources related in one way or another to supply chain security, both scientific and gray literature, all tagged and linked to attack vectors/safeguards\n\n## Requirements and Setup\n\nSimply [access the tool online](https://sap.github.io/risk-explorer-for-software-supply-chains/) using your favorite browser. Make sure JavaScript is enabled; a desktop browser gives the best experience.\n\nTo run a local copy of the code, install [Node.js](https://nodejs.dev/learn/how-to-install-nodejs), then from inside the project directory (where `package.json` is located):\n1. Install the required dependencies via `npm install`\n2. Run the project via `npm start`\n\n## Support, Feedback, Contributing\n\nThis project is open to feature requests/suggestions, bug reports, etc. via [GitHub issues](https://github.com/SAP/risk-explorer-for-software-supply-chains/issues). Contribution and feedback are encouraged and always welcome. 
For more information about how to contribute and about the project structure, see our [Contribution Guidelines](CONTRIBUTING.md).\n\n## Code of Conduct\n\nWe as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its [Code of Conduct](CODE_OF_CONDUCT.md) at all times.\n\n## Licensing\n\nCopyright 2022 SAP SE or an SAP affiliate company and Risk Explorer for Software Supply Chains contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/SAP/risk-explorer-for-software-supply-chains/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsap%2Frisk-explorer-for-software-supply-chains","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsap%2Frisk-explorer-for-software-supply-chains","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsap%2Frisk-explorer-for-software-supply-chains/lists"}
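The README above describes the taxonomy as an attack tree (an abstract top-level goal refined into alternative, more concrete attack vectors) with safeguards that fully or partially mitigate individual vectors. The following JavaScript is an added illustration of how such a tree can be used for threat modeling and pentest scoping; it is not code or data from the Risk Explorer project. The tree, the vector and safeguard identifiers (AV-xxx, SG-x), and the mitigation mappings are constructed for this example and do not reproduce the project's taxonomy; the tree is treated as pure OR refinement, as the README's "alternative" techniques suggest.

```javascript
// Added illustration (not the Risk Explorer project's code or data model).
// An OR attack tree: an abstract goal refined into alternative, more
// concrete attack vectors. Ids, names and mappings are constructed here.
const tree = {
  id: "AV-000",
  name: "Inject malicious code into an open-source package",
  children: [
    {
      id: "AV-100",
      name: "Develop and advertise a distinct malicious package",
      children: [
        { id: "AV-101", name: "Typosquatting a popular package name" },
        { id: "AV-102", name: "Dependency confusion (internal name on public registry)" },
      ],
    },
    {
      id: "AV-200",
      name: "Subvert a legitimate package",
      children: [
        {
          id: "AV-201",
          name: "Inject into the source repository",
          children: [
            { id: "AV-211", name: "Compromise a maintainer account" },
            { id: "AV-212", name: "Contribute a malicious pull request" },
          ],
        },
        { id: "AV-202", name: "Tamper with the build system" },
        { id: "AV-203", name: "Publish a tampered artifact to the registry" },
      ],
    },
  ],
};

// Safeguards map to the vectors they mitigate, either "full" (the vector
// is blocked) or "partial" (the vector is only made harder). Constructed.
const safeguards = [
  { id: "SG-1", name: "Reserve registry namespaces / use scoped packages", mitigates: { "AV-102": "full" } },
  { id: "SG-2", name: "Enforce MFA on maintainer accounts", mitigates: { "AV-211": "partial" } },
  { id: "SG-3", name: "Reproducible builds with provenance attestation", mitigates: { "AV-202": "full", "AV-203": "full" } },
  { id: "SG-4", name: "Mandatory two-person code review", mitigates: { "AV-212": "partial" } },
];

const LEVEL = { none: 0, partial: 1, full: 2 };

// Enumerate every root-to-leaf path; each leaf is a concrete attack vector.
function leafPaths(node, prefix = []) {
  const path = [...prefix, node.id];
  if (!node.children || node.children.length === 0) return [path];
  return node.children.flatMap((child) => leafPaths(child, path));
}

// Best mitigation level the deployed safeguards give one vector.
function mitigationFor(vectorId, safeguards, deployed) {
  let best = "none";
  for (const sg of safeguards) {
    if (!deployed.has(sg.id)) continue;
    const level = sg.mitigates[vectorId];
    if (level && LEVEL[level] > LEVEL[best]) best = level;
  }
  return best;
}

// In an OR tree the goal stays reachable through every leaf that is not
// fully mitigated. Returns those leaves with their path and best mitigation.
function residualVectors(root, safeguards, deployedIds) {
  const deployed = new Set(deployedIds);
  return leafPaths(root)
    .map((path) => {
      const id = path[path.length - 1];
      return { id, path, mitigation: mitigationFor(id, safeguards, deployed) };
    })
    .filter((v) => v.mitigation !== "full");
}

// Crude residual-risk score: 2 per unmitigated leaf, 1 per partially
// mitigated leaf, 0 once a leaf is fully mitigated.
function residualRisk(root, safeguards, deployedIds) {
  return residualVectors(root, safeguards, deployedIds)
    .reduce((sum, v) => sum + (LEVEL.full - LEVEL[v.mitigation]), 0);
}

// Greedy prioritisation: which not-yet-deployed safeguard lowers the
// residual-risk score the most if added next.
function nextBestSafeguard(root, safeguards, deployedIds) {
  const before = residualRisk(root, safeguards, deployedIds);
  let best = null;
  for (const sg of safeguards) {
    if (deployedIds.includes(sg.id)) continue;
    const gain = before - residualRisk(root, safeguards, [...deployedIds, sg.id]);
    if (best === null || gain > best.gain) best = { id: sg.id, gain };
  }
  return best;
}

// Usage: what remains open with two safeguards in place, and what to add next.
const inPlace = ["SG-1", "SG-3"];
console.log(residualVectors(tree, safeguards, inPlace)
  .map((v) => `${v.path.join(" > ")} [${v.mitigation}]`));
console.log(nextBestSafeguard(tree, safeguards, inPlace));
```

Scoping use: the residual list is the set of vectors a pentest or red team exercise should still cover, and the greedy step gives a defensible first answer to "which safeguard next"; AND nodes (all children required) would need a separate combination rule, which the OR-only version above deliberately omits.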