Basic Supply-chain Components in Software Artifacts

  1. Introduction to Supply-chain Levels for Software Artifacts
  2. Basic Supply-chain Components in Software Artifacts
  3. Intermediate Levels of Supply-chain for Software Artifacts
  4. Advanced Supply-chain Strategies for Software Artifacts
  5. Supply-chain Levels for Software Artifacts: Threats and Mitigations
  6. Best Practices and Optimization in Supply-chain Levels for Software Artifacts


As we continue our exploration into the multifaceted world of software supply-chain, this second installment in our six-article series focuses on the foundational components that constitute the backbone of a robust software supply-chain. Drawing upon five years of hands-on experience, this article delves into the intricacies of source code management, version control strategies, build processes, artifact repositories, and dependency management. These components not only facilitate seamless development workflows but also underpin the efficacy, security, and scalability of software delivery pipelines.

Source Code Management Systems

Source Code Management (SCM) systems form the cornerstone of collaborative software development. Tools like Git, SVN have revolutionized version control, offering features such as:

– Version Tracking: Capturing incremental changes, facilitating rollback, and audit capabilities.
– Collaboration: Enabling concurrent development, code reviews, and merging capabilities.
– Branching: Supporting parallel development streams, experimentation, and feature isolation.

Role in Managing Code Versions:

– Git: Leveraging distributed version control, branching models (e.g., Git Flow), and fostering a collaborative development ethos.
– SVN: Centralized version control, linear history, and well-suited for specific use-cases and legacy systems.

Version Control and Branching Strategies

Version control transcends mere file tracking, embodying a philosophy of iterative development, collaboration, and traceability. Branching strategies like Git Flow, Trunk-Based Development offer distinct paradigms:

– Git Flow: Encompassing feature, release, hotfix, and master branches, providing a structured yet flexible approach.
– Trunk-Based Development: Advocating a singular trunk branch, fostering continuous integration, and streamlined deployments.


– Git Flow: Structured release cycles, feature isolation, and enhanced stability.
– Trunk-Based Development: Promoting agility, reducing integration complexities, and fostering a “release early, release often” ethos.

Build and Compilation Processes

Build processes epitomize the transformation of source code into deployable artifacts. Embracing build tools like Maven, Gradle, these processes encompass:

– Compilation: Translating source code into machine-readable binaries.
– Packaging: Incorporating dependencies, configurations, and resources into deployable artifacts.
– Validation: Executing unit tests, static code analysis, and ensuring artifact integrity.


– Maven: Emphasizing convention over configuration, lifecycle management, and dependency resolution.
– Gradle: Leveraging a flexible DSL, incremental builds, and supporting diverse integration scenarios.

Artifact Repositories and Binaries

Artifact repositories serve as the sanctuaries for storing, managing, and distributing software artifacts. Platforms like JFrog Artifactory, Nexus play pivotal roles:

– Artifact Storage: Ensuring artifact provenance, versioning, and accessibility.
– Metadata Management: Facilitating artifact discovery, lineage, and metadata enrichment.
– Distribution: Supporting artifact replication, caching, and efficient retrieval mechanisms.

Artifacts lifecycle:

1. Creation: Compilation and packaging of source code.
2. Storage: Uploading to repositories like JFrog Artifactory.
3. Distribution: Replicating across global networks.
4. Deployment: Installing and executing on target environments.


– JFrog Artifactory: Offering robust security, metadata management, and supporting diverse package formats.
– Nexus: Focusing on artifact governance, repository management, and fostering a curated artifact ecosystem.

Dependency Management

Dependencies encapsulate the libraries, frameworks, and modules upon which software artifacts rely. Managing dependencies is pivotal for:

– Consistency: Ensuring consistent build environments, reproducibility, and minimizing “works on my machine” discrepancies.
– Security: Identifying vulnerabilities, enforcing version constraints, and fostering a proactive security posture.


– Package Managers: Tools like npm, pip, facilitating dependency resolution, version management, and ecosystem integration.
– Dependency Analysis: Leveraging tools like OWASP Dependency-Check, Snyk for vulnerability assessment, and proactive risk mitigation.


SLSA can help reduce supply chain threats in a software artifact, but there are limitations.

  • There are a significant number of dependencies in the supply chain for many artifacts. The full graph of dependencies could be intractably large.
  • In practice, a team working on security will need to identify and focus on the important components in a supply chain. This can be performed manually, but the effort could be significant.
  • An artifact’s SLSA level is not transitive and dependencies have their own SLSA ratings. This means that it is possible for a SLSA 4 artifact to be built from SLSA 0 dependencies. So, while the main artifact has strong security, risks may still exist elsewhere. The aggregate of these risks will help software consumers understand how and where to use the SLSA 4 artifact.
  • While automation of these tasks will help, it isn’t practical for every software consumer to fully vet the entire graph of every artifact. To close this gap, auditors and accreditation bodies could verify and assert that something meets the SLSA requirements. This could be particularly valuable for closed source software.


Navigating the software supply-chain landscape necessitates a profound understanding of its foundational components. Source code management systems, version control strategies, build processes, artifact repositories, and dependency management collectively orchestrate the development lifecycle, ensuring agility, quality, and reliability. As we progress through our series on Supply-chain Levels for Software Artifacts, grounding our exploration within these foundational pillars sets the stage for a holistic understanding, empowering organizations to architect resilient, scalable, and efficient software supply-chains.

Note: This article synthesizes personal experience, industry insights, and best practices to provide an in-depth exploration of basic supply-chain components in software artifacts. It serves as a foundational resource, inviting further exploration and contextual adaptation based on organizational nuances and evolving industry dynamics.