Commit 2bb7457

Update master-thesis.md
1 parent 08fd848 commit 2bb7457

1 file changed

+4
-0
lines changed

master-thesis.md

Lines changed: 4 additions & 0 deletions
@@ -12,6 +12,7 @@ Contact: Larissa Schmid
1212
Open-source projects rely on a community of maintainers and contributors, which is a strength but also introduces potential security risks. New contributors, in particular, can represent a vector for vulnerabilities, as demonstrated by incidents such as the compromise of the event-stream package. For projects that depend on such packages, it is critical to monitor changes in maintainers and contributors to make informed decisions about whether to continue trusting a dependency. Audit trails provide verifiable records of who made changes, when they were made, and how they were reviewed and integrated. Maintaining such records helps verify the trustworthiness of new contributors and allows reconstruction of events if a package is compromised. In this master's thesis, you will design and implement a tool that automatically generates audit trails for new contributors in the dependencies of a project. The tool will track commit history, ownership changes of packages, the introduction of new dependencies, and the presence of release signatures along with their traceability to known maintainers.
1313

1414
Related Work:
15+
1516
[1] [OpenSSF Scorecard: On the Path Toward Ecosystem-Wide Automated Security Metrics](ieeexplore.ieee.org/abstract/document/10163720)
1617

1718
[2] [Decomposing and Measuring Trust in Open-Source Software Supply Chains](dl.acm.org/doi/abs/10.1145/3639476.3639775)
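Review bot: both reference links in this hunk's context (new-file lines 16 and 18) are missing a URL scheme, so `[1] [...](ieeexplore.ieee.org/abstract/document/10163720)` and `[2] [...](dl.acm.org/doi/abs/10.1145/3639476.3639775)` render as links relative to the repository path instead of pointing at IEEE Xplore and the ACM DL; prefix both with `https://` while this block is being edited. The blank line added after `Related Work:` is the right fix, since without it the label was folded into the first reference paragraph.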
@@ -22,8 +23,11 @@ Contact: Larissa Schmid
2223
Software Composition Analysis (SCA) tools scan a project's dependencies to identify known security vulnerabilities, thereby supporting software supply chain security. Although numerous SCA tools have been developed, they differ significantly in functionality, capabilities, and the ecosystems they support. To date, there is no comprehensive evaluation that systematically compares these tools. This Master’s thesis aims to collect a representative set of SCA tools, analyze and compare their features, and evaluate them on a shared dataset. The study will provide practical insights into how SCA tools perform across different ecosystems and their relative strengths and limitations.
2324

2425
Related Work:
26+
2527
[1] [Software composition analysis for vulnerability detection: An empirical study on Java projects](dl.acm.org/doi/abs/10.1145/3611643.3616299)
28+
2629
[2] [Understanding Similarities and Differences Between Software Composition Analysis Tools](ieeexplore.ieee.org/abstract/document/10645968)
30+
2731
[3] [Adversarial Analysis of Software Composition Analysis Tools](https://link.springer.com/chapter/10.1007/978-3-031-75764-8_9)
2832

2933
### Empirical Study of API Difference Tools for Java Dependencies
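Review bot: the three added blank lines now separate [1], [2] and [3] into their own paragraphs, but [1] and [2] still have no scheme while [3] uses `https://`, so the first two resolve relative to the repository; make them consistent, e.g. `[1] [...](https://dl.acm.org/doi/abs/10.1145/3611643.3616299)` and `[2] [...](https://ieeexplore.ieee.org/abstract/document/10645968)`. Minor: this topic writes `Master’s` with a curly apostrophe while the previous one writes `master's`; pick one spelling.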