Survey of Open Source Software Supply Chain

Abstract

Open source software has become a key infrastructure of modern society, supporting software development in almost every area. Through various kinds of code reuse such as install dependencies, API calls, project forks, file copies, and code clones, open source software forms an intricate supply (i.e., dependency) network, which is referred to as the open source software supply chain. On the one hand, software supply chains facilitate software development and have become the foundation of the software industry. On the other hand, risks from upstream software can affect the numerous downstream software projects that depend on it along the chain, leading to a ripple effect in open source software supply chains. Open source software supply chains have attracted more and more attention from both academia and industry. To help advance researchers’ knowledge of the open source software supply chain, this paper provides a definition and a research framework for the open source software supply chain from a holistic perspective. It then conducts a systematic literature review of worldwide research and summarizes the status quo of research from three aspects: structure and evolution, risk propagation and management, and dependency management. Finally, the paper summarizes the challenges and opportunities for future research on the open source software supply chain.

Publication
In Journal of Software
Kai Gao
Ph.D. Candidate