
Create a table on database used #21

Open
SahithiKasim opened this issue May 29, 2023 · 1 comment
@SahithiKasim (Collaborator)

A literature review of empirical papers studying OSS supply chains, explaining what data is used, i.e., which elements of the supply chain are used.

@SahithiKasim SahithiKasim added this to the 05/31/2023 milestone May 29, 2023
@SahithiKasim SahithiKasim self-assigned this May 29, 2023
@SahithiKasim (Collaborator, Author)

Elements of the Supply Chain

| Paper Title | Research Question or Goal | Sample or Dataset Used | Coverage of Supply Chain Elements |
|---|---|---|---|
| Practical Automated Detection of Malicious npm Packages | - Does Amalfi find malicious packages in practice?<br>- Is it accurate enough to be useful?<br>- Is training and classification fast enough to be usable? | 1.7 million packages from the npm public registry | Publish, Identify Bugs |
| Structure and evolution of package dependency networks | - What are the static characteristics of package dependency networks?<br>- How do package dependency networks evolve?<br>- How vulnerable are package dependency networks to the removal of a random project? | Package repositories and GitHub dependencies of npm, RubyGems, and Crates that are published in the central repository, and applications | Publish, Identify Bugs |
| On the impact of security vulnerabilities in the npm and RubyGems dependency networks | - How prevalent are disclosed vulnerabilities in npm and RubyGems packages?<br>- How much time elapses until a vulnerability is disclosed?<br>- For how long do packages remain affected by disclosed vulnerabilities?<br>- To what extent are dependents exposed to their vulnerable dependencies?<br>- How are vulnerabilities spread in the dependency tree?<br>- Do exposed dependents upgrade their vulnerable dependencies when a vulnerability fix is released?<br>- To what extent are dependents exposed to their vulnerable dependencies at their release time? | npm and RubyGems packages from libraries.io and external GitHub projects with run-time dependencies present in Snyk.io security reports | Publish, Issue Tracker |
| On the impact of security vulnerabilities in the npm package dependency network | - How many packages are known to be affected by vulnerabilities?<br>- How long do packages remain vulnerable?<br>- When are vulnerabilities discovered?<br>- When are vulnerabilities fixed? | 610k JavaScript packages present in Snyk.io security reports | Publish, Issue Tracker |
| Small World with High Risks: A Study of Security Threats in the npm Ecosystem | The goal is to study the security risks for users of npm by systematically analyzing dependencies between packages, the maintainers responsible for these packages, and publicly reported security issues. | Package dependencies, maintainers, and vulnerabilities of npm | Publish, Issue Tracker |
| The Debsources Dataset: two decades of free and open source software | - How does the size of Debian evolve over time?<br>- How much does Debian change between releases?<br>- How has the popularity of programming languages changed over the last 20 years?<br>- Which licenses apply to Debian source code files?<br>- Which licenses can be found in Debian source packages?<br>- How has license use evolved in Debian over time? | Source code and metadata of 10 Debian stable releases published over the past two decades (corresponding to 82 thousand packages) | Upstream code, Publish |
| Detection, assessment and mitigation of vulnerabilities in open source dependencies | - To determine the differences in the findings reported by the tools Steady and OWASP DC.<br>- To evaluate the coverage of Steady’s vulnerability database.<br>- To identify strengths and weaknesses of the two approaches. | 300 large enterprise projects under active development, which have an average of 260 dependencies | Publish, Identify Bugs |
| Dependency Smells in JavaScript Projects | - How prevalent are JavaScript dependency smells?<br>- How do developers perceive dependency smells and their negative impact?<br>- Why are these smells introduced in JavaScript projects? | Open-source JavaScript projects from GitHub with at least 10 commits since January 2019 and 10 contributing authors | Publish, Identify Bugs |
