English

Operationalizing Research Software for Supply Chain Security

Software Engineering 2026-04-15 v1 Cryptography and Security

Abstract

Empirical studies of research software are hard to compare because the literature operationalizes ``research software'' inconsistently. Motivated by the research software supply chain (RSSC) and its security risks, we introduce an RSSC-oriented taxonomy that makes scope and operational boundaries explicit for empirical research software security studies. We conduct a targeted scoping review of recent repository mining and dataset construction studies, extracting each work's definition, inclusion criteria, unit of analysis, and identification heuristics. We synthesize these into a harmonized taxonomy and a mapping that translates prior approaches into shared taxonomy dimensions. We operationalize the taxonomy on a large community-curated corpus from the Research Software Encyclopedia (RSE), producing an annotated dataset, a labeling codebook, and a reproducible labeling pipeline. Finally, we apply OpenSSF Scorecard as a preliminary security analysis to show how repository-centric security signals differ across taxonomy-defined clusters and why taxonomy-aware stratification is necessary for interpreting RSSC security measurements.

Keywords

Cite

@article{arxiv.2601.20980,
  title  = {Operationalizing Research Software for Supply Chain Security},
  author = {Kelechi G. Kalu and Soham Rattan and Taylor R. Schorlemmer and George K. Thiruvathukal and Jeffrey C. Carver and James C. Davis},
  journal= {arXiv preprint arXiv:2601.20980},
  year   = {2026}
}
R2 v1 2026-07-01T09:24:33.453Z