eBPF-Based Build Provenance for Software Dependency Analysis


  • Duration: September 2023 to March 2024
  • Location: Oracle Labs Zurich


We provide a blackbox approach to reverse enginner the software dependencies by monitoring syscalls during the build process. This generic approach benefits from the low cost of framework customization and adaption. To improve high correctness, we allow user-level function instrumentation (e. g. JVM class loaders).


End users: provide build container + configuration -> execute the build container -> software dependencies

Framework developers: provide example build containers of the framework -> the system finds interesting tracepoints -> add tracepoints to support fine-grained analysis of the framework.

Supported frameworks until Jan 2024:

  • Maven (Java)
  • Gradle (Java)
  • Cargo (Rust)
  • Go
  • Conan (C/C++)

Related Techniques

  • Online tracing with eBPF:
    • eBPF
    • Python BCC Framework
    • Python Multiprocessing
  • Customization:
    • JVM Internal (Class Loading: differentiates buildtime and compiled dependencies).
  • Bash Scripts


Completed in March 2024. Patents submitted.