eBPF-Based Build Provenance for Software Dependency Analysis


  • Duration: September 2023 to March 2024
  • Location: Oracle Labs Zurich


Compared to framework-specific software dependency analysis, we try to figure out a generic approach to analyze software dependencies through monitoring provenance during the build process. We differentiate buildtime (the build system), compiled and test dependencies.


End users: provide build container + configuration -> execute the build container -> software dependencies

Framework developers: provide example build containers of the framework -> the system finds interesting tracepoints -> add tracepoints to support fine-grained analysis of the framework.

Supported frameworks until Jan 2024:

  • Maven (Java)
  • Gradle (Java)
  • Cargo (Rust)
  • Go
  • Conan (C/C++)

Related Techniques

  • Online tracing with eBPF:
    • eBPF
    • Python BCC Framework
    • Python Multiprocessing
  • Customization:
    • JVM Internal (Class Loading: differentiates buildtime and compiled dependencies).
  • Bash Scripts


Ongoing. Master thesis submission: March 1 2024. Oral defense: Late March 2024.