From dee410c4b95c595a5d8c0b4cde4c47c435174514 Mon Sep 17 00:00:00 2001 From: Aman Sharma Date: Wed, 8 Apr 2026 16:13:15 +0200 Subject: [PATCH] Add thesis topic: Dependency Fingerprinting from Partial Observations Co-Authored-By: Claude Sonnet 4.6 --- master-thesis.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/master-thesis.md b/master-thesis.md index 78e188b..186bccc 100644 --- a/master-thesis.md +++ b/master-thesis.md @@ -127,6 +127,16 @@ trustworthy software systems.

  • https://github.com/rschwietzke/jmh-C2-compile
    1. +### Dependency Fingerprinting: Reconstructing Full Dependency Trees from Partial Observations +Contact: Aman Sharma, Eric Cornelissen + +Package registries expose rich dependency metadata, but in some settings (e.g., private registries, zero-knowledge SBOMs, or obfuscated build manifests) only a subset of a package's dependencies is known. +This thesis investigates how much of a package's full dependency tree can be inferred from a partial observation of its dependencies. +Given a set of seed dependencies — a few known direct or transitive packages — the goal is to reconstruct the remaining dependency graph using statistical co-occurrence patterns mined from public registries. +The study will evaluate inference accuracy as a function of the number and "uniqueness" of seed packages, and compare reconstruction fidelity across ecosystems (Maven, NPM, Go, Rust). +The results have direct implications for the privacy guarantees of partial SBOM disclosures and zero-knowledge proofs over dependency sets. + +
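Review bot: In the added paragraph, the evaluation sentence relies on terms the text never defines: "uniqueness" of seed packages is only given in scare quotes, and "inference accuracy" and "reconstruction fidelity" are named without saying what the reconstructed graph is compared against. One more sentence stating the intended uniqueness measure and the ground truth (for example, the full dependency trees of public packages with some dependencies withheld) would let a student judge the scope. The motivating settings also include private registries, while the co-occurrence patterns are "mined from public registries"; it is worth saying whether dependencies that exist only in a private registry are out of scope, since public data cannot contain them. Smaller style points: the ecosystem list writes "NPM" where the project styles its name "npm", and the hunk ends with two added blank lines where one is enough to separate sections.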