evaluating and mitigating software supply chain security risks