An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead

TL;DR

This paper presents an empirical study on the current state, perceptions, and challenges of adopting software bill of materials (SBOM) in practice, based on interviews and surveys with practitioners worldwide.

Contribution

It is the first empirical investigation into practitioners' views on SBOM, providing insights and a goal model to guide future efforts in the field.

Findings

Practitioners see SBOM as crucial for supply chain transparency.

Challenges include lack of standardization and integration issues.

Practitioners suggest future research directions.

Abstract

The rapid growth of software supply chain attacks has attracted considerable attention to software bill of materials (SBOM). SBOMs are a crucial building block to ensure the transparency of software supply chains that helps improve software supply chain security. Although there are significant efforts from academia and industry to facilitate SBOM development, it is still unclear how practitioners perceive SBOMs and what are the challenges of adopting SBOMs in practice. Furthermore, existing SBOM-related studies tend to be ad-hoc and lack software engineering focuses. To bridge this gap, we conducted the first empirical study to interview and survey SBOM practitioners. We applied a mixed qualitative and quantitative method for gathering data from 17 interviewees and 65 survey respondents from 15 countries across five continents to understand how practitioners perceive the SBOM field. We summarized 26 statements and grouped them into three topics on SBOM's states of practice. Based on the study results, we derived a goal model and highlighted future directions where practitioners can put in their effort.