TL;DR
This comprehensive study explores the challenges faced by stakeholders in creating and using Software Bills of Materials (SBOMs), highlighting key issues and proposing actionable solutions to improve adoption and effectiveness.
Contribution
It provides the first large-scale survey and interviews revealing practical challenges and offers targeted solutions for SBOM adoption in diverse domains.
Findings
Identified 12 major challenges in SBOM creation and use
Proposed 4 actionable solutions to address these challenges
Highlighted domain-specific issues affecting SBOM effectiveness
Abstract
Software Bills of Materials (SBOMs) have emerged as tools to facilitate the management of software dependencies, vulnerabilities, licenses, and the supply chain. While significant effort has been devoted to increasing SBOM awareness and developing SBOM formats and tools, recent studies have shown that SBOMs are still an early technology not yet adequately adopted in practice. Expanding on previous research, this paper reports a comprehensive study that investigates the current challenges stakeholders encounter when creating and using SBOMs. The study surveyed 138 practitioners belonging to five stakeholder groups (practitioners familiar with SBOMs, members of critical open source projects, AI/ML, cyber-physical systems, and legal practitioners) using differentiated questionnaires, and interviewed 8 survey respondents to gather further insights about their experience. We identified 12…