A Landscape Study of Open Source and Proprietary Tools for Software Bill of Materials (SBOM)
Mehdi Mirakhorli, Derek Garcia, Schuyler Dillon, Kevin Laporte, Matthew Morrison, Henry Lu, Viktoria Koscinski, Christopher Enoch

TL;DR
This paper provides an extensive empirical analysis of 84 open-source and proprietary SBOM tools, highlighting current market trends, use cases, and gaps to improve software supply chain security.
Contribution
It offers a comprehensive landscape study of SBOM tools, identifying key features, gaps, and emerging use cases in software supply chain security.
Findings
Analysis of 84 SBOM tools reveals market trends.
Identification of gaps in SBOM technology and use cases.
Highlighting the importance of SBOMs in security enhancement.
Abstract
Modern software applications heavily rely on diverse third-party components, libraries, and frameworks sourced from various vendors and open source repositories, presenting a complex challenge for securing the software supply chain. To address this complexity, the adoption of a Software Bill of Materials (SBOM) has emerged as a promising solution, offering a centralized repository that inventories all third-party components and dependencies used in an application. Recent supply chain breaches, exemplified by the SolarWinds attack, underscore the urgent need to enhance software security and mitigate vulnerability risks, with SBOMs playing a pivotal role in this endeavor by revealing potential vulnerabilities, outdated components, and unsupported elements. This research paper conducts an extensive empirical analysis to assess the current landscape of open-source and proprietary tools…
Taxonomy
Topics: Open Source Software Innovations
