Software Bills of Materials in Maven Central

TL;DR

This study analyzes how often developers publish SBOMs with Java packages in Maven Central, providing the first dataset of SBOMs from a package registry to support future research.

Contribution

It introduces a methodology to mine SBOMs from Maven Central and presents the first dataset of SBOMs collected from a package registry.

Findings

Collected 14,071 SBOMs from 7,290 package releases

Developers publish SBOMs with a significant portion of packages

Provides a new dataset for SBOM research

Abstract

Software Bills of Materials (SBOMs) are essential to ensure the transparency and integrity of the software supply chain. There is a growing body of work that investigates the accuracy of SBOM generation tools and the challenges for producing complete SBOMs. Yet, there is little knowledge about how developers distribute SBOMs. In this work, we mine SBOMs from Maven Central to assess the extent to which developers publish SBOMs along with the artifacts. We develop our work on top of the Goblin framework, which consists of a Maven Central dependency graph and a Weaver that allows augmenting the dependency graph with additional data. For this study, we select a sample of 10% of release nodes from the Maven Central dependency graph and collected 14,071 SBOMs from 7,290 package releases. We then augment the Maven Central dependency graph with the collected SBOMs. We present our methodology to mine SBOMs, as well as novel insights about SBOM publication. Our dataset is the first set of SBOMs collected from a package registry. We make it available as a standalone dataset, which can be used for future research about SBOMs and package distribution.