A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM
Chengjie Wang, Jingzheng Wu, Hao Lyu, Xiang Ling, Tianyue Luo, Yanjun Wu, Chen Zhao

TL;DR
This paper conducts a large-scale empirical study on how well SBOM tools adhere to standards, revealing significant gaps in compliance, consistency, and accuracy that could impact supply chain security.
Contribution
It introduces SAP, an automated framework for evaluating SBOM tool adherence, and provides the first comprehensive large-scale analysis of these adherence gaps.
Findings
Low inter-tool consistency in package detection (7.84%-12.77%)
Poor longitudinal consistency over time
Inadequate accuracy in detailed software information, e.g., license detection below 20%
Abstract
A Software Bill of Materials (SBOM) is a machine-readable artifact that systematically organizes software information, enhancing supply chain transparency and security. To facilitate the exchange and utilization of SBOMs, organizations such as the Linux Foundation and OWASP have proposed SBOM standards. Following standards, organizations have developed tools for generating and utilizing SBOMs. However, limited research has examined the adherence of these SBOM tools to standard specifications, a gap that could lead to compliance failures and disruptions in SBOM utilization. This paper presents the first large-scale, two-stage empirical analysis of the adherence gap, using our automated evaluation framework, SAP. The evaluation, comprising a baseline evaluation and a one-year longitudinal follow-up, covers 55,444 SBOMs generated by six SBOM tools from 3,287 real-world repositories. Our…
Taxonomy
Topics: Software Engineering Research · Software Engineering Techniques and Practices · Software Reliability and Analysis Research
