Software Bills of Materials in Maven Central
Yogya Gamage, Nadia Gonzalez Fernandez, Martin Monperrus, Benoit Baudry
TL;DR
This paper addresses the emergence and publication of Software Bills of Materials (SBOMs) in a package registry by mining SBOMs from Maven Central and integrating them into the existing dependency graph via an extended Goblin Weaver pipeline. It samples 10% of Maven Central releases, collecting 14,071 SBOMs across 7,290 releases and releases a dataset and an augmented graph to support future research. Key findings show a substantial post-2021 surge in SBOM publication driven by policy and tooling adoption, with CycloneDX dominating over SPDX and most SBOMs aligning with direct dependency relations, though some mismatches arise from submodules and publication practices. The contributions include methodological extensions, a new SBOM-augmented graph, and a publicly available SBOM dataset that enables deeper analysis of SBOM content, provenance, and distribution in package registries. Overall, the work advances understanding of SBOM publication in registries and provides resources for studying SBOM quality, provenance, and registry-wide effects.
Abstract
Software Bills of Materials (SBOMs) are essential to ensure the transparency and integrity of the software supply chain. There is a growing body of work that investigates the accuracy of SBOM generation tools and the challenges for producing complete SBOMs. Yet, there is little knowledge about how developers distribute SBOMs. In this work, we mine SBOMs from Maven Central to assess the extent to which developers publish SBOMs along with the artifacts. We develop our work on top of the Goblin framework, which consists of a Maven Central dependency graph and a Weaver that allows augmenting the dependency graph with additional data. For this study, we select a sample of 10% of release nodes from the Maven Central dependency graph and collected 14,071 SBOMs from 7,290 package releases. We then augment the Maven Central dependency graph with the collected SBOMs. We present our methodology to mine SBOMs, as well as novel insights about SBOM publication. Our dataset is the first set of SBOMs collected from a package registry. We make it available as a standalone dataset, which can be used for future research about SBOMs and package distribution.
