SBOM Challenges for Developers: From Analysis of Stack Overflow Questions

Wataru Otoda, Tetsuya Kanda, Yuki Manabe, Katsuro Inoue, Yoshiki Higo

TL;DR

This paper investigates why developers struggle with SBOM adoption by mining Stack Overflow questions. It uses keyword-driven collection and manual filtering to analyze answerability, temporal trends, and common challenges around CycloneDX and SPDX. Key findings include a low SBOM question resolution rate around 15%, a rising volume of SBOM questions from 2020 to 2023 with acceleration after 2021, and three main challenges: insufficient tool coverage, unmet regulatory/format requirements, and tool immaturity/unclear usage. The results underscore a gap between SBOM tooling and developer practice, indicating a need for broader tool support, better coverage of use cases, and cross-platform study.

Abstract

Current software development takes advantage of many external libraries, but this entails security and copyright risks. While the use of the Software Bill of Materials (SBOM) has been encouraged to cope with this problem, its adoption is still insufficient. In this research, we analyzed the challenges that developers face in putting SBOMs to use by examining questions about SBOM utilization on Stack Overflow, a Q&A site for developers. As a result, we found that (1) the proportion of resolved questions about SBOM use is 15.0%, which is extremely low, (2) the number of new questions increased steadily from 2020 to 2023, and (3) SBOM users face three major challenges with SBOM tools.
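The analysis flow the abstract and TL;DR describe (keyword-driven collection, manual filtering, answered versus resolved rates, annual trend), as an added Python example that is not the paper's own code. The field names mirror the Stack Exchange data dump, but every record, the keyword list beyond sbom/cyclonedx/spdx, and the manual-exclusion set are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Field names mirror the Stack Exchange data dump (Posts.xml); records are constructed.
@dataclass(frozen=True)
class Question:
    id: int
    title: str
    tags: str                       # dump style: "<tag1><tag2>"
    creation_year: int
    answer_count: int
    accepted_answer_id: Optional[int]

KEYWORDS = ("sbom", "cyclonedx", "spdx")

QUESTIONS: List[Question] = [
    Question(1, "How to generate an SBOM for a Maven project?", "<maven><sbom>", 2021, 1, 101),
    Question(2, "CycloneDX plugin ignores Gradle subprojects", "<gradle><cyclonedx>", 2022, 1, None),
    Question(3, "Convert SPDX JSON to CycloneDX", "<spdx><cyclonedx>", 2023, 0, None),
    Question(4, "Which SPDX license identifier for dual licensing?", "<licensing><spdx>", 2022, 2, 401),
    Question(5, "Syft produces empty SBOM for a scratch image", "<docker><sbom>", 2023, 0, None),
]
# Constructed stand-in for the manual filtering step: question 4 matches the "spdx"
# keyword but concerns license identifiers rather than SBOM use, so it is dropped.
MANUALLY_EXCLUDED = {4}

def matches_keywords(q: Question) -> bool:
    """Keyword hit on title or tags (case-insensitive)."""
    text = (q.title + " " + q.tags).lower()
    return any(k in text for k in KEYWORDS)

def collect(questions: List[Question]) -> List[Question]:
    """Keyword-driven collection followed by manual filtering."""
    return [q for q in questions if matches_keywords(q) and q.id not in MANUALLY_EXCLUDED]

def rates(questions: List[Question]) -> dict:
    """Answered = at least one answer; resolved = an answer was accepted."""
    n = len(questions)
    answered = sum(1 for q in questions if q.answer_count > 0)
    resolved = sum(1 for q in questions if q.accepted_answer_id is not None)
    return {"answered": answered / n, "resolved": resolved / n}

def annual_trend(questions: List[Question]) -> dict:
    """Number of new SBOM questions per year, in chronological order."""
    return dict(sorted(Counter(q.creation_year for q in questions).items()))

if __name__ == "__main__":
    sbom_questions = collect(QUESTIONS)
    print(rates(sbom_questions))          # {'answered': 0.5, 'resolved': 0.25}
    print(annual_trend(sbom_questions))   # {2021: 1, 2022: 1, 2023: 2}
```

The gap between the answered and resolved rates is the quantity Figure 3 reports; keyword hits like question 4 are why the manual pass is needed.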

Paper Structure

This paper contains 12 sections, 4 figures, and 1 table.

Figures (4)

  • Figure 1: A question found on Stack Overflow.
  • Figure 2: Flow of this analysis.
  • Figure 3: Answered and Resolved Rate of SBOM Questions.
  • Figure 4: Annual Trends in the Number of New SBOM Questions.