Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub

Davide Fucci, Massimiliano Di Penta, Simone Romano, Giuseppe Scanniello

TL;DR

This study investigates augmenting Software Bills of Materials (SBOMs) with vulnerability information by attaching CVE-related data in the VEX format to SBOMs. Focusing on 40 open-source GitHub projects with CycloneDX SBOMs, the authors identify CVEs via osv-scanner, generate VEX documents with vexctl, and submit PRs while inviting maintainers to complete a brief survey. Results show limited adoption (2 merges, 10 rejections, 28 open) and mixed opinions from maintainers; common concerns include the need for continuous, automated updates and integration into CI pipelines, as well as standardization challenges across SBOM formats. The study suggests that automated, lifecycle-aware augmentation of SBOMs is feasible and potentially useful, but its practical impact hinges on automation, ongoing updates, broader project coverage, and alignment with evolving regulations and standards. Future work should address continuous maintenance, monitoring of dependency changes, and broader validation across diverse ecosystems to advance supply-chain security practices.

Abstract

Software Bills of Material (SBOMs) are becoming a consolidated, often enforced by governmental regulations, way to describe software composition. However, based on recent studies, SBOMs suffer from limited support for their consumption and lack information beyond simple dependencies, especially regarding software vulnerabilities. This paper reports the results of a preliminary study in which we augmented SBOMs of 40 open-source projects with information about Common Vulnerabilities and Exposures (CVE) exposed by project dependencies. Our augmented SBOMs have been evaluated by submitting pull requests and by asking project owners to answer a survey. Although, in most cases, augmented SBOMs were not directly accepted because owners required a continuous SBOM update, the received feedback shows the usefulness of the suggested SBOM augmentation.

Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub

TL;DR

This study investigates augmenting Software Bills of Materials (SBOMs) with vulnerability information by attaching CVE-related data in the VEX format to SBOMs. Focusing on 40 open-source GitHub projects with CycloneDX SBOMs, the authors identify CVEs via osv-scanner, generate VEX documents with vexctl, and submit PRs while inviting maintainers to complete a brief survey. Results show limited adoption (2 merges, 10 rejections, 28 open) and mixed opinions from maintainers; common concerns include the need for continuous, automated updates and integration into CI pipelines, as well as standardization challenges across SBOM formats. The study suggests that automated, lifecycle-aware augmentation of SBOMs is feasible and potentially useful, but its practical impact hinges on automation, ongoing updates, broader project coverage, and alignment with evolving regulations and standards. Future work should address continuous maintenance, monitoring of dependency changes, and broader validation across diverse ecosystems to advance supply-chain security practices.

Abstract

Software Bills of Material (SBOMs) are becoming a consolidated, often enforced by governmental regulations, way to describe software composition. However, based on recent studies, SBOMs suffer from limited support for their consumption and lack information beyond simple dependencies, especially regarding software vulnerabilities. This paper reports the results of a preliminary study in which we augmented SBOMs of 40 open-source projects with information about Common Vulnerabilities and Exposures (CVE) exposed by project dependencies. Our augmented SBOMs have been evaluated by submitting pull requests and by asking project owners to answer a survey. Although, in most cases, augmented SBOMs were not directly accepted because owners required a continuous SBOM update, the received feedback shows the usefulness of the suggested SBOM augmentation.

Paper Structure

This paper contains 9 sections, 1 figure.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Study Methodology
  4. Study Results
  5. Analysis of Pull Request Comments
  6. Analysis of Survey Results
  7. Discussion
  8. Threats to Validity
  9. Conclusion and Future work

Figures (1)

  • Figure 1: Methodology overview.