A Reality Check on SBOM-based Vulnerability Management: An Empirical Study and A Path Forward
Li Zhou, Marc Dacier, Charalambos Konstantinou
TL;DR
This work investigates SBOM-based vulnerability management and finds that, while using lock-file inputs from strong package managers (PMs) yields accurate, reproducible SBOMs, downstream vulnerability scanners still generate excessive false positives (≈97.5%). The authors demonstrate that a two-stage pipeline, which first generates a ground-truth SBOM from lock files and then applies function-call reachability analysis, significantly reduces false alarms (≈63.3% pruned) and yields actionable security reports. They validate the approach across 2,414 repositories spanning four languages and show a practical case in which transitioning from a weak PM to a strong PM eliminates false positives and vulnerabilities. The study advocates the widespread adoption of lock-file-based SBOM generation and reachability-aware vulnerability analysis to improve software supply chain (SSC) security and mitigate alert fatigue.
Abstract
The Software Bill of Materials (SBOM) is a critical tool for securing the software supply chain (SSC), but its practical utility is undermined by inaccuracies in both its generation and its application in vulnerability scanning. This paper presents a large-scale empirical study on 2,414 open-source repositories to address these issues from a practical standpoint. First, we demonstrate that using lock files with strong package managers enables the generation of accurate and consistent SBOMs, establishing a reliable foundation for security analysis. Using this high-fidelity foundation, however, we expose a more fundamental flaw in practice: downstream vulnerability scanners produce a staggering 97.5% false positive rate. We pinpoint the primary cause as the flagging of vulnerabilities within unreachable code. We then demonstrate that function call analysis can effectively prune 63.3% of these false alarms. Our work validates a practical, two-stage approach for SSC security: first, generate an accurate SBOM using lock files and strong package managers, and second, enrich it with function call analysis to produce actionable, low-noise vulnerability reports that alleviate developers' alert fatigue.
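The two-stage approach described in the abstract, as an added toy illustration that is not the paper's tooling or data: stage one derives a minimal SBOM from a lock file's pinned versions and matches it against an advisory feed the way a plain dependency scanner does; stage two keeps only the alerts whose vulnerable functions are reachable from the application's entry points in a call graph. The lock file (in the package-lock.json v3 layout), the advisories with their placeholder `ADV-EXAMPLE-*` ids, the `vulnerable_functions` field and the call graph are all constructed sample inputs, and the single `<upper` version constraint is a deliberate simplification of real advisory ranges.

```python
"""Toy two-stage SBOM vulnerability pipeline (added illustration, not the paper's tooling).

Stage 1: build a component list (a minimal SBOM) from a lock file's pinned versions
         and match it against an advisory feed, as a dependency scanner would.
Stage 2: keep only alerts whose vulnerable functions are reachable from the
         application's entry points in a call graph.
All inputs below are constructed sample data.
"""
import json
from collections import deque

# Constructed lock file using the package-lock.json v3 layout: "packages" is keyed by
# install path, "" is the root project, and each entry carries its pinned "version".
LOCK_FILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/alpha-parse": {"version": "2.3.1"},
        "node_modules/beta-render": {"version": "0.9.0"},
        "node_modules/gamma-util": {"version": "4.0.2"},
    },
})

# Constructed advisories with placeholder ids. "affected" is a single "<" upper bound and
# "vulnerable_functions" names the functions that contain the flaw (a hypothetical field).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "alpha-parse", "affected": "<2.4.0",
     "vulnerable_functions": ["alpha-parse.parseHeader"]},
    {"id": "ADV-EXAMPLE-2", "package": "beta-render", "affected": "<1.0.0",
     "vulnerable_functions": ["beta-render.renderTemplate"]},
    {"id": "ADV-EXAMPLE-3", "package": "gamma-util", "affected": "<3.0.0",
     "vulnerable_functions": ["gamma-util.pick"]},
    {"id": "ADV-EXAMPLE-4", "package": "gamma-util", "affected": "<5.0.0",
     "vulnerable_functions": ["gamma-util.deepMerge"]},
]

# Constructed call graph (caller -> callees) of the shape a static analyser would emit.
# renderTemplate is never called by the app, so deepMerge is transitively unreachable.
CALL_GRAPH = {
    "app.main": ["app.loadConfig", "beta-render.escape"],
    "app.loadConfig": ["alpha-parse.parseHeader"],
    "alpha-parse.parseHeader": [],
    "beta-render.escape": [],
    "beta-render.renderTemplate": ["gamma-util.deepMerge"],
    "gamma-util.deepMerge": [],
}
ENTRY_POINTS = ["app.main"]


def sbom_from_lock(lock_text):
    """Stage 1a: derive components with pinned versions and package URLs from the lock file."""
    lock = json.loads(lock_text)
    components = []
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root project is not a dependency
        name = path.rsplit("node_modules/", 1)[1]
        components.append({"name": name, "version": entry["version"],
                           "purl": f"pkg:npm/{name}@{entry['version']}"})
    return components


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def is_affected(version, constraint):
    """True when `version` lies below the advisory's '<' upper bound (constructed simplification)."""
    assert constraint.startswith("<"), "only '<upper' constraints are modelled here"
    return _version_tuple(version) < _version_tuple(constraint[1:])


def scan(components, advisories):
    """Stage 1b: plain dependency scanning; every version match becomes an alert."""
    alerts = []
    for comp in components:
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv["affected"]):
                alerts.append({"id": adv["id"], "purl": comp["purl"],
                               "vulnerable_functions": adv["vulnerable_functions"]})
    return alerts


def reachable_functions(call_graph, entry_points):
    """Breadth-first walk of the call graph from the entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def prune_unreachable(alerts, reachable):
    """Stage 2: drop alerts whose vulnerable functions are never reached from an entry point."""
    return [a for a in alerts if any(fn in reachable for fn in a["vulnerable_functions"])]


def run_pipeline():
    """Run both stages and report how many scanner alerts survive reachability pruning."""
    components = sbom_from_lock(LOCK_FILE)
    alerts = scan(components, ADVISORIES)
    reachable = reachable_functions(CALL_GRAPH, ENTRY_POINTS)
    kept = prune_unreachable(alerts, reachable)
    return {"scanner_alerts": len(alerts), "reachable_alerts": len(kept),
            "pruned": len(alerts) - len(kept), "kept_ids": [a["id"] for a in kept]}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

On the constructed inputs the scanner raises three alerts (ADV-EXAMPLE-1, -2 and -4; ADV-EXAMPLE-3 does not match the pinned version), and reachability pruning keeps only ADV-EXAMPLE-1. ADV-EXAMPLE-4 is dropped even though its package is present and its version is in range, because the only caller of `gamma-util.deepMerge` is itself unreachable, which is exactly the class of alert the paper attributes to flagging vulnerabilities in unreachable code.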
