Table of Contents
Fetching ...

A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM

Chengjie Wang, Jingzheng Wu, Hao Lyu, Xiang Ling, Tianyue Luo, Yanjun Wu, Chen Zhao

TL;DR

The paper tackles the problem of ensuring SBOMs reliably reflect standard specifications by introducing SAP, a three-stage framework that generates, extracts, and evaluates SBOMs from a large real-world corpus. Through a two-stage study (baseline and one-year follow-up) across $55,444$ SBOMs and $3,287$ repositories using $6$ tools, it finds persistent gaps in compliance, inter-tool consistency, and field-level accuracy, with policy fields like NTIA+ often missing and inter-tool agreement averaging as low as $7.84 ext{–}12.77 ext%$. The authors attribute these gaps to unclear standard constraints and divergent tool evolutions, and demonstrate SAP's utility via ground-truth construction, reproducible experiments, and open-source artifacts. The results have practical implications for SBOM interoperability, risk management in software supply chains, and guide improvements in standard conformance and tool verification processes. Overall, the work reveals systemic, volatile challenges in current SBOM ecosystems and provides a concrete framework and data to drive improvements.

Abstract

A Software Bill of Materials (SBOM) is a machine-readable artifact that systematically organizes software information, enhancing supply chain transparency and security. To facilitate the exchange and utilization of SBOMs, organizations such as the Linux Foundation and OWASP have proposed SBOM standards. Following standards, organizations have developed tools for generating and utilizing SBOMs. However, limited research has examined the adherence of these SBOM tools to standard specifications, a gap that could lead to compliance failures and disruptions in SBOM utilization. This paper presents the first large-scale, two-stage empirical analysis of the adherence gap, using our automated evaluation framework, SAP. The evaluation, comprising a baseline evaluation and a one-year longitudinal follow-up, covers 55,444 SBOMs generated by six SBOM tools from 3,287 real-world repositories. Our analysis reveals persistent, fundamental limitations in current SBOM tools: (1) inadequate compliance support with policy requirements; (2) poor tool consistencies, including inter-tool consistency rates as low as 7.84% to 12.77% for package detection across languages, and significant longitudinal inconsistency, where tools show low consistency with their own prior versions; and (3) mediocre to poor accuracy for detailed software information, e.g., accuracy of package licenses below 20%. We analyze the root causes of these gaps and provide practical solutions. All the code, replication docker image, evaluation results are open sourced at [GitHub](https://github.com/dw763j/SAP) and [Zenodo](https://doi.org/10.5281/zenodo.14998624) for further researches.

A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM

TL;DR

The paper tackles the problem of ensuring SBOMs reliably reflect standard specifications by introducing SAP, a three-stage framework that generates, extracts, and evaluates SBOMs from a large real-world corpus. Through a two-stage study (baseline and one-year follow-up) across SBOMs and repositories using tools, it finds persistent gaps in compliance, inter-tool consistency, and field-level accuracy, with policy fields like NTIA+ often missing and inter-tool agreement averaging as low as . The authors attribute these gaps to unclear standard constraints and divergent tool evolutions, and demonstrate SAP's utility via ground-truth construction, reproducible experiments, and open-source artifacts. The results have practical implications for SBOM interoperability, risk management in software supply chains, and guide improvements in standard conformance and tool verification processes. Overall, the work reveals systemic, volatile challenges in current SBOM ecosystems and provides a concrete framework and data to drive improvements.

Abstract

A Software Bill of Materials (SBOM) is a machine-readable artifact that systematically organizes software information, enhancing supply chain transparency and security. To facilitate the exchange and utilization of SBOMs, organizations such as the Linux Foundation and OWASP have proposed SBOM standards. Following standards, organizations have developed tools for generating and utilizing SBOMs. However, limited research has examined the adherence of these SBOM tools to standard specifications, a gap that could lead to compliance failures and disruptions in SBOM utilization. This paper presents the first large-scale, two-stage empirical analysis of the adherence gap, using our automated evaluation framework, SAP. The evaluation, comprising a baseline evaluation and a one-year longitudinal follow-up, covers 55,444 SBOMs generated by six SBOM tools from 3,287 real-world repositories. Our analysis reveals persistent, fundamental limitations in current SBOM tools: (1) inadequate compliance support with policy requirements; (2) poor tool consistencies, including inter-tool consistency rates as low as 7.84% to 12.77% for package detection across languages, and significant longitudinal inconsistency, where tools show low consistency with their own prior versions; and (3) mediocre to poor accuracy for detailed software information, e.g., accuracy of package licenses below 20%. We analyze the root causes of these gaps and provide practical solutions. All the code, replication docker image, evaluation results are open sourced at [GitHub](https://github.com/dw763j/SAP) and [Zenodo](https://doi.org/10.5281/zenodo.14998624) for further researches.
Paper Structure (51 sections, 7 equations, 5 figures, 18 tables)

This paper contains 51 sections, 7 equations, 5 figures, 18 tables.

Figures (5)

  • Figure 1: Overview pipeline of the empirical analysis based on SAP.
  • Figure 2: Compliance evaluation results across languages. The legend (top right) shows both CycloneDX and SPDX results, where the tools in CycloneDX are marked with "*" and tools in SPDX are unmarked. The "mandatory" axis includes results for all mandatory fields of each standard, while the remaining data fields are from $NTIA^+$ (the creator field is overlapped in "mandatory"). Best viewed in color.
  • Figure 3: The Kernel Density Estimate (KDE) distribution of consistency results for all paired repositories of the gh-sbom$\leftrightarrow$cdxgen tool pair in the CycloneDX standard. The distribution position with high density means high portion of repositories show the consistency score at that position. Best viewed in color.
  • Figure 4: The KDE distribution of precision and recall results for package detection across SBOM tools. The sbom-tool uses the SPDX format, while the other tools use CycloneDX. This result illustrates the relatively high proportion of mismatched packages in the SBOMs generated by SBOM tools. Best viewed in color.
  • Figure :