Table of Contents
Fetching ...

A Survey on Mapping Digital Systems with Bill of Materials: Development, Practices, and Challenges

Shuai Zhang, Minzhao Lyu, Hassan Habibi Gharakheili

TL;DR

This survey addresses the need for transparency in digital supply chains by analyzing the development and cross-domain adoption of Bills of Materials (BOMs) across software, hardware, AI models, data, and cryptographic assets. It traces the evolution from foundational HBOM/SBOM concepts to domain-specific extensions (CBOM, AIBOM, SaaSBOM) and surveys data-generation, sharing, and downstream applications such as dependency modeling, compliance, and vulnerability tracing. The study identifies four key gaps—interoperability, expressiveness, cryptographic protection, and coverage for emerging ecosystems—and outlines directions toward dynamic runtime dependency modeling, trustworthy distribution, and lifecycle-aware BOM frameworks. Overall, the findings highlight BOMs as a critical tool for governance, risk management, and security across modern digital ecosystems, with practical implications for regulatory compliance and resilience of digital supply chains.

Abstract

Modern digital ecosystems, spanning software, hardware, learning models, datasets, and cryptographic products, continue to grow in complexity, making it difficult for organizations to understand and manage component dependencies. Bills of Materials (BOMs) have emerged as a structured way to document product components, their interrelationships, and key metadata, improving visibility and security across digital supply chains. This survey provides the first comprehensive cross-domain review of BOM developments and practices. We start by examining the evolution of BOM frameworks in three stages (i.e., pre-development, initial, and accelerated) and summarizing their core principles, key stakeholders, and standardization efforts for hardware, software, artificial intelligence (AI) models, datasets, and cryptographic assets. We then review industry practices for generating BOM data, evaluating its quality, and securely sharing it. Next, we review practical downstream uses of BOM data, including dependency modeling, compliance verification, operational risk assessment, and vulnerability tracking. We also discuss academic efforts to address limitations in current BOM frameworks through refinements, extensions, or new models tailored to emerging domains such as data ecosystems and AI supply chains. Finally, we identify four key gaps that limit the usability and reliability of today's BOM frameworks, motivating future research directions.

A Survey on Mapping Digital Systems with Bill of Materials: Development, Practices, and Challenges

TL;DR

This survey addresses the need for transparency in digital supply chains by analyzing the development and cross-domain adoption of Bills of Materials (BOMs) across software, hardware, AI models, data, and cryptographic assets. It traces the evolution from foundational HBOM/SBOM concepts to domain-specific extensions (CBOM, AIBOM, SaaSBOM) and surveys data-generation, sharing, and downstream applications such as dependency modeling, compliance, and vulnerability tracing. The study identifies four key gaps—interoperability, expressiveness, cryptographic protection, and coverage for emerging ecosystems—and outlines directions toward dynamic runtime dependency modeling, trustworthy distribution, and lifecycle-aware BOM frameworks. Overall, the findings highlight BOMs as a critical tool for governance, risk management, and security across modern digital ecosystems, with practical implications for regulatory compliance and resilience of digital supply chains.

Abstract

Modern digital ecosystems, spanning software, hardware, learning models, datasets, and cryptographic products, continue to grow in complexity, making it difficult for organizations to understand and manage component dependencies. Bills of Materials (BOMs) have emerged as a structured way to document product components, their interrelationships, and key metadata, improving visibility and security across digital supply chains. This survey provides the first comprehensive cross-domain review of BOM developments and practices. We start by examining the evolution of BOM frameworks in three stages (i.e., pre-development, initial, and accelerated) and summarizing their core principles, key stakeholders, and standardization efforts for hardware, software, artificial intelligence (AI) models, datasets, and cryptographic assets. We then review industry practices for generating BOM data, evaluating its quality, and securely sharing it. Next, we review practical downstream uses of BOM data, including dependency modeling, compliance verification, operational risk assessment, and vulnerability tracking. We also discuss academic efforts to address limitations in current BOM frameworks through refinements, extensions, or new models tailored to emerging domains such as data ecosystems and AI supply chains. Finally, we identify four key gaps that limit the usability and reliability of today's BOM frameworks, motivating future research directions.
Paper Structure (64 sections, 3 figures)

This paper contains 64 sections, 3 figures.

Figures (3)

  • Figure 1: Key topics covered in this survey.
  • Figure 2: Development of BOM concepts across three stages (1910s---2025), moving from hardware-focused use-cases to software, AI/data, cryptographic, and SaaS-specific implementations. Dashed lines indicate pre-standardization developments, and solid lines represent periods of formalized BOM standards.
  • Figure 3: The structures of current BOM frameworks including SBOM, CBOM, AIBOM, HBOM and SaaSBOM, with common data fields in blue color and domain-specific fields in green color.