Search papers, labs, and topics across Lattice.
This paper investigates the accuracy of Software Bills of Material (SBOMs) in representing software dependencies and component identities, focusing on hidden code-level dependencies and component variants. They find that these mismatches lead to inconsistent vulnerability reporting and handling of VEX statements across popular SBOM-based vulnerability scanners. The study highlights limitations in current SBOM production and consumption practices, advocating for richer dependency representation and component identity schemes.
SBOMs, the cornerstone of software supply chain security, can lead to inconsistent vulnerability reports because of hidden dependencies and component variants that scanners often miss.
Software Bills of Material (SBOMs) have emerged as an important technology for vulnerability management amid rising supply-chain attacks. They represent component relationships within a software product and support software composition analysis (SCA) by linking components to known vulnerabilities. However, the effectiveness of SBOM-based analysis depends on how accurately SBOMs represent component identities and actual dependencies in software. This paper studies two mismatch patterns: hidden code-level dependencies that are not represented as component-level dependencies, and component variants (clones) that cannot be identified consistently by scanners. We show that these mismatches can lead to inconsistent vulnerability reporting and inconsistent handling of VEX statements across popular SBOM-based vulnerability scanners. These results highlight limitations in current SBOM production and consumption and motivate richer dependency representation and component identity.
