
A comprehensive study on software bill of materials tools, challenges and adoption barriers

Sarwar, Mohammad Wasee (2024)

View/Open
mastersthesis_Sarwar_Mohammad Wasee.pdf (864.8Kb)


Master's thesis

Sarwar, Mohammad Wasee
2024

School of Engineering Science, Computer Science

All rights reserved.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi-fe2024120298437

Abstract

Software supply chain attacks have been increasing continuously in recent times, posing a significant threat to modern software systems. To mitigate these security risks, the U.S. government has mandated the use of Software Bills of Materials (SBOMs) for organizations doing business with it. An SBOM provides an extensive inventory listing the software components and dependencies of a product, enabling transparency and supporting effective decisions regarding security, risk management, and compliance. However, challenges remain in the accuracy, completeness, and adoption of SBOMs. Following established systematic literature review (SLR) guidelines, the research involved a comprehensive search across four major databases (IEEE Xplore, ACM Digital Library, Scopus, and Web of Science) to identify relevant literature published between 2020 and October 2024. After a careful screening and selection process, 30 research papers were chosen for in-depth analysis.

The analysis identified ten widely used open-source SBOM tools, including Syft, SPDX SBOM Generator, and others, each with varying capabilities and limitations. While these tools offer a variety of features, challenges remain in accurately capturing dependencies, ensuring metadata completeness, and meeting specific standards. Additionally, the research identifies several barriers to SBOM adoption, including tool immaturity, lack of standardization, limited awareness, and concerns about time and resource constraints.

This thesis contributes to the understanding of SBOMs by identifying key challenges and proposing potential solutions to enhance SBOM tool accuracy and promote wider adoption. The findings have implications for improving software supply chain security and fostering a more transparent and trustworthy software ecosystem. Despite the challenges, the growing recognition of SBOMs’ importance and ongoing efforts to improve tooling and standardization suggest a promising future for SBOM adoption and its contribution to a more secure software supply chain.

This thesis conducts a systematic literature review (SLR) to analyze the current widely used SBOM tools and identify key challenges and opportunities for enhancing their accuracy and adoption.
Collections
  • Master's theses and Pro gradu theses [14743]
LUT-yliopisto
PL 20
53851 Lappeenranta