Litcius/Paper detail

On the Correctness of Metadata-Based SBOM Generation: A Differential Analysis Approach

Sheng Yu, Wei Song, Xunchao Hu, Heng Yin

202418 citationsDOIOpen Access PDF

Abstract

Amidst rising concerns of software supply chain attacks, the Software Bill of Materials (SBOM) has emerged as a pivotal tool, offering a detailed listing of software components to manage vulnerabilities, dependencies, and licensing. While many SBOM generation tools are extensively used in both commercial and open-source realms, the correctness of these tools remains largely unscrutinized. To date, there has not been a systematic study addressing the correctness of contemporary SBOM generation solutions. In this paper, we conduct a large-scale differential analysis of the correctness of four popular SBOM generators. Surprisingly, our evaluation reveals all four SBOM generators exhibit inconsistent SBOMs and dependency omissions, leading to incomplete and potentially inaccurate SBOMs. Moreover, we construct a parser confusion attack against these tools, introducing a new attack vector to conceal malicious, vulnerable, or illegal packages within the software supply chain. Drawing from our analysis, we propose best practices for SBOM generation and introduce a benchmark to steer the development of more robust SBOM generators.

Topics & Concepts

Computer scienceCorrectnessMetadataInformation retrievalProgramming languageWorld Wide WebSoftware Engineering ResearchWikis in Education and CollaborationOpen Source Software Innovations
On the Correctness of Metadata-Based SBOM Generation: A Differential Analysis Approach | Litcius