Litcius/Paper detail

Impacts of Software Bill of Materials (SBOM) Generation on Vulnerability Detection

Eric O’Donoghue, Brittany Boles, Clemente Izurieta, Ann Marie Reinhold

202313 citationsDOIOpen Access PDF

Abstract

The software supply chain (SSC) continues to face cybersecurity threats. To assist in securing SSCs, Software Bill of Materials (SBOM) has emerged as a pivotal technology. Despite the increasing use of SBOMs, the influence of SBOM generation on vulnerability detection was unaddressed. We created four corpora of SBOMs from 2,313 Docker images by varying SBOM generation tool (Syft, Trivy) and SBOM format (CycloneDX, SPDX). Using three common SBOM analysis tools (Trivy, Grype, CVE-bin-tool), we investigated how the reported vulnerabilities for the same software artifact varied when we changed only the SBOM generation tool and format. With the complex nature of SBOM generation and analysis, we expected some variation in reported vulnerabilities. However, we found high variability in vulnerability reporting attributed to SBOM generation. The variation in the quantity of vulnerabilities discovered in the same software artifact highlights the need for rigorous validation and enhancement of SBOM technologies to best secure SSCs.

Topics & Concepts

Vulnerability (computing)Computer scienceSoftwareVulnerability assessmentComputer securityOperating systemPsychotherapistPsychologyPsychological resilienceSoftware Engineering ResearchSoftware Testing and Debugging TechniquesSoftware Reliability and Analysis Research
Impacts of Software Bill of Materials (SBOM) Generation on Vulnerability Detection | Litcius