Saved in:
Bibliographic Details
Main Authors: Wang, Chengjie, Wu, Jingzheng, Lyu, Hao, Ling, Xiang, Luo, Tianyue, Wu, Yanjun, Zhao, Chen
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2601.05622
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911387650883584
author Wang, Chengjie
Wu, Jingzheng
Lyu, Hao
Ling, Xiang
Luo, Tianyue
Wu, Yanjun
Zhao, Chen
author_facet Wang, Chengjie
Wu, Jingzheng
Lyu, Hao
Ling, Xiang
Luo, Tianyue
Wu, Yanjun
Zhao, Chen
contents A Software Bill of Materials (SBOM) is a machine-readable artifact that systematically organizes software information, enhancing supply chain transparency and security. To facilitate the exchange and utilization of SBOMs, organizations such as the Linux Foundation and OWASP have proposed SBOM standards. Following standards, organizations have developed tools for generating and utilizing SBOMs. However, limited research has examined the adherence of these SBOM tools to standard specifications, a gap that could lead to compliance failures and disruptions in SBOM utilization. This paper presents the first large-scale, two-stage empirical analysis of the adherence gap, using our automated evaluation framework, SAP. The evaluation, comprising a baseline evaluation and a one-year longitudinal follow-up, covers 55,444 SBOMs generated by six SBOM tools from 3,287 real-world repositories. Our analysis reveals persistent, fundamental limitations in current SBOM tools: (1) inadequate compliance support with policy requirements; (2) poor tool consistencies, including inter-tool consistency rates as low as 7.84% to 12.77% for package detection across languages, and significant longitudinal inconsistency, where tools show low consistency with their own prior versions; and (3) mediocre to poor accuracy for detailed software information, e.g., accuracy of package licenses below 20%. We analyze the root causes of these gaps and provide practical solutions. All the code, replication docker image, evaluation results are open sourced at [GitHub](https://github.com/dw763j/SAP) and [Zenodo](https://doi.org/10.5281/zenodo.14998624) for further researches.
format Preprint
id arxiv_https___arxiv_org_abs_2601_05622
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM
Wang, Chengjie
Wu, Jingzheng
Lyu, Hao
Ling, Xiang
Luo, Tianyue
Wu, Yanjun
Zhao, Chen
Software Engineering
A Software Bill of Materials (SBOM) is a machine-readable artifact that systematically organizes software information, enhancing supply chain transparency and security. To facilitate the exchange and utilization of SBOMs, organizations such as the Linux Foundation and OWASP have proposed SBOM standards. Following standards, organizations have developed tools for generating and utilizing SBOMs. However, limited research has examined the adherence of these SBOM tools to standard specifications, a gap that could lead to compliance failures and disruptions in SBOM utilization. This paper presents the first large-scale, two-stage empirical analysis of the adherence gap, using our automated evaluation framework, SAP. The evaluation, comprising a baseline evaluation and a one-year longitudinal follow-up, covers 55,444 SBOMs generated by six SBOM tools from 3,287 real-world repositories. Our analysis reveals persistent, fundamental limitations in current SBOM tools: (1) inadequate compliance support with policy requirements; (2) poor tool consistencies, including inter-tool consistency rates as low as 7.84% to 12.77% for package detection across languages, and significant longitudinal inconsistency, where tools show low consistency with their own prior versions; and (3) mediocre to poor accuracy for detailed software information, e.g., accuracy of package licenses below 20%. We analyze the root causes of these gaps and provide practical solutions. All the code, replication docker image, evaluation results are open sourced at [GitHub](https://github.com/dw763j/SAP) and [Zenodo](https://doi.org/10.5281/zenodo.14998624) for further researches.
title A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM
topic Software Engineering
url https://arxiv.org/abs/2601.05622