ArXiv TLDR

Hidden Dependencies and Component Variants in SBOM-Based Software Composition Analysis

2604.21278

Shawn Rasheed, Max McPhee, Lisa Patterson, Stephen MacDonell, Jens Dietrich

cs.SE

TLDR

This paper shows how two SBOM mismatch patterns, hidden code-level dependencies and component variants (clones), lead popular SBOM-based scanners to report vulnerabilities inconsistently and to apply VEX statements inconsistently.

Key contributions

  • Identifies two SBOM mismatch patterns: code-level dependencies that stay hidden because the SBOM records no component-level dependency for them, and component variants (clones of the same code under a different identity) that scanners cannot recognise consistently.
  • Demonstrates that both mismatches cause popular SBOM-based vulnerability scanners to report different vulnerabilities for the same product.
  • Shows that the same inaccuracies also lead to inconsistent handling of VEX statements across scanners.
  • Motivates richer dependency representation and consistent component identity in both SBOM production and SBOM consumption.

Why it matters

SBOMs are central to software supply chain security, but vulnerability management built on them is only as reliable as the component identities and dependency relationships they record. By showing where current SBOMs fall short and how scanners diverge as a result, the paper points to concrete improvements in SBOM production and consumption that would make software composition analysis more trustworthy.

Original Abstract

Software Bills of Material (SBOMs) have emerged as an important technology for vulnerability management amid rising supply-chain attacks. They represent component relationships within a software product and support software composition analysis (SCA) by linking components to known vulnerabilities. However, the effectiveness of SBOM-based analysis depends on how accurately SBOMs represent component identities and actual dependencies in software. This paper studies two mismatch patterns: hidden code-level dependencies that are not represented as component-level dependencies, and component variants (clones) that cannot be identified consistently by scanners. We show that these mismatches can lead to inconsistent vulnerability reporting and inconsistent handling of VEX statements across popular SBOM-based vulnerability scanners. These results highlight limitations in current SBOM production and consumption and motivate richer dependency representation and component identity.
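The following is an added worked example, not an artifact from the paper and not the code of any real scanner: it builds a constructed CycloneDX-style SBOM containing both mismatch patterns from the contributions list and the abstract (a component with no inbound dependency edge, and a shaded clone of a vulnerable component under a different purl), then runs three simplified scanner behaviours over it. The purl-based "flat" scanner, the purl-based "graph-walking" scanner and the digest-based scanner are assumed models of how tools can differ, not descriptions of specific products; the package names, purls, digests, the advisory ID EXAMPLE-2024-0001 and the VEX statement are all made up for the example.

```python
from typing import Dict, List, Set

# Constructed CycloneDX-style SBOM for a fictional application. Names, purls and
# digests are made up; "aa11"/"bb22" stand in for SHA-256 values. bom-ref == purl.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "app", "version": "1.0.0"}},
    "components": [
        {"purl": "pkg:maven/org.example/parser@2.3.0",
         "hashes": [{"alg": "SHA-256", "content": "aa11"}]},
        {"purl": "pkg:maven/org.example/util@1.0.0",
         "hashes": [{"alg": "SHA-256", "content": "bb22"}]},
        # Component variant: the vendor shaded (relocated) parser 2.3.0 into its own
        # artifact. Same bytes as parser, but a different package identity.
        {"purl": "pkg:maven/com.vendor/toolkit-shaded@1.4.2",
         "hashes": [{"alg": "SHA-256", "content": "aa11"}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.example/util@1.0.0",
                                     "pkg:maven/com.vendor/toolkit-shaded@1.4.2"]},
        # Hidden dependency: util loads parser at run time (a code-level dependency),
        # but the producer emitted no component-level edge from util to parser.
        {"ref": "pkg:maven/org.example/util@1.0.0", "dependsOn": []},
    ],
}

# Constructed vulnerability feed: a fake advisory for parser 2.3.0, keyed by the
# version-less purl, with the digest of the affected artifact.
VULN_DB = {"pkg:maven/org.example/parser": [
    {"id": "EXAMPLE-2024-0001", "versions": {"2.3.0"}, "digests": {"aa11"}}]}

# Constructed CycloneDX-style VEX: the producer asserts parser@2.3.0 is not
# affected. The statement names only parser's purl, not the shaded clone's.
VEX = {"vulnerabilities": [{
    "id": "EXAMPLE-2024-0001",
    "affects": [{"ref": "pkg:maven/org.example/parser@2.3.0"}],
    "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
}]}


def reachable_refs(sbom: dict) -> Set[str]:
    """bom-refs reachable from the root component through the dependency graph."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    seen, stack = set(), [root]
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(edges.get(ref, []))
    return seen - {root}


def scan_by_purl(sbom: dict, vuln_db: dict, graph_only: bool = False) -> Dict[str, List[str]]:
    """Identity-based matching (purl + version). With graph_only=True only components
    reachable from the root count, so the parser with no inbound edge is skipped."""
    allowed = reachable_refs(sbom) if graph_only else None
    findings: Dict[str, List[str]] = {}
    for comp in sbom["components"]:
        ref = comp.get("bom-ref", comp["purl"])
        if allowed is not None and ref not in allowed:
            continue
        base, _, version = comp["purl"].rpartition("@")
        hits = [v["id"] for v in vuln_db.get(base, []) if version in v["versions"]]
        if hits:
            findings[comp["purl"]] = hits
    return findings


def scan_by_hash(sbom: dict, vuln_db: dict) -> Dict[str, List[str]]:
    """Content-based matching: flag any component whose digest equals a known vulnerable
    artifact's digest, whatever its purl claims (assumes one advisory per digest)."""
    by_digest = {d: v["id"] for vs in vuln_db.values() for v in vs for d in v["digests"]}
    findings: Dict[str, List[str]] = {}
    for comp in sbom["components"]:
        hits = [by_digest[h["content"]] for h in comp.get("hashes", []) if h["content"] in by_digest]
        if hits:
            findings[comp["purl"]] = hits
    return findings


def apply_vex(findings: Dict[str, List[str]], vex: dict) -> Dict[str, List[str]]:
    """Drop findings covered by a not_affected statement. Matching is by exact ref,
    so a statement about parser@2.3.0 says nothing about the shaded clone."""
    suppressed = {(a["ref"], v["id"]) for v in vex["vulnerabilities"]
                  if v["analysis"]["state"] == "not_affected" for a in v["affects"]}
    kept = {p: [i for i in ids if (p, i) not in suppressed] for p, ids in findings.items()}
    return {p: ids for p, ids in kept.items() if ids}


def compare_scanners() -> Dict[str, Dict[str, Dict[str, List[str]]]]:
    """The same SBOM and VEX seen by three scanner behaviours, before and after VEX."""
    raw = {
        "purl_flat": scan_by_purl(SBOM, VULN_DB),
        "purl_graph": scan_by_purl(SBOM, VULN_DB, graph_only=True),
        "hash": scan_by_hash(SBOM, VULN_DB),
    }
    return {name: {"raw": f, "after_vex": apply_vex(f, VEX)} for name, f in raw.items()}


if __name__ == "__main__":
    for name, result in compare_scanners().items():
        print(name, result)
```

Run stand-alone, the three behaviours disagree in exactly the ways the abstract describes: the flat purl scanner reports parser@2.3.0, the graph-walking scanner reports nothing because the hidden dependency leaves parser unreachable from the root, and only the digest-based scanner sees the shaded clone. After the VEX statement is applied, the purl scanners both go quiet while the clone stays flagged, because the not_affected statement is bound to parser's identity and nothing in the SBOM ties the clone to it.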
