On the Way to SBOMs: Investigating Design Issues and Solutions in Practice-Reference-Cited by-同舟云学术

On the Way to SBOMs: Investigating Design Issues and Solutions in Practice

Published:2024-06-27 Issue:6 Volume:33 Page:1-25
ISSN:1049-331X
Container-title:ACM Transactions on Software Engineering and Methodology
language:en
Short-container-title:ACM Trans. Softw. Eng. Methodol.

Author:

Bi Tingting¹^ORCID,Xia Boming²^ORCID,Xing Zhenchang³^ORCID,Lu Qinghua⁴^ORCID,Zhu Liming⁴^ORCID

Affiliation:

1. Data61, CSIRO, Melbourne, Australia and The University of Western Australia, Perth, Australia

2. Data61, CSIRO and The University of New South Wales, Eveleigh, Australia

3. Data61, CSIRO and Australian National University, Canberra, Australia

4. Data61, CSIRO, Sydney, Australia

Abstract

The increase of software supply chain threats has underscored the necessity for robust security mechanisms, among which the Software Bill of Materials (SBOM) stands out as a promising solution. SBOMs, by providing a machine-readable inventory of software composition details, play a crucial role in enhancing transparency and traceability within software supply chains. This empirical study delves into the practical challenges and solutions associated with the adoption of SBOMs through an analysis of 4,786 GitHub discussions across 510 SBOM-related projects. Through repository mining and analysis, this research delineates key topics, challenges, and solutions intrinsic to the effective utilization of SBOMs. Furthermore, we shed light on commonly used tools and frameworks for SBOM generation, exploring their respective strengths and limitations. This study underscores a set of findings, for example, there are four phases of the SBOM life cycle, and each phase has a set of SBOM development activities and issues; in addition, this study emphasizes the role SBOM play in ensuring resilient software development practices and the imperative of their widespread adoption and integration to bolster supply chain security. The insights of our study provide vital input for future work and practical advancements in this topic.

Publisher

Association for Computing Machinery (ACM)

Link

https://dl.acm.org/doi/pdf/10.1145/3654442

Reference46 articles.

1. The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness. (n.d.). Retrieved from https://www.linuxfoundation.org/tools/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness/

2. 2021. Executive Order on Improving the Nation’s Cybersecurity. Retrieved from https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

3. 2023. The Minimum Elements for a Software Bill of Materials (SBOM). Retrieved from https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf

4. 2023. Types of Software Bill of Materials (SBOM). Retrieved from https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom

5. Challenges of producing software bill of materials for Java;Balliu Musard;arXiv preprint arXiv:2303.11102,2023