Software Bills of Materials (SBOMs) are becoming an established way to describe software composition, one that is often mandated by government regulations. However, recent studies show that SBOMs suffer from limited support for their consumption and lack information beyond simple dependencies, especially about software vulnerabilities. This paper reports the results of a preliminary study in which we augmented the SBOMs of 40 open-source projects with information about the Common Vulnerabilities and Exposures (CVE) entries exposed by project dependencies. We evaluated the augmented SBOMs by submitting them as pull requests and by asking project owners to answer a survey. Although in most cases the augmented SBOMs were not directly accepted, because owners required a continuously updated SBOM, the feedback received shows the usefulness of the suggested SBOM augmentation.
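As an added illustration, not code from the paper, one way the augmentation step can look: join the components of a SBOM against a CVE feed and record each match in the SBOM's own vulnerabilities section, so the file can be regenerated on every dependency change rather than patched once. The SBOM, the feed and the CVE identifiers below are constructed placeholders, and CycloneDX as the SBOM format is an assumption (the paper does not name one).

```python
import json

# Constructed minimal CycloneDX-style SBOM (format assumed; not taken from the paper).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:maven/org.example/lib-a@1.2.0", "name": "lib-a",
         "version": "1.2.0", "purl": "pkg:maven/org.example/lib-a@1.2.0"},
        {"bom-ref": "pkg:maven/org.example/lib-b@3.0.1", "name": "lib-b",
         "version": "3.0.1", "purl": "pkg:maven/org.example/lib-b@3.0.1"},
    ],
}

# Constructed vulnerability feed keyed by package URL: purl -> [(CVE id, severity)].
# The CVE id is a placeholder, not a real advisory.
FEED = {
    "pkg:maven/org.example/lib-a@1.2.0": [("CVE-0000-0001", "high")],
}


def augment_sbom(sbom, feed):
    """Return a copy of `sbom` with a CycloneDX-style `vulnerabilities` list.

    The list is rebuilt from scratch on every call, so the function can run in CI
    after each dependency update instead of producing a one-off augmented file.
    """
    out = json.loads(json.dumps(sbom))  # deep copy; the input SBOM is left untouched
    vulns = []
    for comp in out.get("components", []):
        for cve_id, severity in feed.get(comp.get("purl"), []):
            vulns.append({
                "id": cve_id,
                "source": {"name": "NVD",
                           "url": f"https://nvd.nist.gov/vuln/detail/{cve_id}"},
                "ratings": [{"severity": severity}],
                "affects": [{"ref": comp["bom-ref"]}],  # ties the CVE to the component
            })
    out["vulnerabilities"] = vulns
    return out


def exposed_components(augmented):
    """Sorted bom-refs of components that at least one recorded CVE affects."""
    refs = {a["ref"] for v in augmented.get("vulnerabilities", []) for a in v["affects"]}
    return sorted(refs)


if __name__ == "__main__":
    print(json.dumps(augment_sbom(SBOM, FEED), indent=2))
```

A real feed would match on version ranges rather than exact purls; the exact-match lookup here keeps the join step visible.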