Software Supply Chain (SSC) security is a critical concern for both users and developers. Recent incidents, such as the SolarWinds Orion compromise, demonstrated the widespread impact that the distribution of compromised software can have. The reliance on open-source components, which constitute a significant portion of modern software, further exacerbates this risk. To enhance SSC security, the Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Despite its promise, however, the SBOM is not without limitations. Current SBOM generation tools often misidentify components and dependencies, producing erroneous or incomplete representations of the SSC. Although existing studies have exposed these limitations, their impact on the vulnerability detection capabilities of security tools is still unknown. In this paper, we perform the first security analysis of the vulnerability detection capabilities of tools that receive SBOMs as input. We comprehensively evaluate SBOM generation tools by providing their outputs to vulnerability identification software. Based on our results, we identify the root causes of these tools' ineffectiveness and propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings. PIP-sbom provides improved accuracy in component identification and dependency resolution. Compared to the best-performing state-of-the-art tools, PIP-sbom increases the average precision and recall by 60% and reduces the number of false positives tenfold.
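As an added illustration (not code from the paper or from PIP-sbom), the following Python script shows how the SBOM inaccuracies described above, a wrongly guessed transitive version and a dropped transitive dependency, become false positives and false negatives once the SBOM is fed to a vulnerability matcher, and how that shifts precision and recall. Package names, versions, advisory ids and the minimal CycloneDX-style SBOM layout are constructed sample data.

```python
import json

# Constructed advisory feed: (package, first fixed version, advisory id).
# A component is affected if its version is below the fixed version.
# Sample values only, not real advisories.
ADVISORIES = [
    ("requests", "2.31.0", "ADV-0001"),
    ("urllib3", "1.26.18", "ADV-0002"),
    ("idna", "3.7", "ADV-0003"),
]

# Constructed ground truth: what is really installed in the environment.
INSTALLED = {"requests": "2.28.0", "urllib3": "1.26.18", "idna": "3.4"}

# Two constructed SBOMs in minimal CycloneDX-style JSON. The inaccurate one
# mimics a generator that guessed the version of a transitive dependency
# (urllib3) and omitted another transitive dependency (idna) entirely.
INACCURATE_SBOM = json.dumps({"components": [
    {"name": "requests", "version": "2.28.0"},
    {"name": "urllib3", "version": "1.26.5"},
]})
ACCURATE_SBOM = json.dumps({"components": [
    {"name": n, "version": v} for n, v in INSTALLED.items()
]})

def version_key(v):
    """Compare dotted numeric versions as integer tuples (1.26.5 < 1.26.18)."""
    return tuple(int(p) for p in v.split("."))

def match_advisories(components):
    """Return the advisory ids whose vulnerable range contains a listed component."""
    found = set()
    for c in components:
        for pkg, fixed_in, adv in ADVISORIES:
            if c["name"] == pkg and version_key(c["version"]) < version_key(fixed_in):
                found.add(adv)
    return found

# Advisories that truly apply to the installed environment.
GROUND_TRUTH = match_advisories(
    [{"name": n, "version": v} for n, v in INSTALLED.items()])

def evaluate(sbom_json):
    """Feed an SBOM to the matcher and score it against ground truth.
    Returns (precision, recall, number of false positives)."""
    found = match_advisories(json.loads(sbom_json)["components"])
    tp, fp, fn = len(found & GROUND_TRUTH), len(found - GROUND_TRUTH), len(GROUND_TRUTH - found)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall, fp

if __name__ == "__main__":
    for label, sbom in (("inaccurate", INACCURATE_SBOM), ("accurate", ACCURATE_SBOM)):
        print(label, evaluate(sbom))
```

The wrong urllib3 version raises a false positive and the missing idna entry hides a real finding, so the inaccurate SBOM scores precision 0.5 and recall 0.5 while the accurate one scores 1.0 on both.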