The Software Bill of Materials (SBOM) is a critical tool for securing the software supply chain (SSC), but its practical utility is undermined by inaccuracies in both its generation and its application in vulnerability scanning. This paper presents a large-scale empirical study on 2,414 open-source repositories to address these issues from a practical standpoint. First, we demonstrate that using lock files with strong package managers enables the generation of accurate and consistent SBOMs, establishing a reliable foundation for security analysis. Using this high-fidelity foundation, however, we expose a more fundamental flaw in practice: downstream vulnerability scanners produce a staggering 92.0\% false positive rate in our case study. We pinpoint the primary cause as the flagging of vulnerabilities within unreachable code. We then demonstrate that function call analysis can effectively prune 61.9\% of these false alarms. Our work validates a practical, two-stage approach for SSC security: first, generate an accurate SBOM using lock files and strong package managers, and second, enrich it with function call analysis to produce actionable, low-noise vulnerability reports that alleviate developers' alert fatigue.
翻译:软件物料清单(SBOM)是保障软件供应链安全的关键工具,但其在生成环节及漏洞扫描应用中的不准确性严重削弱了实际效用。本文通过对2,414个开源代码仓库开展大规模实证研究,从实践角度解决上述问题。首先,我们证明使用强包管理器配合锁文件可生成精确且一致的SBOM,为安全分析奠定可靠基础。然而借助这一高保真基础,我们揭示了实践中更根本的缺陷:下游漏洞扫描器在案例研究中产生了高达92.0%的误报率。经定位,根本原因在于对不可达代码中的漏洞标记。继而证明函数调用分析可有效消除61.9%的误报。本研究验证了一种实用的两阶段软件供应链安全方案:首先通过锁文件和强包管理器生成精确SBOM,其次结合函数调用分析生成可操作、低噪声的漏洞报告,从而缓解开发者的告警疲劳。