Modern software applications heavily rely on diverse third-party components, libraries, and frameworks sourced from various vendors and open source repositories, presenting a complex challenge for securing the software supply chain. To address this complexity, the adoption of a Software Bill of Materials (SBOM) has emerged as a promising solution, offering a centralized repository that inventories all third-party components and dependencies used in an application. Recent supply chain breaches, exemplified by the SolarWinds attack, underscore the urgent need to enhance software security and mitigate vulnerability risks, with SBOMs playing a pivotal role in this endeavor by revealing potential vulnerabilities, outdated components, and unsupported elements. This research paper conducts an extensive empirical analysis to assess the current landscape of open-source and proprietary tools related to SBOM. We investigate emerging use cases in software supply chain security and identify gaps in SBOM technologies. Our analysis encompasses 84 tools, providing a snapshot of the current market and highlighting areas for improvement.
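The abstract describes an SBOM as an inventory that reveals vulnerable, outdated, and unsupported components. The following added example (not code from the paper or any of the 84 surveyed tools) shows that consumption step on a constructed CycloneDX-style SBOM: it cross-references each component against a constructed advisory feed and end-of-life list, both of which are illustrative stand-ins for real vulnerability and support data.

```python
import json

# Constructed CycloneDX-style SBOM (sample data for this example, not from the paper).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "python", "version": "2.7.18", "purl": "pkg:generic/python@2.7.18"}
  ]
}
"""

# Constructed advisory feed: component name -> (first fixed version, advisory id placeholder).
ADVISORIES = {
    "log4j-core": ("2.17.1", "ADVISORY-ID-PLACEHOLDER"),
}
# Constructed end-of-life list: release lines below this version receive no security fixes.
EOL_BEFORE = {"python": "3.0.0"}

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) for ordering; non-numeric segments count as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def assess_sbom(sbom_text, advisories=ADVISORIES, eol=EOL_BEFORE):
    """Return (name, version, finding) tuples for components the SBOM reveals as
    vulnerable (below the fixed version), unsupported (end-of-life), or incomplete."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:  # an inventory entry without a version cannot be assessed
            findings.append((name, version, "incomplete: missing name or version"))
            continue
        if name in advisories:
            fixed, adv_id = advisories[name]
            if parse_version(version) < parse_version(fixed):
                findings.append((name, version, f"vulnerable: fixed in {fixed} ({adv_id})"))
        if name in eol and parse_version(version) < parse_version(eol[name]):
            findings.append((name, version, "unsupported: end-of-life release line"))
    return findings
```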