A Software Bill of Materials (SBOM) is a machine-readable artifact that systematically organizes software information, enhancing supply chain transparency and security. To facilitate the exchange and utilization of SBOMs, organizations such as the Linux Foundation and OWASP have proposed SBOM standards. Following standards, organizations have developed tools for generating and utilizing SBOMs. However, limited research has examined the adherence of these SBOM tools to standard specifications, a gap that could lead to compliance failures and disruptions in SBOM utilization. This paper presents the first large-scale, two-stage empirical analysis of the adherence gap, using our automated evaluation framework, SAP. The evaluation, comprising a baseline evaluation and a one-year longitudinal follow-up, covers 55,444 SBOMs generated by six SBOM tools from 3,287 real-world repositories. Our analysis reveals persistent, fundamental limitations in current SBOM tools: (1) inadequate compliance support with policy requirements; (2) poor tool consistencies, including inter-tool consistency rates as low as 7.84% to 12.77% for package detection across languages, and significant longitudinal inconsistency, where tools show low consistency with their own prior versions; and (3) mediocre to poor accuracy for detailed software information, e.g., accuracy of package licenses below 20%. We analyze the root causes of these gaps and provide practical solutions. All the code, replication docker image, evaluation results are open sourced at [GitHub](https://github.com/dw763j/SAP) and [Zenodo](https://doi.org/10.5281/zenodo.14998624) for further researches.

翻译：软件物料清单（SBOM）是一种可机器读取的制品，它系统化地组织软件信息，以增强供应链的透明度和安全性。为促进SBOM的交换与利用，Linux基金会和OWASP等组织提出了SBOM标准。遵循这些标准，各组织开发了用于生成和利用SBOM的工具。然而，目前对这些SBOM工具遵循标准规范程度的考察研究有限，这一差距可能导致合规性失败并干扰SBOM的利用。本文首次利用我们开发的自动化评估框架SAP，对遵循性差距进行了大规模、两阶段的实证分析。该评估包括基线评估和为期一年的纵向跟踪，覆盖了来自3,287个真实世界代码仓库、由六款SBOM工具生成的55,444个SBOM。我们的分析揭示了当前SBOM工具存在持续且根本性的局限：（1）对策略要求的合规性支持不足；（2）工具一致性差，包括跨语言软件包检测的跨工具一致性率低至7.84%至12.77%，以及显著的纵向不一致性，即工具与其自身先前版本的一致性也较低；（3）对于详细软件信息的准确性表现平庸甚至较差，例如软件包许可证的准确率低于20%。我们分析了这些差距的根本原因，并提供了实用的解决方案。所有代码、复现Docker镜像及评估结果已在[GitHub](https://github.com/dw763j/SAP)和[Zenodo](https://doi.org/10.5281/zenodo.14998624)开源，以供进一步研究。