https://www.cs.ucr.edu/~heng/pubs/sbom-dsn24.pdf
Security researchers at the University of California, Riverside and Deepbits Technology have uncovered significant weaknesses in four widely used Software Bill of Materials (SBOM) generation tools, revealing that these critical supply chain security instruments produce incomplete and potentially inaccurate inventories of software components. The comprehensive study analyzed Trivy, Syft, Microsoft SBOM Tool, and GitHub Dependency Graph across 7,876 open-source projects, finding that all four tools exhibit inconsistent outputs and systematic dependency omissions that could leave organizations exposed to undetected security risks.
The researchers employed a differential analysis approach to evaluate SBOM generation accuracy, discovering alarming discrepancies between tools when analyzing identical software projects. Their findings revealed that SBOM generators frequently miss over 90% of dependencies in common configuration files like Python’s requirements.txt, primarily due to incomplete syntax support and failure to resolve transitive dependencies. The tools also demonstrated inconsistent package naming conventions, with some using colons while others use dots to separate compound package names; because vulnerability databases and downstream security platforms match on package names, the same component can therefore be recognized by one consumer and missed by another.
Perhaps most concerning, the research team successfully demonstrated a “parser confusion attack” that exploits the custom metadata parsers used by these SBOM tools. By crafting malicious dependency declarations using unsupported syntax patterns, attackers can inject vulnerable or malicious packages into software projects while evading detection by SBOM generators. The attack leverages the tools’ tendency to silently ignore dependencies with unsupported syntax, creating a new vector for supply chain compromise that could allow adversaries to conceal dangerous components within software inventories.
The study’s implications are particularly significant given the increasing regulatory emphasis on SBOM adoption following President Biden’s executive order on cybersecurity and rising software supply chain attacks, which increased by 742% between 2019 and 2022. To address these vulnerabilities, researchers recommend implementing package manager dry runs for lockfile generation, adopting standardized package identification formats, and deploying specialized security scanners designed for SBOM validation. The team has released a benchmark dataset to help improve future SBOM generation tools and is working with the cybersecurity community to develop more robust supply chain security solutions.
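The two defensive checks that the silent-drop behaviour and the recommendations above point to, as an added example that is not the paper's code nor that of any tool it evaluated: a validator that reports every requirements.txt line a narrow grammar (an assumed stand-in for a tool's custom parser) would drop without warning, so those lines can be resolved by a package-manager dry run instead, and a differential comparison of two inventories on a canonical name key so that separator and case differences alone do not hide a genuinely missing package. The sample requirements file is constructed.

```python
import re

# Narrow grammar modelling what a simple SBOM parser accepts: a bare name plus an
# optional comma-separated version specifier (an assumption; real grammars differ).
VERSION = r"(?:===|[=!<>~]=?)\s*[A-Za-z0-9.*+!_-]+"
SIMPLE_REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    rf"\s*(?P<spec>{VERSION}(?:\s*,\s*{VERSION})*)?\s*$"
)

def canonical(name):
    """Comparison key folding the separator and case differences seen between
    tools ('-' vs '_' vs '.', and ':' vs '.' in compound names)."""
    return re.sub(r"[-_.:]+", "-", name).lower()

def audit_requirements(text):
    """Return (parsed, flagged): parsed maps canonical name -> specifier for lines
    the narrow grammar accepts; flagged lists (lineno, line) for every other
    non-empty, non-comment line, i.e. what a narrow parser would drop silently."""
    parsed, flagged = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = SIMPLE_REQ.match(line)
        if m:
            parsed[canonical(m.group("name"))] = (m.group("spec") or "").replace(" ", "")
        else:
            flagged.append((lineno, line))
    return parsed, flagged

def diff_inventories(a, b):
    """Differential check of two SBOM package lists: names only one side reports,
    compared on canonical keys so naming style alone never counts as a difference."""
    ka, kb = {canonical(p) for p in a}, {canonical(p) for p in b}
    return sorted(ka - kb), sorted(kb - ka)

# Constructed sample requirements.txt mixing plain pins with syntax the narrow
# grammar cannot express (include file, environment marker, direct URL).
SAMPLE = """\
# constructed sample
requests==2.31.0
Flask >= 2.0, < 3.0   # version range
-r base.txt
PyYAML
urllib3 ; python_version < "3.12"
pkg @ https://example.invalid/pkg-1.0.tar.gz
"""
if __name__ == "__main__":
    print(audit_requirements(SAMPLE))
```

Every flagged line is one a narrow parser would omit from the inventory, which is exactly the gap a lockfile produced by the package manager's own resolver closes.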