Thursday 13 March 2025
The software supply chain has long been a weak link in the technology ecosystem, and it’s no secret that malicious actors have exploited this weakness time and again. But a new study sheds light on an often-overlooked aspect of software development: the publication of Software Bills of Materials (SBOMs). In an effort to improve transparency and security, developers are increasingly including SBOMs with their software releases.
Researchers at the University of Montreal and KTH Royal Institute of Technology have been studying the adoption of SBOMs in open-source projects. They analyzed a dataset of over 14,000 SBOMs from Maven Central, a popular package registry for Java-based projects. Their findings suggest that while the concept of SBOMs has been around since the early 2000s, it’s only recently gained widespread acceptance.
The study notes that in 2021 the White House issued an executive order calling for improved cybersecurity practices, including the publication of SBOMs. This move likely contributed to a surge in adoption, as developers began to see the value in providing transparency about their software components. Today, nearly half of all open-source projects on Maven Central include SBOMs.
So what do these SBOMs look like? Essentially, they’re detailed lists of software components used in a project, including dependencies and version information. This information is crucial for identifying vulnerabilities and ensuring the integrity of the software supply chain. By making this data publicly available, developers can help security researchers identify potential weaknesses and prevent attacks.
The study also highlights some challenges associated with SBOM publication. For example, many SBOMs still lack accurate dependency information, which can make it difficult to track down vulnerabilities. Additionally, there’s a need for more automation in the SBOM generation process, as manual creation is time-consuming and prone to errors.
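The gaps the study describes (components without version information, an incomplete dependency graph) are easy to check mechanically. The following is an added example, not code from the study or its authors: it audits a small SBOM that is assumed to be in the CycloneDX JSON layout (the article does not name a format), using a constructed sample with fictitious `org.example` Maven coordinates.

```python
import json

# Constructed sample in the CycloneDX JSON layout (assumed format; not from the study's dataset).
# It deliberately has one component with no version and no purl, one component that no
# dependency entry points to, and one dependency edge to a component that is never declared.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "example-app",
               "version": "1.0.0", "bom-ref": "pkg:maven/org.example/example-app@1.0.0"}},
  "components": [
    {"type": "library", "group": "org.example", "name": "json-parser", "version": "2.3.1",
     "bom-ref": "pkg:maven/org.example/json-parser@2.3.1",
     "purl": "pkg:maven/org.example/json-parser@2.3.1"},
    {"type": "library", "group": "org.example", "name": "logging",
     "bom-ref": "logging"},
    {"type": "library", "group": "org.example", "name": "crypto-utils", "version": "0.9.0",
     "bom-ref": "pkg:maven/org.example/crypto-utils@0.9.0",
     "purl": "pkg:maven/org.example/crypto-utils@0.9.0"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/org.example/example-app@1.0.0",
     "dependsOn": ["pkg:maven/org.example/json-parser@2.3.1", "logging"]},
    {"ref": "pkg:maven/org.example/json-parser@2.3.1",
     "dependsOn": ["pkg:maven/org.example/json-core@2.3.1"]}
  ]
}"""


def audit_sbom(text: str) -> dict:
    """Report gaps that stop a consumer from matching components to vulnerability advisories:
    no version (cannot be matched at all), no purl (ecosystem/coordinates must be guessed),
    components the dependency graph never reaches, and edges to undeclared components."""
    bom = json.loads(text)
    components = bom.get("components", [])
    root = bom.get("metadata", {}).get("component", {})
    known_refs = {c.get("bom-ref") for c in components} | {root.get("bom-ref")}
    known_refs.discard(None)

    referenced, dangling = set(), []
    for entry in bom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            referenced.add(dep)
            if dep not in known_refs:  # edge to a component the SBOM never declares
                dangling.append(dep)

    return {
        "missing_version": sorted(c["name"] for c in components if not c.get("version")),
        "missing_purl": sorted(c["name"] for c in components if not c.get("purl")),
        "unreachable": sorted(c["name"] for c in components if c.get("bom-ref") not in referenced),
        "dangling_refs": sorted(dangling),
    }
```

Running `audit_sbom(SAMPLE_SBOM)` flags `logging` (no version, no purl), `crypto-utils` (listed but never depended on) and the undeclared `json-core` reference; the same checks run unchanged over a real Maven-published SBOM in this layout.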
Despite these hurdles, the researchers argue that the benefits of SBOM publication far outweigh the costs. By increasing transparency and providing valuable information about software components, developers can help build trust with their users and improve the overall security posture of the software supply chain.
As the tech industry continues to grapple with the complexities of software development, it’s clear that SBOMs will play a critical role in ensuring the integrity of our digital infrastructure. By shedding light on this often-overlooked aspect of software development, researchers are helping to pave the way for a more secure and transparent future.
Cite this article: “Unlocking Transparency: The Rise of Software Bills of Materials in Open-Source Projects”, The Science Archive, 2025.
Software Bills Of Materials, Sboms, Cybersecurity, Open-Source Projects, Maven Central, Software Supply Chain, Vulnerability Identification, Security Researchers, Dependency Information, Automation.