Related papers: SBOMproof: Beyond Alleged SBOM Compliance for Supply Chain Security of Container Images

SBOMproof: Beyond Alleged SBOM Compliance for Supply Chain Security of Container Images

URL: http://arxiv.org/abs/2510.05798v1
Date: Tue, 07 Oct 2025 11:17:51 GMT
Title: SBOMproof: Beyond Alleged SBOM Compliance for Supply Chain Security of Container Images
Authors: Jacopo Bufalino, Mario Di Francesco, Agathe Blaise, Stefano Secci,
Abstract summary: Governments have recently introduced cybersecurity regulations that require vendors to share a software bill of material with end users or regulators.<n>An SBOM can be employed to identify the security vulnerabilities of a software component even without access to its source code.<n>This work evaluates this issue through a comprehensive study of tools for SBOM generation and vulnerability scanning.
Score: 3.101218489580587
License: http://creativecommons.org/publicdomain/zero/1.0/
Abstract: Supply chain security is extremely important for modern applications running at scale in the cloud. In fact, they involve a large number of heterogeneous microservices that also include third-party software. As a result, security vulnerabilities are hard to identify and mitigate before they start being actively exploited by attackers. For this reason, governments have recently introduced cybersecurity regulations that require vendors to share a software bill of material (SBOM) with end users or regulators. An SBOM can be employed to identify the security vulnerabilities of a software component even without access to its source code, as long as it is accurate and interoperable across different tools. This work evaluates this issue through a comprehensive study of tools for SBOM generation and vulnerability scanning, including both open-source software and cloud services from major providers. We specifically target software containers and focus on operating system packages in Linux distributions that are widely used as base images due to their far-reaching security impact. Our findings show that the considered tools are largely incompatible, leading to inaccurate reporting and a large amount of undetected vulnerabilities. We uncover the SBOM confusion vulnerability, a byproduct of such fragmented ecosystem, where inconsistent formats prevent reliable vulnerability detection across tools.

Related papers

MalTool: Malicious Tool Attacks on LLM Agents [52.01975462609959]
MalTool is a coding-LLM-based framework that synthesizes tools exhibiting specified malicious behaviors.<n>We show that MalTool is highly effective even when coding LLMs are safety-aligned.
arXiv Detail & Related papers (2026-02-12T17:27:43Z)
Cascaded Vulnerability Attacks in Software Supply Chains [1.628589561701473]
We propose a novel approach to SBOM-driven security analysis methods and tools.<n>We model vulnerability relationships over dependency structure rather than treating scanner outputs as independent records.<n>We then train a Heterogeneous Graph Attention Network (HGAT) to predict whether a component is associated with at least one known vulnerability.
arXiv Detail & Related papers (2026-01-28T01:31:09Z)
A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM [54.38424417079265]
A Software Bill of Materials (SBOM) is a machine-readable artifact that organizes software information.<n>Following standards, organizations have developed tools for generating and utilizing SBOMs.<n>This paper presents the first large-scale, two-stage empirical analysis of the adherence gap, using our automated evaluation framework, SAP.
arXiv Detail & Related papers (2026-01-09T08:26:05Z)
UniBOM -- A Unified SBOM Analysis and Visualisation Tool for IoT Systems and Beyond [0.23332469289621785]
This paper introduces UniBOM, an advanced tool for Software Bill of Materials generation, analysis, and visualisation.<n>UniBOM integrates binary, vulnerability, and source code analysis, enabling fine-grained vulnerability detection and risk management.<n>Key features include historical tracking, AI-based classification by severity and memory safety, and support for non-package-managed C/C++ dependencies.
arXiv Detail & Related papers (2025-11-27T11:50:58Z)
Enabling Security on the Edge: A CHERI Compartmentalized Network Stack [42.78181795494584]
CHERI provides strong security from the hardware level by enabling fine-grained compartmentalization and memory protection.<n>Our case study examines the trade-offs of isolating applications, TCP/IP libraries, and network drivers on a CheriBSD system deployed on the Arm Morello platform.
arXiv Detail & Related papers (2025-07-07T09:37:59Z)
CyberGym: Evaluating AI Agents' Cybersecurity Capabilities with Real-World Vulnerabilities at Scale [46.76144797837242]
Large language model (LLM) agents are becoming increasingly skilled at handling cybersecurity tasks autonomously.<n>Existing benchmarks fall short, often failing to capture real-world scenarios or being limited in scope.<n>We introduce CyberGym, a large-scale and high-quality cybersecurity evaluation framework featuring 1,507 real-world vulnerabilities.
arXiv Detail & Related papers (2025-06-03T07:35:14Z)
A Virtual Cybersecurity Department for Securing Digital Twins in Water Distribution Systems [39.58317527488534]
Digital twins (DTs) help improve real-time monitoring and decision-making in water distribution systems.<n>Their connectivity makes them easy targets for cyberattacks such as scanning, denial-of-service (DoS), and unauthorized access.<n>We present a Virtual Cybersecurity Department (VCD), an affordable and automated framework designed for SMEs.
arXiv Detail & Related papers (2025-04-28T21:14:48Z)
Supply Chain Insecurity: The Lack of Integrity Protection in SBOM Solutions [0.0]
The Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security.<n>Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States.<n>We present an in-depth and systematic investigation of the trust that can be put into the output of SBOMs.
arXiv Detail & Related papers (2024-12-06T15:52:12Z)
The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z)
A Landscape Study of Open Source and Proprietary Tools for Software Bill of Materials (SBOM) [3.1190983209295076]
Software Bill of Materials (SBOM) is a repository that inventories all third-party components and dependencies used in an application. Recent supply chain breaches underscore the urgent need to enhance software security and vulnerability risks. This research paper conducts an empirical analysis to assess the current landscape of open-source and proprietary tools related to SBOM.
arXiv Detail & Related papers (2024-02-17T00:36:20Z)
SliceLocator: Locating Vulnerable Statements with Graph-based Detectors [33.395068754566935]
SliceLocator identifies the most relevant taint flow by selecting the highest-weighted flow path from all potential vulnerability-triggering statements.<n>We demonstrate that SliceLocator consistently performs well on four state-of-the-art GNN-based vulnerability detectors.
arXiv Detail & Related papers (2024-01-05T10:15:04Z)
On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potential vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)

This list is automatically generated from the titles and abstracts of the papers in this site.