Zhiyuan He, Yijun Yang, et al.
ICML 2024
Software supply chain attacks have surged in recent years, posing significant threats to organizations. In response, Software Bill of Materials (SBOMs)—structured inventories that document software components—have been proposed to enhance supply chain transparency, track dependencies, and manage vulnerabilities. Despite increasing adoption, their correctness and completeness in real-world open-source ecosystems remain largely unexamined. Incomplete SBOMs can result in overlooked vulnerabilities, while incorrectly listed dependencies may waste resources on non-existent issues.
This talk introduces JBomAudit, an open-source tool to automatically verify Java SBOMs by systematically assessing their correctness and completeness against NTIA minimum requirements. We will cover the technical details of JBomAudit, demonstrate how it examines missing and incorrect dependencies, and present findings from our large-scale analysis of over 25,000 Java SBOMs, highlighting the prevalence of non-compliant SBOMs and security implications. We will also discuss common pitfalls in SBOM generation, analyze the root causes of non-compliance, and provide actionable recommendations to improve SBOM quality.
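The two checks the talk describes, completeness (resolved dependencies absent from the SBOM) and correctness (SBOM entries that were never resolved, or resolved at a different version), plus the NTIA minimum-element fields, as an added illustration that is not JBomAudit's own code. It assumes a CycloneDX-style JSON SBOM with `group`/`name`/`version`/`purl`/`supplier` keys and a constructed list of what the build actually resolved; both inputs are made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical Java project (not a real SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"timestamp": "2024-01-01T00:00:00Z",
               "authors": [{"name": "example-generator"}]},
  "components": [
    {"group": "commons-io", "name": "commons-io", "version": "2.11.0",
     "purl": "pkg:maven/commons-io/commons-io@2.11.0", "supplier": {"name": "Apache"}},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"group": "com.google.guava", "name": "guava", "version": "31.1-jre"}
  ]
}"""

# Constructed ground truth: what the build actually resolved (the kind of list
# `mvn dependency:list` prints), as group:artifact -> version.
RESOLVED = {
    "commons-io:commons-io": "2.11.0",
    "org.apache.logging.log4j:log4j-core": "2.17.1",
    "com.fasterxml.jackson.core:jackson-databind": "2.15.2",
}

# NTIA minimum elements at component level: supplier, name, version, unique id.
NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "purl")


def audit_sbom(sbom_text, resolved):
    """Compare SBOM components against resolved dependencies and NTIA fields."""
    sbom = json.loads(sbom_text)
    comps = sbom.get("components", [])
    declared = {f"{c.get('group', '')}:{c.get('name', '')}": c.get("version", "")
                for c in comps}
    meta = sbom.get("metadata", {})
    return {
        # Completeness: dependency in the build with no SBOM entry at all.
        "missing": sorted(set(resolved) - set(declared)),
        # Correctness: SBOM lists a dependency the build never resolved.
        "incorrect": sorted(set(declared) - set(resolved)),
        # Correctness: right artifact, wrong version (vulnerability lookups hit the wrong CVEs).
        "version_mismatch": {ga: (declared[ga], resolved[ga]) for ga in declared
                             if ga in resolved and declared[ga] != resolved[ga]},
        # NTIA per-component fields that are absent.
        "field_gaps": {f"{c.get('group', '')}:{c.get('name', '')}":
                       [f for f in NTIA_COMPONENT_FIELDS if f not in c]
                       for c in comps if any(f not in c for f in NTIA_COMPONENT_FIELDS)},
        # NTIA document-level elements: author and timestamp, plus a dependency graph.
        "meta_gaps": [k for k in ("authors", "timestamp") if k not in meta]
                     + ([] if sbom.get("dependencies") else ["dependencies"]),
    }


def is_ntia_compliant(report):
    # Compliant only when every bucket of findings is empty.
    return not any(report.values())
```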