{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T12:16:15Z","timestamp":1775736975814,"version":"3.50.1"},"reference-count":46,"publisher":"Association for Computing Machinery (ACM)","issue":"6","license":[{"start":{"date-parts":[[2024,6,27]],"date-time":"2024-06-27T00:00:00Z","timestamp":1719446400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2024,7,31]]},"abstract":"<jats:p>The increase of software supply chain threats has underscored the necessity for robust security mechanisms, among which the Software Bill of Materials (SBOM) stands out as a promising solution. SBOMs, by providing a machine-readable inventory of software composition details, play a crucial role in enhancing transparency and traceability within software supply chains. This empirical study delves into the practical challenges and solutions associated with the adoption of SBOMs through an analysis of 4,786 GitHub discussions across 510 SBOM-related projects. Through repository mining and analysis, this research delineates key topics, challenges, and solutions intrinsic to the effective utilization of SBOMs. Furthermore, we shed light on commonly used tools and frameworks for SBOM generation, exploring their respective strengths and limitations. This study underscores a set of findings, for example, there are four phases of the SBOM life cycle, and each phase has a set of SBOM development activities and issues; in addition, this study emphasizes the role SBOM play in ensuring resilient software development practices and the imperative of their widespread adoption and integration to bolster supply chain security. The insights of our study provide vital input for future work and practical advancements in this topic.<\/jats:p>","DOI":"10.1145\/3654442","type":"journal-article","created":{"date-parts":[[2024,3,26]],"date-time":"2024-03-26T12:14:44Z","timestamp":1711455284000},"page":"1-25","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":15,"title":["On the Way to SBOMs: Investigating Design Issues and Solutions in Practice"],"prefix":"10.1145","volume":"33","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2748-1249","authenticated-orcid":false,"given":"Tingting","family":"Bi","sequence":"first","affiliation":[{"name":"Data61, CSIRO, Melbourne, Australia and The University of Western Australia, Perth, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-7385-4023","authenticated-orcid":false,"given":"Boming","family":"Xia","sequence":"additional","affiliation":[{"name":"Data61, CSIRO and The University of New South Wales, Eveleigh, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7663-1421","authenticated-orcid":false,"given":"Zhenchang","family":"Xing","sequence":"additional","affiliation":[{"name":"Data61, CSIRO and Australian National University, Canberra, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9466-1672","authenticated-orcid":false,"given":"Qinghua","family":"Lu","sequence":"additional","affiliation":[{"name":"Data61, CSIRO, Sydney, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5839-3765","authenticated-orcid":false,"given":"Liming","family":"Zhu","sequence":"additional","affiliation":[{"name":"Data61, CSIRO, Sydney, Australia"}]}],"member":"320","published-online":{"date-parts":[[2024,6,27]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness. (n.d.). Retrieved from https:\/\/www.linuxfoundation.org\/tools\/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness\/"},{"key":"e_1_3_2_3_2","unstructured":"2021. Executive Order on Improving the Nation\u2019s Cybersecurity. Retrieved from https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/"},{"key":"e_1_3_2_4_2","unstructured":"2023. The Minimum Elements for a Software Bill of Materials (SBOM). Retrieved from https:\/\/www.ntia.doc.gov\/files\/ntia\/publications\/sbom_minimum_elements_report.pdf"},{"key":"e_1_3_2_5_2","unstructured":"2023. Types of Software Bill of Materials (SBOM). Retrieved from https:\/\/www.cisa.gov\/resources-tools\/resources\/types-software-bill-materials-sbom"},{"key":"e_1_3_2_6_2","article-title":"Challenges of producing software bill of materials for Java","author":"Balliu Musard","year":"2023","unstructured":"Musard Balliu, Benoit Baudry, Sofia Bobadilla, Mathias Ekstedt, Martin Monperrus, Javier Ron, Aman Sharma, Gabriel Skoglund, C\u00e9sar Soto-Valero, and Martin Wittlinger. 2023. Challenges of producing software bill of materials for Java. arXiv preprint arXiv:2303.11102 (2023).","journal-title":"arXiv preprint arXiv:2303.11102"},{"key":"e_1_3_2_7_2","doi-asserted-by":"crossref","unstructured":"Iain Barclay Alun D. Preece Ian J. Taylor Swapna Krishnakumar Radha and Jarek Nabrzyski. 2023. Providing assurance and scrutability on shared data and machine learning models with verifiable credentials. Concurr. Comput. Pract. Exp. 35 18 (2023).","DOI":"10.1002\/cpe.6997"},{"key":"e_1_3_2_8_2","article-title":"Towards traceability in data ecosystems using a bill of materials model","author":"Barclay Iain","year":"2019","unstructured":"Iain Barclay, Alun Preece, Ian Taylor, and Dinesh Verma. 2019. Towards traceability in data ecosystems using a bill of materials model. arXiv preprint arXiv:1904.04253 (2019).","journal-title":"arXiv preprint arXiv:1904.04253"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/3503508"},{"key":"e_1_3_2_10_2","article-title":"Toward trustworthy AI development: Mechanisms for supporting verifiable claims","author":"Brundage Miles","year":"2020","unstructured":"Miles Brundage, Shahar Avin, Jasmine Wang, Haydn Belfield, Gretchen Krueger, Gillian Hadfield, Heidy Khlaaf, Jingying Yang, Helen Toner, Ruth Fong, et\u00a0al. 2020. Toward trustworthy AI development: Mechanisms for supporting verifiable claims. arXiv preprint arXiv:2004.07213 (2020).","journal-title":"arXiv preprint arXiv:2004.07213"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1038\/s41746-021-00403-w"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786854"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/1370720.1370723"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.compind.2014.04.006"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/EITCE47263.2019.9094817"},{"key":"e_1_3_2_16_2","doi-asserted-by":"crossref","unstructured":"Steve Easterbrook Janice Singer Margaret-Anne D. Storey and Daniela E. Damian. 2008. Selecting empirical methods for software engineering research. Guide to Advanced Empirical Software Engineering (2008) 285\u2013311.","DOI":"10.1007\/978-1-84800-044-5_11"},{"key":"e_1_3_2_17_2","volume-title":"Evaluating and Mitigating Software Supply Chain Security Risks","author":"Ellison Robert J.","year":"2010","unstructured":"Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, and Carol Woody. 2010. Evaluating and Mitigating Software Supply Chain Security Risks. Technical Report. Carnegie-Mellon University, Software Engineering Institute, Pittsburgh, PA."},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3142338"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397388"},{"key":"e_1_3_2_20_2","article-title":"Vulnerability disclosure and management for AI\/ML systems: A working paper with policy recommendations","author":"Grotto A. J.","year":"2021","unstructured":"A. J. Grotto and James Dempsey. 2021. Vulnerability disclosure and management for AI\/ML systems: A working paper with policy recommendations. ML Systems: A Working Paper with Policy Recommendations (November 15, 2021) (2021).","journal-title":"ML Systems: A Working Paper with Policy Recommendations (November 15, 2021)"},{"key":"e_1_3_2_21_2","volume-title":"Case Study Research in Software Engineering: Guidelines and Examples","author":"Host Martin","year":"2012","unstructured":"Martin Host, Austen Rainer, Per Runeson, and Bjorn Regnell. 2012. Case Study Research in Software Engineering: Guidelines and Examples. John Wiley & Sons."},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1145\/3475716.3475769"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/2735399.2735408"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1002\/9781119710783.ch6"},{"key":"e_1_3_2_25_2","first-page":"1","volume-title":"Consortium for Information and Software Quality","author":"Krasner Herb","year":"2021","unstructured":"Herb Krasner. 2021. The Cost of Poor Software Quality in the US: A 2020 Report. Consortium for Information and Software Quality.1\u201346."},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179304"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.4324\/9781003128939"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(18)30032-1"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.csi.2016.10.001"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3565384.3565889"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME58846.2023.00016"},{"key":"e_1_3_2_32_2","first-page":"23","volume-title":"Proceedings of the 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA\u201920)","author":"Ohm Marc","year":"2020","unstructured":"Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber\u2019s knife collection: A review of open source software supply chain attacks. In Proceedings of the 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA\u201920). Springer, 23\u201343."},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2020.3011082"},{"key":"e_1_3_2_34_2","unstructured":"OpenAI. 2023. March 20 ChatGPT outage: Here\u2019s what happened. (2023). Retrieved from https:\/\/openai.com\/blog\/march-20-chatgpt-outage"},{"issue":"1","key":"e_1_3_2_35_2","first-page":"112","article-title":"Evolving a new model (SDLC Model-2010) for software development life cycle (SDLC)","volume":"10","author":"Ragunath P. K.","year":"2010","unstructured":"P. K. Ragunath, S. Velmourougan, P. Davachelvan, S. Kayalvizhi, and R. Ravimohan. 2010. Evolving a new model (SDLC Model-2010) for software development life cycle (SDLC). Int. J. Comput. Sci. Netw. Secur. 10, 1 (2010), 112\u2013119.","journal-title":"Int. J. Comput. Sci. Netw. Secur."},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597121"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-008-9102-8"},{"key":"e_1_3_2_38_2","article-title":"Every part of the supply chain can be attacked","author":"Schneier Bruce","year":"2019","unstructured":"Bruce Schneier. 2019. Every part of the supply chain can be attacked. New York Times (2019). Retrieval from https:\/\/www.nytimes.com\/2019\/09\/25\/opinion\/huaweiinternet-security.html","journal-title":"New York Times"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2011.09.003"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3092692"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-55309-7"},{"key":"e_1_3_2_42_2","article-title":"BOMs away! Inside the minds of stakeholders: A comprehensive study of bills of materials for software systems","author":"Stalnaker Trevor","year":"2023","unstructured":"Trevor Stalnaker, Nathan Wintersgill, Oscar Chaparro, Massimiliano Di Penta, Daniel M. German, and Denys Poshyvanyk. 2023. BOMs away! Inside the minds of stakeholders: A comprehensive study of bills of materials for software systems. arXiv preprint arXiv:2309.12206 (2023).","journal-title":"arXiv preprint arXiv:2309.12206"},{"key":"e_1_3_2_43_2","volume-title":"Grounded Theory in Practice","author":"Strauss Anselm","year":"1997","unstructured":"Anselm Strauss and Juliet M. Corbin. 1997. Grounded Theory in Practice. Sage."},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635882"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00219"},{"key":"e_1_3_2_46_2","article-title":"Trust in software supply chains: Blockchain-enabled SBOM and the AIBOM future","author":"Xia Boming","year":"2023","unstructured":"Boming Xia, Dawen Zhang, Yue Liu, Qinghua Lu, Zhenchang Xing, and Liming Zhu. 2023. Trust in software supply chains: Blockchain-enabled SBOM and the AIBOM future. arXiv preprint arXiv:2307.02088 (2023).","journal-title":"arXiv preprint arXiv:2307.02088"},{"issue":"3","key":"e_1_3_2_47_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3503509","article-title":"Predictive models in software engineering: Challenges and opportunities","volume":"31","author":"Yang Yanming","year":"2022","unstructured":"Yanming Yang, Xin Xia, David Lo, Tingting Bi, John Grundy, and Xiaohu Yang. 2022. Predictive models in software engineering: Challenges and opportunities. ACM Trans. Softw. Eng. Methodol. 31, 3 (2022), 1\u201372.","journal-title":"ACM Trans. Softw. Eng. Methodol."}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3654442","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3654442","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T23:57:14Z","timestamp":1750291034000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3654442"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,6,27]]},"references-count":46,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2024,7,31]]}},"alternative-id":["10.1145\/3654442"],"URL":"https:\/\/doi.org\/10.1145\/3654442","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,6,27]]},"assertion":[{"value":"2023-08-22","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-03-13","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-06-27","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}