Beyond Compliance: A Large Scale Study on the Completeness and Consistency of the GitHub SBOMs
2026-07-06 • Software Engineering
Software Engineering
AI summaryⓘ
The authors studied how well GitHub's automatic software bills of materials (SBOMs) list components, versions, and licenses compared to three other tools. They found that GitHub SBOMs often miss some compliance standards but usually include basic needed info. The quality of version and license details depends a lot on the programming language used. Overall, GitHub's tool performs similarly or better than some alternatives in these areas. They also point out that differences in how programming ecosystems handle dependencies affect the SBOMs' completeness.
SBOMsoftware supply chainopen-source componentsGitHubsoftware vulnerabilitiessoftware licensesdependency managementNTIA complianceprogramming ecosystemssoftware metadata
Authors
Kawsar Ahmed Bhuiyan, Mohamed Bilel Besbes, Rachna Raj, Adam Al Assil, Diego Elias Costa
Abstract
Modern software development relies heavily on open-source components. Reusing components accelerates innovation but increases exposure to supply-chain attacks exploiting known vulnerabilities. Software Bills of Materials (SBOMs) improve software supply chain transparency by enumerating components, their versions, and their provenance. GitHub, the largest open-source development hosting platform, now automatically generates SBOMs for repositories, providing valuable metadata for risk assessment. Yet, it is unclear whether GitHub SBOMs can serve as a reliable source for vulnerability and license analysis, and how incomplete or inconsistent metadata may affect different programming ecosystems. To address this, we conduct a large-scale analysis of 10,000 GitHub repositories across ten programming language ecosystems, evaluating GitHub SBOMs against three other popular SBOM generators: Syft, Trivy, and the Microsoft SBOM Tool. Our study finds a lack of NTIA compliance in GitHub SBOMs, though core metadata is consistently present. We also find that component version and license information availability is highly dependent on the programming ecosystem. Compared with the other three tools, GitHub yields results similar to the Microsoft SBOM Tool and often outperforms Syft and Trivy in providing version and license information. Finally, we discuss potential shortcomings of the GitHub SBOM Tool, directly related to how each ecosystem manages its dependencies.