JBomAudit: Assessing the Landscape, Compliance, and Security Implications of Java SBOMs

Yue Xiao

Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · Software Security: Applications & Policies

In an era increasingly defined by complex software supply chain attacks, the talk "JBomAudit: Assessing the Landscape, Compliance, and Security Implications of Java SBOMs" by Yue Xiao at the NDSS Symposium presented critical research on the state of Software Bills of Materials (SBOMs) in the Java ecosystem. The presentation highlighted a pervasive lack of transparency about which components a piece of software actually contains, a weakness that high-profile incidents such as SolarWinds, Log4j, and XZ Utils have dramatically exposed. The core problem addressed is that while SBOMs are widely advocated as the remedy, giving consumers visibility into their dependencies and a way to mitigate the associated risk, real-world SBOMs often fall short of essential compliance standards (required fields missing) and accuracy standards (declared components not matching what is actually shipped).
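A concrete instance of the two kinds of check this research concerns, as an added example that is not the paper's code or the JBomAudit tool: it validates a constructed CycloneDX JSON SBOM against the NTIA minimum elements (supplier name, component name, version, a unique identifier, dependency relationships, author of the SBOM data, timestamp), then cross-checks the declared components against a constructed set of Maven coordinates standing in for the artifacts actually bundled in the jar. The sample SBOM, the coordinate set, and the mapping of NTIA elements onto CycloneDX fields are assumptions of this example, not data or method from the talk.

```python
"""Compliance and accuracy checks for a CycloneDX SBOM (added example).

Not the JBomAudit tool. Assumes the NTIA minimum elements map onto CycloneDX as:
supplier -> supplier.name or publisher; unique identifier -> purl or cpe;
author of SBOM data -> metadata.authors or metadata.tools; timestamp and
dependency relationships -> metadata.timestamp and the dependencies array.
"""
from __future__ import annotations

import json

# Constructed sample CycloneDX 1.5 SBOM: log4j-core is fully described, commons-io
# is missing its version and purl, and a bundled jackson-databind is not listed.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-01-15T10:00:00Z",
        "tools": [{"name": "example-generator", "version": "0.1"}],
        "component": {"group": "com.example", "name": "app", "version": "1.0.0",
                      "type": "application", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "bom-ref": "log4j-core",
         "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1",
         "supplier": {"name": "Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "bom-ref": "commons-io",
         "group": "commons-io", "name": "commons-io",
         "supplier": {"name": "Apache Software Foundation"}},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["log4j-core", "commons-io"]}],
})

# Constructed ground truth: Maven coordinates of what is really inside the shaded
# jar (in a real check, read from META-INF/maven/*/*/pom.properties entries).
ACTUAL_DEPENDENCIES = {
    "org.apache.logging.log4j:log4j-core:2.17.1",
    "commons-io:commons-io:2.11.0",
    "com.fasterxml.jackson.core:jackson-databind:2.15.2",
}


def component_issues(comp: dict) -> list[str]:
    """Return the NTIA minimum elements missing from one component."""
    missing = []
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    if not (comp.get("supplier", {}).get("name") or comp.get("publisher")):
        missing.append("supplier")
    if not (comp.get("purl") or comp.get("cpe")):
        missing.append("unique identifier (purl/cpe)")
    return missing


def sbom_issues(sbom_json: str) -> dict[str, list[str]]:
    """Compliance check: document-level and per-component missing elements."""
    sbom = json.loads(sbom_json)
    meta = sbom.get("metadata", {})
    issues: dict[str, list[str]] = {}
    doc = []
    if not meta.get("timestamp"):
        doc.append("timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        doc.append("author of SBOM data")
    if not sbom.get("dependencies"):
        doc.append("dependency relationships")
    if doc:
        issues["<document>"] = doc
    for comp in sbom.get("components", []):
        missing = component_issues(comp)
        if missing:
            issues[comp.get("bom-ref") or comp.get("name", "?")] = missing
    return issues


def coordinates(comp: dict) -> str:
    """Maven-style group:artifact:version string for a CycloneDX component."""
    return f"{comp.get('group', '')}:{comp.get('name', '')}:{comp.get('version', '')}"


def cross_check(sbom_json: str, actual: set[str]) -> dict[str, list[str]]:
    """Accuracy check: bundled-but-undeclared and declared-but-absent components.

    A component with no version cannot be matched, so it shows up on both
    sides; accuracy checking therefore presupposes the compliance check above.
    """
    declared = {coordinates(c) for c in json.loads(sbom_json).get("components", [])}
    return {"undeclared": sorted(actual - declared),
            "phantom": sorted(declared - actual)}


if __name__ == "__main__":
    print("compliance issues:", sbom_issues(SAMPLE_SBOM))
    print("accuracy issues:  ", cross_check(SAMPLE_SBOM, ACTUAL_DEPENDENCIES))
```

The two checks are deliberately separate: a generator that only reads build metadata can emit an SBOM that passes every field check yet still omits a transitively shaded artifact, which only the cross-check against the shipped jar will catch.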

AI review

Solid academic measurement study with real engineering behind it — JBomAudit and JPK-tax show genuine methodological rigor, and the 25K-SBOM dataset gives the findings actual weight. The work is competent and the problem is real, but the core insight (metadata-only SBOM generators produce garbage SBOMs) won't surprise anyone who's spent time in the supply chain security trenches.
