Study Finds Key Causes of Divergence in Software Bills of Materials
August 11, 2025—A software bill of materials (SBOM) records the details and supply chain relationships of a software product’s components. Different SBOM tools often produce SBOMs with different content for a piece of software at a given point in its lifecycle. This divergence of SBOMs can undermine confidence in these important documents, which help ensure software quality and security. The SEI recently released the findings of a study on how and why SBOMs diverge and how they can be made more consistent.
“If an SBOM is intended to objectively represent the contents of a software project, then differences in SBOMs for the same software would imply differences in content, which shouldn't be the case,” said David Tobar, a senior cybersecurity engineer in the SEI’s CERT Division. “Any software content not captured in an SBOM could represent a vulnerability with potential security implications for critical infrastructure and national security applications making use of that software.”
To increase SBOM quality and trustworthiness, the Cybersecurity and Infrastructure Security Agency (CISA) asked the SEI to uncover the causes of SBOM divergence, such as imprecise definitions or standards, how uncertainty is addressed, or other implementation decisions.
Last November, Tobar and his SEI colleagues Jessie Jamieson, Sasank Vishnubhatla, Mark Priest, and Jason Fricke ran a virtual SBOM Harmonization Plugfest. The Plugfest, named after electronics and software interoperability testing events, brought together 21 SBOM tool vendors, standards producers, and others in the SBOM community. The participants submitted 243 sample SBOMs for nine software targets representing a variety of programming languages.
Using automated tools and expert review, the researchers analyzed the submitted SBOMs. They checked for consistency across minimum required elements such as SBOM type, component name, and component unique identifier. They examined the reported software dependencies on third-party components and evaluated each SBOM according to five criteria, aligned with SBOM quality attributes defined by the U.S. National Telecommunications and Information Administration (NTIA): completeness, accuracy, pedigree, provenance, and integrity. They also compared the submitted SBOMs to a control set they generated. Finally, they calculated each SBOM’s depth and breadth.
The researchers found “significant variance in both the number of components and the content of the minimum required elements,” according to the report Software Bill of Materials (SBOM) Harmonization Plugfest 2024.
The study found that some SBOMs documented many more component dependencies than other SBOMs. Another cause of variance was a lack of normalization in how content was written, such as "version 2.0" versus just "2.0". Plugfest participants also differed in their interpretation of what counts as a dependency and in the SBOM's expected level of transparency. Participants' differing approaches to generating SBOMs for their software's build environment and source code also contributed to divergence.
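The comparison described above (checking minimum elements such as component name and version, measuring depth and breadth, and the effect of unnormalized version strings like "version 2.0" versus "2.0") can be illustrated with a small script. The following is an added example, not code from the SEI report or the Plugfest repository. It assumes a simplified CycloneDX-like layout ("components" as name/version entries and "dependencies" as ref/dependsOn entries keyed by component name) and uses two constructed SBOMs from two hypothetical tools for one hypothetical target.

```python
"""Compare two SBOMs for the same target and measure how they diverge.

Added illustration; not code from the SEI report or the Plugfest repository.
Assumed layout (simplified CycloneDX-like): "components" is a list of
{"name", "version"} entries, "dependencies" a list of {"ref", "dependsOn"}.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample SBOMs for one hypothetical target, produced by two
# hypothetical tools. They describe the same software but differ in version
# formatting, name casing and how deep the dependency tree was resolved.
SBOM_TOOL_A = {
    "components": [
        {"name": "libfoo", "version": "version 2.0"},
        {"name": "LibBar", "version": "v1.4.1"},
        {"name": "zlib", "version": "1.3"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libfoo", "LibBar"]},
        {"ref": "libfoo", "dependsOn": ["zlib"]},
    ],
}
SBOM_TOOL_B = {
    "components": [
        {"name": "libfoo", "version": "2.0"},
        {"name": "libbar", "version": "1.4.1"},
        {"name": "zlib", "version": "1.3"},
        {"name": "openssl", "version": "3.0.13"},  # transitive dep tool A omitted
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libfoo", "libbar"]},
        {"ref": "libfoo", "dependsOn": ["zlib", "openssl"]},
    ],
}

# Leading "version", "ver" or "v" before a digit is formatting, not content.
_VERSION_PREFIX = re.compile(r"^(?:version|ver|v)\s*(?=\d)", re.IGNORECASE)


def normalize_version(version: str) -> str:
    """'version 2.0', 'V2.0' and '2.0' all become '2.0'."""
    return _VERSION_PREFIX.sub("", version.strip())


def normalize_name(name: str) -> str:
    """Component names are compared case-insensitively."""
    return name.strip().lower()


def component_keys(sbom: dict, normalize: bool = True) -> Set[Tuple[str, str]]:
    """Set of (name, version) pairs; normalized unless asked for raw values."""
    keys = set()
    for comp in sbom["components"]:
        name, version = comp["name"], comp["version"]
        if normalize:
            name, version = normalize_name(name), normalize_version(version)
        keys.add((name, version))
    return keys


def compare_sboms(a: dict, b: dict, normalize: bool = True) -> Dict[str, Set[Tuple[str, str]]]:
    """Components shared by both SBOMs and those unique to each side."""
    ka, kb = component_keys(a, normalize), component_keys(b, normalize)
    return {"common": ka & kb, "only_in_a": ka - kb, "only_in_b": kb - ka}


def breadth(sbom: dict) -> int:
    """Breadth: number of components listed."""
    return len(sbom["components"])


def depth(sbom: dict, root: str = "app") -> int:
    """Depth: longest dependency chain (in edges) below root; cycles are cut."""
    graph: Dict[str, List[str]] = {
        d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])
    }

    def walk(node: str, seen: frozenset) -> int:
        if node in seen or not graph.get(node):
            return 0
        return 1 + max(walk(child, seen | {node}) for child in graph[node])

    return walk(root, frozenset())


if __name__ == "__main__":
    for label, norm in (("raw", False), ("normalized", True)):
        diff = compare_sboms(SBOM_TOOL_A, SBOM_TOOL_B, normalize=norm)
        print(f"{label}: common={len(diff['common'])} "
              f"only_in_a={len(diff['only_in_a'])} only_in_b={len(diff['only_in_b'])}")
    print("breadth A/B:", breadth(SBOM_TOOL_A), breadth(SBOM_TOOL_B))
    print("depth   A/B:", depth(SBOM_TOOL_A), depth(SBOM_TOOL_B))
```

Run raw, the two SBOMs agree on only one of their components; after normalizing names and version prefixes they agree on all three that tool A reported, and the remaining difference (openssl) is a genuine content divergence in dependency resolution rather than a formatting artifact. Separating those two classes is the point of normalizing before comparing.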
The study validates and quantifies the divergence of SBOMs seen by those who produce and use them. While the artificial circumstances of the Plugfest may have contributed to some of the variance, Tobar believes that with the high number of SBOM samples submitted, the results accurately represent many of the causes of SBOM divergence in the wild.
The study’s authors offer recommendations to help the software community generate more consistent SBOMs. These include ways to populate SBOM minimum elements more completely and methods for harmonizing SBOMs overall.
Tobar does not expect this study to be the final word in SBOM harmonization. Rather, it offers the software community a quantified baseline of the causes of SBOM divergence. “The study makes visible the issues that stand in the way of harmonization between SBOMs,” said Tobar. “Now the SBOM community can work to solve those problems together, leading to SBOMs that accurately reflect the content of software across the industry.”
Among the report’s recommendations are avenues for further research and improvements in SBOM harmonization. To advance this field of study, Tobar and his team created a GitHub repository of Plugfest artifacts, including most of the submitted SBOMs and the code used to analyze them.
To learn more, download the Software Bill of Materials (SBOM) Harmonization Plugfest 2024 report from the SEI’s Digital Library.