
Securing the Software Supply Chain with Software Bill of Materials (SBOMs): An Empirical Evaluation of Open-Source Tools in Enterprise IT Environments

Research output: Contribution to journal › Article › peer-review

Abstract

The growing adoption of open source software (OSS) has transformed modern software development but has also introduced significant challenges in managing the security and transparency of the software supply chain. Traditional software asset inventories often fail to detect complex and dynamically integrated components. Software bills of materials (SBOMs) have emerged as a promising solution, offering greater visibility into software components and their dependencies. This study presents an empirical evaluation of open-source SBOM generation tools across diverse enterprise IT environments. The evaluation explores their ability to enhance visibility, identify OSS components installed outside package managers, capture hidden dependencies, and operate across modern and legacy systems. Our findings highlight the trade-offs between accuracy, system compatibility, and resource consumption (CPU, RAM, and execution time). Our study also examines the feasibility of leveraging existing software inventory data to streamline SBOM creation. By providing actionable insights into the effectiveness and limitations of SBOM tools, our work contributes to the ongoing efforts to secure the software supply chain through increased transparency and automation.

Original language: English
Pages (from-to): 824-847
Number of pages: 24
Journal: Programming and Computer Software
Volume: 51
Issue number: 8
Publication status: Published - Dec 2025

Keywords

  • open-source software
  • software bill of materials (SBOM)
  • software engineering
  • software inventory
  • software supply chain
