[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-82835-en":3,"doc-seo-82835-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},82835,5909877438554,"Maeve","https://ap-avatar.wpscdn.com/avatar/5600025385ad2bf12a7?_k=1778553567797529272",8,"Research & Report","Beyond Compliance: A Large Scale Study on the Completeness and Consistency of the GitHub SBOMs","Modern software development increasingly reuses open-source components, which accelerates innovation while heightening exposure to supply-chain attacks through known vulnerabilities. Software Bills of Materials (SBOMs) strengthen transparency by enumerating components, versions, and provenance. GitHub’s automated SBOM generation for repositories promises useful metadata for risk assessment, yet reliability for vulnerability and license analysis remains uncertain. A large-scale evaluation of 10,000 repositories compares GitHub SBOMs with Syft, Trivy, and a Microsoft tool.","arXiv :2607 .046 14v 1 [ cs . SE] 6 Jul 2026  \nNoname manuscript No.  \n(will be inserted by the editor)  \nBeyond Compliance: A Large Scale Study on the Completeness and Consistency of the GitHub SBOMs  \nKawsar Ahmed Bhuiyan · Mohamed Bilel Besbes · Rachna Raj · Adam Al  \nAssil · Diego Elias Costa  \nReceived: date / Accepted: date  \nAbstract Modern software development relies heavily on open-source components. Reusing components accelerates innovation but increases exposure to supply-chain attacks exploiting known vulnerabilities. Software Bills of Materials (SBOMs) improve software supply chain transparency by enumerating components, their versions, and their provenance. GitHub, the largest opensource development hosting platform, now automatically generates SBOMs for repositories, providing valuable metadata for risk assessment. Yet, it is unclear whether GitHub SBOMs can serve as a reliable source for vulnerability and license analysis, and how incomplete or inconsistent metadata may affect different programming ecosystems. To address this, we conduct a largescale analysis of 10,000 GitHub repositories across ten programming language ecosystems, evaluating GitHub SBOMs against three other popular SBOM generators: Syft, Trivy, and the Microsoft SBOM Tool. Our study finds a lack of NTIA compliance in GitHub SBOMs, though core metadata is consistently present. We also find that component version and license information availability is highly dependent on the programming ecosystem. Compared with  \nKawsar Ahmed Bhuiyan  \nREALISE Lab, Concordia University, Montr´eal, Canada E-mail: [kawsarahmed.bhuiyan@mail.concordia.ca](kawsarahmed.bhuiyan@mail.concordia.ca)  \nMohamed Bilel Besbes  \nREALISE Lab, Concordia University, Montr´eal, Canada [E-mail: mohamedbilel.besbes@mail.concordia.ca](E-mail: mohamedbilel.besbes@mail.concordia.ca)  \nRachna Raj  \nREALISE Lab, Concordia University, Montr´eal, Canada E-mail: [rachna.raj@mail.concordia.ca](rachna.raj@mail.concordia.ca)  \nAdam Al Assil  \nREALISE Lab, Concordia University, Montr´eal, Canada E-mail: [adam.alassil@concordia.ca](adam.alassil@concordia.ca)  \nDiego Elias Costa  \nREALISE Lab, Concordia University, Montr´eal, Canada E-mail: [diego.costa@concordia.ca](diego.costa@concordia.ca)  \nthe other three tools, GitHub yields results similar to the Microsoft SBOM Tool and often outperforms Syft and Trivy in providing version and license information. Finally, we discuss potential shortcomings of the GitHub SBOM Tool, directly related to how each ecosystem manages its dependencies.  \nKeywords Software bill of materials · Software supply chain · Empirical study · SBOM Generators  \n1 Introduction  \nThe increasing reliance on third-party and open-source software components has become a defining characteristic of contemporary software development [64] . While this trend enables faster innovation and reduces engineering costs, it also increases the risk of exploitation, as attackers may target known vulnerabilities in these components, potentially undermining system integrity, exposing sensitive data, or causing significant operational and economic damage [26][16][42] . These challenges are intensified by the growing scale and complexity of software dependency networks, which often span thousands of interrelated packages [29][48] .  \nTo address these concerns, the Software Bill of Materials (SBOM) has emerged as a key mechanism for enhancing transparency in the software supply chain. An SBOM provides a structured inventory of all software components, including open-source and proprietary modules, along with their dependencies and relationships [54] [67] . By making this information transparent, SBOMs allow downstream users to assess potential cybersecurity and licensing risks [10] [21] . The strategic importance of SBOMs was recognized in the U.S. Executive Order on Improving the Nation’s Cybersecurity, issued in May 2021, which mandated the use of SBOMs in federal software procurement [62] . To p","cbCaitvz3bObHnLF","https://ap.wps.com/l/cbCaitvz3bObHnLF","pdf",2054966,1,43,"English","en",105,"# Introduction\n## Motivation and background\n## SBOM transparency and standards\n# Research questions and study design\n## Compliance and completeness evaluation\n## Version and license information analysis","[{\"question\":\"What problem does the study investigate about GitHub SBOMs?\",\"answer\":\"The study investigates whether GitHub-generated SBOMs reliably provide complete and consistent metadata for vulnerability and license analysis, and how missing or inconsistent information affects different ecosystems.\"},{\"question\":\"How large is the empirical analysis and what ecosystems are covered?\",\"answer\":\"The study analyzes SBOM data from 10,000 GitHub repositories across ten programming language ecosystems: C, C++, C#, Python, PHP, Java, JavaScript, Go, Swift, and Rust.\"},{\"question\":\"Which SBOM generators are compared against GitHub?\",\"answer\":\"GitHub SBOMs are compared with Syft, Trivy, and the Microsoft SBOM Tool to assess compliance, completeness, and availability of version and license metadata.\"}]",1784183292,108,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"beyond-compliance-a-large-scale-study-on-the-completeness-and-consistency-of-the-github-sboms","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/beyond-compliance-a-large-scale-study-on-the-completeness-and-consistency-of-the-github-sboms/82835/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What problem does the study investigate about GitHub SBOMs?","Question",{"text":75,"@type":76},"The study investigates whether GitHub-generated SBOMs reliably provide complete and consistent metadata for vulnerability and license analysis, and how missing or inconsistent information affects different ecosystems.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How large is the empirical analysis and what ecosystems are covered?",{"text":80,"@type":76},"The study analyzes SBOM data from 10,000 GitHub repositories across ten programming language ecosystems: C, C++, C#, Python, PHP, Java, JavaScript, Go, Swift, and Rust.",{"name":82,"@type":73,"acceptedAnswer":83},"Which SBOM generators are compared against GitHub?",{"text":84,"@type":76},"GitHub SBOMs are compared with Syft, Trivy, and the Microsoft SBOM Tool to assess compliance, completeness, and availability of version and license metadata.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]