Chaire Cyber CNI – Cybersecurity for Critical Networked Infrastructures

Luis Soeiro and the challenge of public SBOMs!

Luis Soeiro is a doctoral student at IMT Atlantique within the Cyber CNI Chair. His subject: the security of software supply chains. He recently turned his attention to a little-studied but crucial tool for cybersecurity: SBOMs – Software Bills of Materials.

What is an SBOM?

A Software Bill of Materials (SBOM) is a list. It lists everything a piece of software contains:

  • open source components,
  • versions,
  • their origin,
  • and sometimes verification elements.

It’s a bit like a food label: it lets you know what you’re installing, so you can react faster when a flaw is found in one of the ingredients. But today, what do we really know about the SBOMs used in open source projects? Very little. And even less systematically.

Very large-scale research

To answer this question, Luis Soeiro launched an ambitious exploration.

He first searched the Software Heritage (https://www.softwareheritage.org/) archive, the largest existing collection of source code, with over 24 billion source files, for files that were likely to be SBOMs. He then downloaded over 21 million candidates and tested them, identifying over 78,000 unique SBOM files.

The result is the world’s largest database of public SBOMs. Each file was evaluated according to several criteria:

  • format used (CycloneDX, SPDX…),
  • overall quality,
  • provenance,
  • and available metadata.

This project was presented at the MSR 2025 conference, an international event organized by the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery).

What these SBOMs reveal

The results are highly instructive. Firstly, more and more SBOMs are being found in public repositories. This is a good sign: it shows a growing awareness. But quality still varies widely. Some files are complete and well formatted; others are incomplete or even unusable. Finally, there is a wide diversity of formats, which complicates automation and verification and makes it difficult to rely on these files for reliable security analyses.

Why is this important?

Numerous recent attacks have demonstrated it: the software supply chain is a target. It is therefore essential to know what software contains.

A reliable SBOM makes it possible to:

  • detect vulnerable versions,
  • assess how much a component can be trusted,
  • check software dependencies.
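As an added illustration (not part of the original post, and not Luis Soeiro's own tooling), the following Python script normalizes one constructed CycloneDX document and one constructed SPDX document to a common component list, flags components that lack the version, origin or verification (hash) fields described above, and matches versions against a constructed advisory table. The package names, the advisory entries and the `normalize`/`assess` functions are all assumptions made for this example.

```python
import json
# Constructed sample documents (not taken from the Software Heritage dataset).
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "example-http", "version": "1.4.2",
         "purl": "pkg:pypi/example-http@1.4.2",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"name": "mystery-lib"},  # no version, no origin, no hash
    ]})
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{"name": "example-json", "versionInfo": "3.0.1",
                  "downloadLocation": "https://example.invalid/example-json-3.0.1.tgz",
                  "checksums": [{"algorithm": "SHA256", "checksumValue": "11" * 32}]}]})
# Constructed advisory table (package name -> affected versions), not real CVE data.
ADVISORIES = {"example-http": {"1.4.2", "1.4.3"}}
NO_ORIGIN = (None, "NOASSERTION", "NONE")  # SPDX values that carry no provenance

def normalize(text):
    """Map a CycloneDX or SPDX JSON SBOM to (format, list of component dicts)."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", [
            {"name": c.get("name"), "version": c.get("version"),
             "origin": c.get("purl"), "hashes": c.get("hashes", [])}
            for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        comps = []
        for p in doc.get("packages", []):
            loc = p.get("downloadLocation")
            comps.append({"name": p.get("name"), "version": p.get("versionInfo"),
                          "origin": None if loc in NO_ORIGIN else loc,
                          "hashes": p.get("checksums", [])})
        return "SPDX", comps
    return "unknown", []

def assess(text):
    """Report format, per-component completeness gaps and advisory matches."""
    fmt, comps = normalize(text)
    gaps = {c["name"]: [f for f in ("version", "origin", "hashes") if not c[f]]
            for c in comps}
    gaps = {name: missing for name, missing in gaps.items() if missing}
    vulnerable = [(c["name"], c["version"]) for c in comps
                  if c["version"] in ADVISORIES.get(c["name"], ())]
    return {"format": fmt, "components": len(comps),
            "complete": len(comps) - len(gaps), "gaps": gaps,
            "vulnerable": vulnerable}
```

A component with no version cannot be matched against any advisory, which is why the completeness gaps are reported alongside the matches rather than silently dropped.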

Thanks to Luis Soeiro’s work, the community finally has a set of concrete data. It will be useful for research, developers and cybersecurity managers alike.

A project at the crossroads of research and practice

This project is a fine example of applied research. It combines large-scale data analysis, an understanding of standards, and a cybersecurity perspective.

The Cyber CNI Chair and IMT Atlantique support this approach, which aims to produce concrete tools that respond to real challenges. Here, by shedding light on the SBOM ecosystem, it is helping to improve transparency in the software world.
