NDSS 2025 – JBomAudit: Assessing The Landscape, Compliance, And Security Implications Of Java SBOMS
嗯,用户让我帮忙总结一篇文章的内容,控制在100个字以内,而且不需要特定的开头。我得先仔细阅读文章内容,找出关键信息。 文章标题是“JBomAudit: Assessing the Landscape, Compliance, and Security Implications of Java SBOMs”,看起来是关于Java软件物料清单(SBOM)的研究。作者们来自IBM和Indiana大学。 文章提到SBOM的重要性,包括漏洞管理、许可证合规和软件完整性。NTIA制定了最低要求,但实际中这些要求是否得到满足呢?研究者开发了一个工具来评估SBOM的完整性和准确性,分析了25,882个SBOM和JAR文件,发现7,907个SBOM没有披露直接依赖项,其中有4.97%的遗漏依赖项存在漏洞。 总结时要突出研究对象、工具名称、分析结果以及安全影响。控制在100字以内,所以需要简洁明了。 可能的结构:研究Java SBOM合规性问题,开发工具分析大量数据,发现大量不合规情况及其安全风险。 最后检查字数是否符合要求,并确保没有使用“这篇文章”等开头。 </think> 研究Java软件物料清单(SBOM)的合规性与安全性问题,揭示其在漏洞管理和许可证风险中的重要性。通过开发工具分析25,882个SBOM和JAR文件,发现7,907个SBOM未披露直接依赖项,其中4.97%存在漏洞,凸显非合规SBOM的安全风险。 2026-2-28 16:0:0 Author: securityboulevard.com(查看原文) 阅读量:15 收藏

Session 14A: Software Security: Applications & Policies

Authors, Creators & Presenters: Yue Xiao (IBM Research), Dhilung Kirat (IBM Research), Douglas Lee Schales (IBM Research), Jiyong Jang (IBM Research), Luyi Xing (Indiana University Bloomington), Xiaojing Liao (Indiana University)
PAPER
JBomAudit: Assessing the Landscape, Compliance, and Security Implications of Java SBOMs
A Software Bill of Materials (SBOM) is a detailed inventory that lists the dependencies that make up a software product. Accurate, complete, and up-to-date SBOMs are essential for vulnerability management, reducing license compliance risks, and maintaining high software integrity. The US National Institute of Standards and Technology (NTIA) has established minimum requirements for SBOMs to comply with, especially the correctness and completeness of listed dependencies in SBOMs. However, these requirements remain unexamined in practice. This paper presents the first systematic study on the landscape of SBOMs, including their prevalence, release trends, and characteristics in the Java ecosystem. We developed an end-to-end tool to evaluate the completeness and accuracy of dependencies in SBOMs. Our tool analyzed 25,882 SBOMs and associated JAR files, identifying that 7,907 SBOMs failed to disclose direct dependencies, highlighting the prevalence and severity of SBOM noncompliance issues. Furthermore, 4.97% of these omitted dependencies were vulnerable, leaving software susceptible to potential exploits. Through detailed measurement studies and analysis of root causes, this research uncovers significant security implications of non-compliant SBOMs, especially concerning vulnerability management. These findings, crucial for enhancing SBOM compliance assurance, are being responsibly reported to relevant stakeholders.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations’ YouTube Channel.

Permalink

*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/jDvSTm-_w9A?si=coT5ovjTVAiLYi2M


文章来源: https://securityboulevard.com/2026/02/ndss-2025-jbomaudit-assessing-the-landscape-compliance-and-security-implications-of-java-sboms/
如有侵权请联系:admin#unsafe.sh