NDSS 2025 – JBomAudit: Assessing The Landscape, Compliance, And Security Implications Of Java SBOMS

The rise of Software Bill of Materials (SBOM) has become a cornerstone of modern software risk management. By cataloguing every component, license, and version used in an application, SBOMs enable organizations to trace vulnerabilities back to their source and satisfy regulatory mandates such as the U.S. National Institute of Standards and Technology (NIST) guidelines. In the Java world, where dependency trees can span thousands of artifacts, maintaining an accurate SBOM is especially challenging. Yet, without reliable inventories, enterprises face blind spots that can be exploited by attackers or trigger compliance penalties.

The JBomAudit study, presented at NDSS 2025, delivers the first large‑scale measurement of Java SBOM health. An automated pipeline examined 25,882 SBOMs paired with their corresponding JAR files, uncovering that 7,907—roughly 30%—failed to list direct dependencies. Among the omitted entries, 4.97% were linked to known CVEs, effectively hiding exploitable code from security teams. The research attributes most gaps to tooling limitations, inconsistent build practices, and a lack of verification steps before SBOM publication, highlighting a systemic compliance shortfall.

These findings send a clear signal to developers, vendors, and policy makers: SBOM generation must be treated as a security control, not a documentation afterthought. Automated validation tools like JBomAudit can be integrated into CI/CD pipelines to flag missing components before release, ensuring NIST‑aligned completeness. Regulators may soon require proof of SBOM accuracy, prompting a shift toward signed, tamper‑evident inventories. As the software supply chain threat landscape intensifies, robust SBOM practices will become a competitive differentiator for organizations seeking to safeguard their Java‑based products.