The rapid growth of software supply chain attacks has attracted considerable attention to software bill of materials (SBOM). SBOMs are a crucial building block to ensure the transparency of software supply chains that helps improve software supply chain security. Although there are significant efforts from academia and industry to facilitate SBOM development, it is still unclear how practitioners perceive SBOMs and what are the challenges of adopting SBOMs in practice. Furthermore, existing SBOM-related studies tend to be ad-hoc and lack software engineering focuses. To bridge this gap, we conducted the first empirical study to interview and survey SBOM practitioners. We applied a mixed qualitative and quantitative method for gathering data from 17 interviewees and 65 survey respondents from 15 countries across five continents to understand how practitioners perceive the SBOM field. We summarized 26 statements and grouped them into three topics on SBOM's states of practice. Based on the study results, we derived a goal model and highlighted future directions where practitioners can put in their effort.
翻译:软件供应链攻击的迅速增长引起了对软件材料帐单(SBOM)的极大关注。SBOM是确保软件供应链透明度的重要基石,有助于改进软件供应链安全。尽管学术界和工业界为促进SBOM开发做出了重大努力,但尚不清楚从业人员如何看待SBOM,实际中采用SBOM的挑战是什么。此外,现有的SBOM相关研究往往是临时性的,缺乏软件工程重点。为弥补这一差距,我们进行了第一次经验研究,访谈和调查SBOM从业人员。我们采用了一种混合的定性和定量方法,从来自五大洲15个国家的17名受访者和65名受访者收集数据,以了解SBOM实地的从业人员的看法。我们总结了26份声明,将其归为关于SBOM实践状况的三个专题。我们根据研究结果得出了一个目标模型,并着重指出了实践者在他们工作中可以遵循的未来方向。