International Journal of Computer Trends and Technology

Research Article | Open Access
Volume 73 | Issue 12 | Year 2025 | Article Id. IJCTT-V73I12P103 | DOI : https://doi.org/10.14445/22312803/IJCTT-V73I12P103

AI-Assisted Verification of SBOM Accuracy and Drift in Software Supply Chains


Karthikeyan Thirumalaisamy

Received: 23 Oct 2025 | Revised: 28 Nov 2025 | Accepted: 08 Dec 2025 | Published: 27 Dec 2025

Citation:

Karthikeyan Thirumalaisamy, "AI-Assisted Verification of SBOM Accuracy and Drift in Software Supply Chains," International Journal of Computer Trends and Technology (IJCTT), vol. 73, no. 12, pp. 13-21, 2025. Crossref, https://doi.org/10.14445/22312803/IJCTT-V73I12P103

Abstract

Modern software supply chain security depends on Software Bills of Materials (SBOMs), which provide transparency, compliance verification and component-origin tracking for complex software systems. In fast-paced DevSecOps pipelines, however, SBOM accuracy deteriorates rapidly: as dependencies change, build environments evolve and automatic updates occur, the contents of the actual software artifact diverge from what the declared SBOM states. This decline in metadata accuracy exposes the software supply chain to version spoofing, dependency confusion and the unintentional use of untrusted components. This paper presents an AI-based system that detects SBOM drift and measures the extent of the discrepancy between declared and actual software content. The system uses machine learning to compare software build artifacts with dependency graphs and component metadata, flagging every discrepancy between the declared SBOM information and the components actually present. Each discrepancy is assigned one of four severity levels, from Critical to Low, and builds with High or Critical findings are blocked from deployment until developers fix the underlying problems. Continuous, automated checking strengthens supply-chain security while minimising manual inspection and keeping the development pipeline compliant, enabling organisations to maintain a dependable software supply chain that supports fast-paced development methods.
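As an added illustration, not the paper's own code, of the comparison and gate the abstract describes: declared versus observed components, the four severity levels, and the block on High or Critical findings. The paper's machine-learning comparator is replaced here by fixed rules, the severity assigned to each kind of discrepancy is an assumption made for the example, and both the SBOM and the artifact contents are constructed samples.

```python
"""Deterministic SBOM drift check (added example; the paper uses an ML comparator).
The rule mapping each discrepancy kind to a severity is an assumption for illustration."""
from __future__ import annotations
from dataclasses import dataclass

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

@dataclass(frozen=True)
class Finding:
    component: str
    kind: str        # "undeclared", "version_mismatch" or "missing"
    severity: str    # one of the four levels in SEVERITY_RANK
    detail: str

def compare_sbom(declared: dict[str, str], observed: dict[str, str]) -> list[Finding]:
    """Compare the declared SBOM {name: version} with what the built artifact contains."""
    findings: list[Finding] = []
    for name, ver in observed.items():
        if name not in declared:
            # Shipped but never declared: possible untrusted component -> Critical (assumed rule)
            findings.append(Finding(name, "undeclared", "Critical", f"present at {ver}, absent from SBOM"))
        elif declared[name] != ver:
            # Same component, different version: major-version change is High, else Medium (assumed rule)
            dmaj, omaj = declared[name].split(".")[0], ver.split(".")[0]
            sev = "High" if dmaj != omaj else "Medium"
            findings.append(Finding(name, "version_mismatch", sev, f"declared {declared[name]}, found {ver}"))
    for name, ver in declared.items():
        if name not in observed:
            # Declared but not shipped: stale metadata rather than an intrusion -> Low (assumed rule)
            findings.append(Finding(name, "missing", "Low", f"declared {ver}, not in artifact"))
    return findings

def gate(findings: list[Finding]) -> tuple[bool, str]:
    """Deployment gate: allow only when the worst finding is below High. Returns (allowed, worst)."""
    if not findings:
        return True, "none"
    worst = max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity
    return SEVERITY_RANK[worst] < SEVERITY_RANK["High"], worst

# Constructed sample inputs: a declared SBOM and what a scan of the artifact actually found.
DECLARED = {"requests": "2.31.0", "urllib3": "2.0.7", "certifi": "2023.7.22"}
OBSERVED = {"requests": "2.31.0", "urllib3": "1.26.18", "left-pad-shim": "0.1.0"}

if __name__ == "__main__":
    drift = compare_sbom(DECLARED, OBSERVED)
    for f in drift:
        print(f"{f.severity:8} {f.kind:16} {f.component}: {f.detail}")
    allowed, worst = gate(drift)
    print("deploy:", "ALLOW" if allowed else "BLOCK", "(worst:", worst + ")")
```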

Keywords

SBOM, Software Bills of Materials, Vulnerability Management, Supply Chain Security, AI Security, DevSecOps.
