Software Bill of Materials (SBOM) documents have become a cornerstone of modern software supply chain security, mandated by regulatory frameworks such as US Executive Order 14028 and the EU Cyber Resilience Act. The CycloneDX standard has evolved rapidly from version 1.4 to version 1.7, introducing richer evidence layers, copyright notices, and formulation blocks designed to enable automated policy enforcement. However, the extent to which real-world open-source projects and the tooling ecosystem have adopted these capabilities remains largely uncharted. We present the first large-scale empirical study of CycloneDX SBOM quality across 50 prominent open-source repositories spanning five programming language ecosystems (Go, Java, JavaScript, Python, Rust), encompassing 42,541 total software components. Using Syft v1.44.0 the most widely deployed open-source SBOM generation tool we measure 14 quality metrics per repository and evaluate compliance against 10 security policies derived from real-world DevSecOps requirements. Our study reveals three critical findings. First, SBOM quality is alarmingly low: mean license coverage across all 50 repositories is only 19.01%, copyright coverage is 0% universally, and 54% of repositories carry zero license information for any component. Second, quality varies dramatically by ecosystem: Go projects achieve a mean license coverage of 66.76% while Rust projects average just 0.14%, suggesting that package management architecture significantly influences SBOM richness. Third, and most critically, we discover a tooling readiness gap: Syft v1.44.0 does not support CycloneDX 1.7 output format, failing 100% of generation attempts demonstrating that the gap between standard publication and ecosystem adoption is not merely in project metadata, but in the tools themselves. Under a simulated set of 10 security policies, 100% of repositories fail 9 out of 10 policies, passing only the trivial metadata-presence check. These findings have direct implications for compliance mandates, tool vendors, and ongoing efforts such as FOSSology's CycloneDX 1.7 migration.
Krrish Biswas (Tue,) studied this question.