SBOM reliability structural failure
SBOMs from six ecosystems all miss indirect dependencies—and npm averages hundreds per package All Things OpenTL;DW
- Indirect dependencies often outnumber direct dependencies by orders of magnitude—npm projects average huge counts; Docker containers can exceed 10,000 packages from just a base image plus 20 selected packages
- Different package ecosystems (pip, npm, maven, go, cargo, gradle) generate SBOMs with fundamentally different metadata quality and dependency capture—tool selection matters significantly
- Dependencies are not static: version pinning behavior, build environment (Windows/Mac/Linux), CI/CD tool injection, and build timing all alter which dependencies actually get included in your software
- For Python, use pip-licenses and cyclone-dx-pip; for npm, use npm-license-checker and cyclone-dx; for Go, must run go-licenses inside containers; for Gradle/Maven, convert SBOM XML to legal notices via OSS attribution tools
- Running package managers inside containers is essential for accurate metadata—container analysis tools (Syft) may miss native language dependencies unless tools run in the container environment
- Developers significantly underestimate their dependency count and typically know only first-order dependencies, missing second and deeper order dependencies that may carry restrictive licenses or security vulnerabilities
- SBOM generation timestamps matter: SBOMs created months ago may be obsolete if dependency versions have changed, making historical SBOMs unreliable for compliance or security
- When distributing software externally, compliance obligations increase substantially compared to internal use—SBOMs alone are insufficient; convert to human-readable legal notices for distribution
- Use package manager lock files to prevent dependency tree changes; audit dependencies with tools like npm-check or maven-dependency-tree; test after version changes to catch breaking dependency updates
- Multiple package managers on the same system create blind spots—npm might not capture pip-installed CSVKit, so use matching package managers for complete inventory visibility
TL;DW
- Indirect dependencies often outnumber direct dependencies by orders of magnitude—npm projects average huge counts; Docker containers can exceed 10,000 packages from just a base image plus 20 selected packages
- Different package ecosystems (pip, npm, maven, go, cargo, gradle) generate SBOMs with fundamentally different metadata quality and dependency capture—tool selection matters significantly
- Dependencies are not static: version pinning behavior, build environment (Windows/Mac/Linux), CI/CD tool injection, and build timing all alter which dependencies actually get included in your software
- For Python, use pip-licenses and cyclone-dx-pip; for npm, use npm-license-checker and cyclone-dx; for Go, must run go-licenses inside containers; for Gradle/Maven, convert SBOM XML to legal notices via OSS attribution tools
- Running package managers inside containers is essential for accurate metadata—container analysis tools (Syft) may miss native language dependencies unless tools run in the container environment
- Developers significantly underestimate their dependency count and typically know only first-order dependencies, missing second and deeper order dependencies that may carry restrictive licenses or security vulnerabilities
- SBOM generation timestamps matter: SBOMs created months ago may be obsolete if dependency versions have changed, making historical SBOMs unreliable for compliance or security
- When distributing software externally, compliance obligations increase substantially compared to internal use—SBOMs alone are insufficient; convert to human-readable legal notices for distribution
- Use package manager lock files to prevent dependency tree changes; audit dependencies with tools like npm-check or maven-dependency-tree; test after version changes to catch breaking dependency updates
- Multiple package managers on the same system create blind spots—npm might not capture pip-installed CSVKit, so use matching package managers for complete inventory visibility
Walks through SBOM generation for Python, npm, Maven, Go, Cargo, and Gradle plus Docker using pip-licenses, CycloneDX, and Syft. Each tool only sees its own ecosystem, lock file discipline is inconsistent, and CI/CD tooling injects unlisted deps—so an SBOM from three months ago is likely already wrong.
