Comparative analysis: Software bill of materials generation tooling for large scale medical software
School of Science |
Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.
Language
en
Pages
55
Abstract
Modern software systems rely heavily on open source and third-party components, making software supply chains increasingly complex and difficult to secure. For organizations operating in regulated domains such as medical device development, maintaining visibility into these components is essential for meeting cybersecurity requirements. Software Bills of Materials (SBOMs) have emerged as a core mechanism for achieving this visibility, yet relatively little research has examined the effectiveness of SBOM generation tools within the .NET ecosystem, despite its widespread industrial use. This thesis investigates the performance and automation usability of four SBOM generation tools (syft, cdxgen, cyclonedx-dotnet and sbom-tool) across six .NET microservice projects. Each tool is evaluated using quantitative metrics derived from comparing its output against a Source of Truth generated with the dotnet CLI. Complementing this analysis, the thesis also assesses the developer experience of automating each tool, focusing on portability, installation requirements, command-line flexibility, and suitability for continuous integration pipelines. The findings reveal differences between general-purpose and ecosystem-specific tooling. CycloneDX-Dotnet achieved perfect accuracy because, like the Source of Truth, it is built on the dotnet CLI, while syft produced extensive false positives by including runtime assemblies. Sbom-tool demonstrated strong component detection, though nothing notably better than the other tools. Cdxgen showed consistent, balanced results, with strong component detection and versatility, although it presented minor automation challenges due to execution constraints. Based on these findings, cdxgen is identified as the most suitable option for Varian, offering strong component detection, integration with our in-house license clearance solution, and a long-term vision of supporting a varied technology stack.
The thesis concludes by outlining opportunities for future research, including standardized evaluation frameworks and SBOM integration into broader vulnerability management workflows.
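Added worked example (not code from the thesis, nor from any of the four tools it compares): a small Python script that scores a CycloneDX SBOM against a Source of Truth in the way the abstract describes, i.e. against the package list the dotnet CLI reports. Both inputs are constructed samples embedded inline. The parser assumes the projects / frameworks / topLevelPackages / transitivePackages keys of `dotnet list package --include-transitive --format json`; the CycloneDX side reads the standard components array; the list of name prefixes used to flag likely runtime assemblies among the false positives is a heuristic of mine, not the thesis's method. The constructed BOM deliberately contains one runtime assembly and misses one transitive package, so the output shows both a false positive of the kind the abstract attributes to syft and a false negative.

```python
"""Score a CycloneDX SBOM against a `dotnet list package` Source of Truth.

Added illustration, not code from the thesis. Input shapes assumed: the JSON
of `dotnet list package --include-transitive --format json` and CycloneDX 1.x
JSON. Both samples below are constructed, not real tool output.
"""
import json

# Constructed stand-in for `dotnet list package --include-transitive --format json`.
DOTNET_LIST_JSON = """{
  "version": 1,
  "parameters": "--include-transitive",
  "projects": [
    {
      "path": "src/Orders/Orders.csproj",
      "frameworks": [
        {
          "framework": "net8.0",
          "topLevelPackages": [
            {"id": "Newtonsoft.Json", "requestedVersion": "13.0.3", "resolvedVersion": "13.0.3"},
            {"id": "Serilog", "requestedVersion": "3.1.1", "resolvedVersion": "3.1.1"}
          ],
          "transitivePackages": [
            {"id": "Microsoft.Extensions.Logging.Abstractions", "resolvedVersion": "8.0.0"},
            {"id": "Serilog.Sinks.Console", "resolvedVersion": "5.0.1"}
          ]
        }
      ]
    }
  ]
}"""

# Constructed CycloneDX BOM: lists a runtime assembly (System.Runtime) that is
# not a NuGet dependency of the project and omits one transitive package.
CYCLONEDX_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "newtonsoft.json", "version": "13.0.3",
     "purl": "pkg:nuget/Newtonsoft.Json@13.0.3"},
    {"type": "library", "name": "Serilog", "version": "3.1.1",
     "purl": "pkg:nuget/Serilog@3.1.1"},
    {"type": "library", "name": "Microsoft.Extensions.Logging.Abstractions", "version": "8.0.0",
     "purl": "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@8.0.0"},
    {"type": "library", "name": "System.Runtime", "version": "8.0.0",
     "purl": "pkg:nuget/System.Runtime@8.0.0"}
  ]
}"""


def _key(name, version):
    # NuGet package IDs are case-insensitive, so normalise the name; the version
    # string is compared verbatim (resolvedVersion vs. the BOM's version).
    return (name.lower(), (version or "").strip())


def truth_from_dotnet_list(doc):
    """Set of (id, version) pairs from a parsed `dotnet list package` document.

    Top-level and transitive packages count equally: the SBOM should list
    everything in the resolved dependency graph.
    """
    truth = set()
    for project in doc.get("projects", []):
        for fw in project.get("frameworks", []):
            for pkg in fw.get("topLevelPackages", []) + fw.get("transitivePackages", []):
                truth.add(_key(pkg["id"], pkg.get("resolvedVersion")))
    return truth


def components_from_cyclonedx(bom):
    """Set of (name, version) pairs from a CycloneDX JSON BOM, including nested components."""
    found = set()

    def walk(components):
        for c in components:
            found.add(_key(c.get("name", ""), c.get("version")))
            walk(c.get("components", []))

    walk(bom.get("components", []))
    return found


def score(truth, found):
    """Precision / recall / F1 of `found` against `truth`, plus the mismatches themselves."""
    tp, fp, fn = truth & found, found - truth, truth - found
    precision = len(tp) / len(found) if found else 0.0
    recall = len(tp) / len(truth) if truth else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": len(tp), "fp": len(fp), "fn": len(fn),
            "precision": precision, "recall": recall, "f1": f1,
            "false_positives": sorted(fp), "false_negatives": sorted(fn)}


# Heuristic (my assumption, not from the thesis): prefixes typical of framework
# or runtime assemblies. Only applied to entries already known to be false
# positives, since real NuGet packages such as System.Text.Json also start with "System.".
RUNTIME_PREFIXES = ("system.", "microsoft.netcore.", "runtime.")


def runtime_assembly_suspects(false_positives):
    """False positives whose IDs look like runtime assemblies rather than NuGet dependencies."""
    return [k for k in false_positives if k[0].startswith(RUNTIME_PREFIXES)]


def evaluate(dotnet_list_json=DOTNET_LIST_JSON, cyclonedx_json=CYCLONEDX_JSON):
    truth = truth_from_dotnet_list(json.loads(dotnet_list_json))
    found = components_from_cyclonedx(json.loads(cyclonedx_json))
    result = score(truth, found)
    result["runtime_suspects"] = runtime_assembly_suspects(result["false_positives"])
    return result


if __name__ == "__main__":
    print(json.dumps(evaluate(), indent=2))
```

With the constructed inputs the script reports 3 true positives, 1 false positive (System.Runtime, flagged as a runtime-assembly suspect) and 1 false negative (Serilog.Sinks.Console), so precision, recall and F1 are all 0.75. To run it against real output, replace the two constants with the files produced by `dotnet list package --include-transitive --format json` and by the SBOM tool under test; versions are compared as exact strings, so a tool that emits normalised versions (for example dropping a trailing ".0") will show up as mismatches until a version normaliser is added.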
Supervisor
Haaranen, Lassi
Thesis advisor
Cuccarro, Will
Nagy, Attila