🤖 AI Summary
Current SBOMs commonly lack vulnerability information, undermining security operability. To address this, we propose an automated SBOM vulnerability enrichment method that integrates CVE database lookups with SPDX/Syft-based dependency parsing to precisely associate known CVE descriptions with the dependencies of 40 real-world GitHub open-source projects, generating human-readable, auditable enriched SBOMs. We further validate practicality via automated pull request submissions and a developer survey in which 92% of respondents affirmed its value for security operations. This work represents the first systematic, real-project deployment of SBOM vulnerability enrichment, revealing critical insights: the necessity of continuous SBOM updates and persistent human adoption bottlenecks. It contributes a reproducible methodology and empirical evidence to support the establishment of dynamic, trustworthy software supply chain security baselines.
📝 Abstract
Software Bills of Material (SBOMs) are becoming a consolidated way, often enforced by governmental regulations, to describe software composition. However, based on recent studies, SBOMs suffer from limited support for their consumption and lack information beyond simple dependencies, especially regarding software vulnerabilities. This paper reports the results of a preliminary study in which we augmented the SBOMs of 40 open-source projects with information about Common Vulnerabilities and Exposures (CVE) exposed by project dependencies. Our augmented SBOMs have been evaluated by submitting pull requests and by asking project owners to answer a survey. Although, in most cases, augmented SBOMs were not directly accepted because owners required continuously updated SBOMs, the received feedback shows the usefulness of the suggested SBOM augmentation.
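The enrichment step the summary and abstract describe, as an added example that is not the paper's tooling: it takes a Syft-style SPDX 2.3 JSON document and attaches matching CVE records as standard SPDX security references and annotations. The sample SBOM, the CVE index, the placeholder CVE identifiers and the advisory.example URL are all constructed here; matching is exact name plus version, and unversioned packages are left untouched rather than guessed.

```python
"""Added example: annotate an SPDX 2.3 JSON SBOM with known CVEs from an offline index."""
import copy
import json
from datetime import datetime, timezone

# Constructed CVE index; the identifiers are placeholders, not real CVE numbers.
CVE_INDEX = {
    "lodash": [{"id": "CVE-0000-00001", "affected": ["4.17.15", "4.17.20"],
                "summary": "placeholder: prototype pollution in merge helpers"}],
    "minimist": [{"id": "CVE-0000-00002", "affected": ["1.2.0"],
                  "summary": "placeholder: prototype pollution in argument parsing"}],
}

# Constructed Syft-style SPDX document: one vulnerable, one patched, one unversioned package.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-project",
    "packages": [
        {"SPDXID": "SPDXRef-Package-lodash", "name": "lodash", "versionInfo": "4.17.20"},
        {"SPDXID": "SPDXRef-Package-minimist", "name": "minimist", "versionInfo": "1.2.6"},
        {"SPDXID": "SPDXRef-Package-express", "name": "express"},
    ],
}

def cves_for(pkg, index):
    """Return index records whose affected list contains this exact package version."""
    version = pkg.get("versionInfo")
    if not version:
        return []  # unversioned packages cannot be matched reliably; never guess
    return [rec for rec in index.get(pkg["name"], []) if version in rec["affected"]]

def enrich_sbom(sbom, index, advisory_base="https://advisory.example/"):
    """Return (enriched copy, match count); each match adds a SECURITY externalRef
    plus a human-readable annotation, both standard SPDX 2.3 package fields."""
    out = copy.deepcopy(sbom)  # leave the caller's SBOM untouched
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    hits = 0
    for pkg in out["packages"]:
        for rec in cves_for(pkg, index):
            hits += 1
            pkg.setdefault("externalRefs", []).append({
                "referenceCategory": "SECURITY", "referenceType": "advisory",
                "referenceLocator": advisory_base + rec["id"]})
            pkg.setdefault("annotations", []).append({
                "annotationType": "OTHER", "annotator": "Tool: sbom-cve-enricher-example",
                "annotationDate": stamp, "comment": f"{rec['id']}: {rec['summary']}"})
    return out, hits

if __name__ == "__main__":
    print(json.dumps(enrich_sbom(SAMPLE_SBOM, CVE_INDEX)[0], indent=2))
```

A real deployment would replace CVE_INDEX with lookups against a live feed such as NVD or OSV and re-run on every dependency change, which is the continuous-update requirement the project owners raised.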