Supply Chain Insecurity: The Lack of Integrity Protection in SBOM Solutions

📅 2024-12-06
🏛️ arXiv.org
📈 Citations: 1 (influential: 0)
🤖 AI Summary
Software Bill of Materials (SBOM) generation and consumption pipelines widely lack integrity protection mechanisms, enabling insider attackers to stealthily tamper with dependency relationships and vulnerability information—undetectable by existing tooling. Method: We systematically characterize the SBOM integrity attack surface across its full lifecycle via dynamic taint analysis, package manager behavior auditing, and reverse engineering of multi-language SBOM generation chains. Contribution/Results: Our analysis reveals that four widely used SBOM consumption tools and SBOM generation workflows across seven programming languages all omit integrity verification. To address this gap, we propose a lightweight, decentralized integrity assurance framework leveraging IPFS and blockchain-based hash attestation, enabling trustless, verifiable SBOM validation. This work is the first to identify and mitigate end-to-end SBOM integrity vulnerabilities, establishing a foundational mechanism for zero-trust SBOM assurance.

📝 Abstract
The SolarWinds attack that exploited weaknesses in the software update mechanism highlights the critical need for organizations to have better visibility into their software dependencies and potential vulnerabilities associated with them, and the Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security. Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States. The executive order mandates that an SBOM should be provided for all software purchased by federal agencies. The main applications of SBOMs are vulnerability management and license management. This work presents an in-depth and systematic investigation into the integrity of SBOMs. We explore different attack vectors that can be exploited to manipulate SBOM data, including flaws in the SBOM generation and consumption phases in the SBOM life cycle. We thoroughly investigated four SBOM consumption tools and the generation process of SBOMs for seven prominent programming languages. Our systematic investigation reveals that the tools used for consumption lack integrity control mechanisms for dependencies. Similarly, the generation process is susceptible to integrity attacks as well, by manipulating dependency version numbers in package managers and additional files, resulting in incorrect SBOM data. This could lead to incorrect views on software dependencies and vulnerabilities being overlooked during SBOM consumption. To mitigate these issues, we propose a solution incorporating the decentralized storage of hash values of software libraries.
Problem

Research questions and friction points this paper is trying to address.

Examining SBOM integrity risks in software supply chains
Assessing SBOM tools' vulnerability to malicious manipulation
Proposing decentralized solutions for dependency integrity validation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzing SBOM integrity vulnerabilities across languages
Validating dependencies via public repository checks
Exploring decentralized blockchain for SBOM security