Hidden Dependencies and Component Variants in SBOM-Based Software Composition Analysis

📅 2026-04-23

🤖 AI Summary
This study addresses the inaccuracies inherent in Software Bills of Materials (SBOMs) when they characterize component identities and actual dependencies, in particular their inability to reliably capture code-level hidden dependencies and to consistently identify component variants. These limitations lead to inconsistencies between vulnerability reports and Vulnerability Exploitability eXchange (VEX) statements. Through SBOM-driven software composition analysis, evaluation with multiple vulnerability scanners, and consistency checks of VEX assertions, the work systematically reveals significant discrepancies and shortcomings in how current mainstream SBOM generation tools handle these challenges. The findings underscore the need for better mechanisms for dependency representation and component identification, and point to concrete directions for improving the reliability of vulnerability management practices.

📝 Abstract
Software Bills of Materials (SBOMs) have emerged as an important technology for vulnerability management amid rising supply-chain attacks. They represent component relationships within a software product and support software composition analysis (SCA) by linking components to known vulnerabilities. However, the effectiveness of SBOM-based analysis depends on how accurately SBOMs represent component identities and actual dependencies in software. This paper studies two mismatch patterns: hidden code-level dependencies that are not represented as component-level dependencies, and component variants (clones) that cannot be identified consistently by scanners. We show that these mismatches can lead to inconsistent vulnerability reporting and inconsistent handling of VEX statements across popular SBOM-based vulnerability scanners. These results highlight limitations in current SBOM production and consumption and motivate richer dependency representation and component identity.
Problem

Research questions and friction points this paper is trying to address.

SBOM
hidden dependencies
component variants
software composition analysis
vulnerability management