Modern cloud-native applications rely on heterogeneous microservices and third-party components, often built atop Linux-based container images. However, format incompatibilities between Software Bill of Materials (SBOM) generators and vulnerability scanners lead to high false-negative rates and reporting inconsistencies in vulnerability detection. Method: This paper conducts a systematic interoperability evaluation of mainstream SBOM tools (e.g., Syft, Trivy) and vulnerability scanners (e.g., Grype, OSV) on Linux base images. It introduces the novel concept of “SBOM confusion vulnerabilities”—security blind spots arising from inconsistent package identification, version parsing, and provenance mapping. Through multi-tool comparison, fine-grained OS-package-level SBOM extraction, and cross-source vulnerability matching, we quantify detection gaps. Contribution/Results: We find that, on average, 32.7% of known CVEs remain undetected by any evaluated toolchain. Based on these findings, we propose a verifiable SBOM compliance interoperability framework, providing empirical foundations and a standardization pathway for trustworthy software supply chains.

Supply chain security is extremely important for modern applications running at scale in the cloud. In fact, they involve a large number of heterogeneous microservices that also include third-party software. As a result, security vulnerabilities are hard to identify and mitigate before they start being actively exploited by attackers. For this reason, governments have recently introduced cybersecurity regulations that require vendors to share a software bill of material (SBOM) with end users or regulators. An SBOM can be employed to identify the security vulnerabilities of a software component even without access to its source code, as long as it is accurate and interoperable across different tools. This work evaluates this issue through a comprehensive study of tools for SBOM generation and vulnerability scanning, including both open-source software and cloud services from major providers. We specifically target software containers and focus on operating system packages in Linux distributions that are widely used as base images due to their far-reaching security impact. Our findings show that the considered tools are largely incompatible, leading to inaccurate reporting and a large amount of undetected vulnerabilities. We uncover the SBOM confusion vulnerability, a byproduct of such fragmented ecosystem, where inconsistent formats prevent reliable vulnerability detection across tools.