SBOMs are everywhere. They are still not telling you what you think.
We pulled SBOMs from forty production deployments. Half were stale. A quarter were wrong. The useful ones had something in common.

The Software Bill of Materials has become a checkbox. That is good for procurement and bad for security, because a checkbox SBOM does not tell you whether the library a vendor shipped six months ago is the library running in production today.
We pulled, parsed, and compared forty real SBOMs against the binaries actually deployed. The gap is wider than the marketing suggests.
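To make the comparison concrete, the script below (an added example, not the tooling behind the forty-SBOM study) parses a constructed CycloneDX-style component list and diffs it against a constructed host inventory, separating version drift from declared-but-absent and present-but-undeclared packages.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not a real vendor SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "openssl", "version": "3.0.8"},
    {"name": "zlib", "version": "1.2.13"},
    {"name": "libxml2", "version": "2.10.3"}
  ]
}"""

# Constructed inventory of what is actually installed on the host
# (what a package query would return), as name -> version.
DEPLOYED = {
    "openssl": "3.0.12",   # upgraded after the SBOM was produced
    "zlib": "1.2.13",      # matches the SBOM
    "curl": "8.4.0",       # present on the host but never declared
}

def sbom_components(sbom_text):
    """Return {name: version} for every component declared in the SBOM."""
    doc = json.loads(sbom_text)
    return {c["name"]: c.get("version", "") for c in doc.get("components", [])}

def drift(declared, deployed):
    """Compare the declared SBOM against the observed inventory.

    stale:      same package, different version (the SBOM is out of date)
    missing:    declared in the SBOM but not found on the host
    undeclared: running on the host but absent from the SBOM
    """
    stale = {n: (declared[n], deployed[n])
             for n in declared if n in deployed and declared[n] != deployed[n]}
    missing = sorted(n for n in declared if n not in deployed)
    undeclared = sorted(n for n in deployed if n not in declared)
    return {"stale": stale, "missing": missing, "undeclared": undeclared}

def sbom_drift(sbom_text, deployed):
    """Parse an SBOM document and report its drift from the deployed inventory."""
    return drift(sbom_components(sbom_text), deployed)

if __name__ == "__main__":
    print(json.dumps(sbom_drift(SBOM_JSON, DEPLOYED), indent=2))
```

Any non-empty `stale` or `undeclared` bucket is the gap the study measured: the document says one thing and the binaries say another.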
