• Some open source project SBOMs are low quality. For instance, when applying the SBOM Scorecard tool, nearly four-fifths of the SBOMs lacked package license information and two-fifths lacked any package version information.
• None of the SBOMs conformed to the standards of the National Telecommunications and Information Administration's (NTIA) “minimum elements” framework. The SPDX community’s NTIA Conformance Checker tool, when applied to this SBOM dataset, revealed that the minimum elements appear to be a high bar.
• Some open source projects do have high quality SBOMs. Several SBOMs investigated contained a wide variety of helpful information, especially package IDs (via PURL or CPEs), package versions, and licenses.
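To make the findings above concrete, here is an added example (not the SBOM Scorecard or the NTIA Conformance Checker, and not code from the report) that scores a constructed SPDX 2.3 JSON document for the per-package gaps the report counts (license, version, PURL/CPE identifier, supplier) and for the document-level NTIA minimum elements (author, timestamp, dependency relationships); the field names are the real SPDX JSON keys, while the packages and values are made up.

```python
import json
from collections import Counter

# Constructed SPDX 2.3 document (not from the report's dataset): package
# "libfoo" is complete; "libbar" lacks version, supplier, license and PURL/CPE.
SAMPLE_SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.3", "name": "example-app",
  "creationInfo": {"created": "2023-01-01T00:00:00Z", "creators": ["Tool: example-generator"]},
  "packages": [
    {"SPDXID": "SPDXRef-pkg-a", "name": "libfoo", "versionInfo": "1.2.3",
     "supplier": "Organization: Foo Inc", "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/libfoo@1.2.3"}]},
    {"SPDXID": "SPDXRef-pkg-b", "name": "libbar"}
  ],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-pkg-a",
                     "relationshipType": "DESCRIBES"}]
}
""")

# SPDX allows a field to be present yet carry no real value; count those as missing.
NOASSERTION = {None, "", "NOASSERTION", "NONE"}
ID_TYPES = ("purl", "cpe22Type", "cpe23Type")  # SPDX external reference types for PURL/CPE

def package_gaps(pkg):
    """Per-package NTIA minimum elements (supplier, version, unique ID) that are
    absent, plus 'license', which NTIA does not require but the report scores."""
    gaps = set()
    if pkg.get("supplier") in NOASSERTION:
        gaps.add("supplier")
    if pkg.get("versionInfo") in NOASSERTION:
        gaps.add("version")
    if not any(r.get("referenceType") in ID_TYPES for r in pkg.get("externalRefs", [])):
        gaps.add("unique_id")
    if (pkg.get("licenseConcluded") or pkg.get("licenseDeclared")) in NOASSERTION:
        gaps.add("license")
    return gaps

def score_sbom(doc):
    """Fraction of packages missing each field, document-level NTIA elements,
    and an overall verdict on whether the NTIA minimum elements are all met."""
    pkgs = doc.get("packages", [])
    missing = Counter()
    for p in pkgs:
        missing.update(package_gaps(p))
    n = max(len(pkgs), 1)
    report = {k: missing[k] / n for k in ("supplier", "version", "unique_id", "license")}
    info = doc.get("creationInfo", {})
    report["has_author"] = bool(info.get("creators"))
    report["has_timestamp"] = bool(info.get("created"))
    report["has_relationships"] = bool(doc.get("relationships"))
    report["ntia_minimum_met"] = (report["has_author"] and report["has_timestamp"]
                                  and report["has_relationships"]
                                  and all(report[k] == 0 for k in ("supplier", "version", "unique_id")))
    return report
```

Running `score_sbom(SAMPLE_SBOM)` reports half the packages missing version, license, supplier and identifier, so the document fails the NTIA minimum even though its author, timestamp and relationship data are present.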