Department of Computer Science: MSc Thesis Presentations

Beatriz Glaser will present their MSc thesis on Wednesday 18 February at 10:15 in A106, CS building

SBOM Adoption as a Process-Oriented Problem: A Structured Framework

Author: Beatriz Glaser
Supervisor: Lachlan Gunn
Advisor: Janne Taponen

Abstract: Modern software systems depend on complex and evolving software supply chains. The use of open-source components introduces opaque dependency structures that complicate vulnerability management and regulatory compliance. Software Bills of Materials (SBOMs) provide a mechanism for increasing transparency into software composition; however, their practical adoption remains difficult due to fragmented tooling and unclear organizational practices.

This thesis presents a structured and reusable framework for operationalizing SBOM adoption across the software life cycle. The framework defines clear process modules, roles, and SBOM variants, and organizes them into a sequential pipeline that supports validation, transformation, and governance activities. The approach provides a concrete way to structure responsibilities, define quality expectations, and manage SBOM evolution over time.

The framework is instantiated through a reference implementation integrated into an existing development project and evaluated in a real-world setting. The results demonstrate that SBOM quality can be made explicit and systematically governed through process design. The proposed model improves traceability across SBOM operations, supports consistent handling over time, and clarifies practical trade-offs related to validation strictness and organizational overhead.

By providing a technology-agnostic and adaptable process model, this work enables organizations to adopt SBOMs in a systematic, traceable, and sustainable manner.

The thesis shows that SBOM adoption can be made cognitively and organizationally manageable when approached as a structured process rather than a tooling exercise.
