
Replication Package: "The SBOM Gap: Adoption and Compliance in Open Source Software"

DataCite Commons, updated 2025-12-30, indexed 2026-02-09
Download link:
https://figshare.com/articles/dataset/Replication_Package_The_SBOM_Gap_Adoption_and_Compliance_in_Open_Source_Software_/30359347/1
Resource description:
Replication Package Structure: The replication package contains all data and scripts necessary to reproduce the analyses and results presented in this study.

replication_package/
│
├── data/
│   ├── sbom_repo_paths.csv            # Repository paths and metadata for analyzed projects
│   ├── sbom_project_features.csv      # Extracted features for SBOM projects
│   ├── non_sbom_project_features.csv  # Extracted features for non-SBOM projects
│   └── SBOM_files/                    # Raw SBOM files collected from selected repositories
│
└── code/
    ├── RQ1_regression/                # Scripts for regression analysis (RQ1)
    │   ├── regression.R               # Main regression analysis script
    │   └── common.R                   # Shared functions for data filtering and formatting
    │
    └── RQ2_compliance/                # Scripts for compliance and coverage checks (RQ2)
        ├── check_component_name.py
        ├── check_component_version.py
        ├── check_supplier.py
        ├── check_unique_identifiers.py
        ├── check_sbom_author.py
        ├── check_timestamp.py
        ├── check_dependency.py
        ├── check_hash.py
        ├── check_lifecycle_phase.py
        ├── check_license.py
        ├── check_vex.py
        ├── check_transitive_dependency.py
        ├── check_circular_dep.py
        └── check_all_7_min_req_files.py

Folder Descriptions:

data/: Contains datasets and raw SBOM files used in the analysis.
  - sbom_repo_paths.csv: Maps each SBOM file to its corresponding GitHub repository.
  - sbom_project_features.csv: Contains 23 extracted features for each SBOM-using project.
  - non_sbom_project_features.csv: Contains the same 23 features for matched non-SBOM projects.
  - SBOM_files/: Includes all valid SBOM files collected from open-source projects, in SPDX or CycloneDX formats.

code/: Contains source code for reproducing both research questions.
  - RQ1_regression/:
    - regression.R: Runs multivariate logistic regression across 100 bootstrapped samples.
    - common.R: Defines helper functions for feature selection, multicollinearity removal, and LaTeX formatting of regression outputs.
  - RQ2_compliance/:
    - 14 Python scripts that check SBOM compliance against NTIA's minimum elements and best practices.
Provider:
figshare
Created:
2025-10-14