
Replication Package: "The SBOM Gap: Adoption and Compliance in Open Source Software"

Source: Figshare. Updated 2025-12-30; indexed 2026-04-08.
Download link:
https://figshare.com/articles/dataset/Replication_Package_The_SBOM_Gap_Adoption_and_Compliance_in_Open_Source_Software_/30359347/2
Resource description:
Replication Package Structure:

The replication package contains all data and scripts necessary to reproduce the analyses and results presented in the paper:

M. F. Rabbi, A. K. Turzo, A. I. Champa, and M. Zibran, "The SBOM Gap: Adoption and Compliance in Open Source Software," in 2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), Limassol, Cyprus, 2026, pp. 1–12.

    replication_package/
    ├── data/
    │   ├── sbom_repo_paths.csv            # Repository paths and metadata for analyzed projects
    │   ├── sbom_project_features.csv      # Extracted features for SBOM projects
    │   ├── non_sbom_project_features.csv  # Extracted features for non-SBOM projects
    │   └── SBOM_files/                    # Raw SBOM files collected from selected repositories
    │
    └── code/
        ├── RQ1_regression/                # Scripts for regression analysis (RQ1)
        │   ├── regression.R               # Main regression analysis script
        │   └── common.R                   # Shared functions for data filtering and formatting
        │
        └── RQ2_compliance/                # Scripts for compliance and coverage checks (RQ2)
            ├── check_component_name.py
            ├── check_component_version.py
            ├── check_supplier.py
            ├── check_unique_identifiers.py
            ├── check_sbom_author.py
            ├── check_timestamp.py
            ├── check_dependency.py
            ├── check_hash.py
            ├── check_lifecycle_phase.py
            ├── check_license.py
            ├── check_vex.py
            ├── check_transitive_dependency.py
            ├── check_circular_dep.py
            └── check_all_7_min_req_files.py

Folder Descriptions:

data/: Contains datasets and raw SBOM files used in the analysis.
- sbom_repo_paths.csv: Maps each SBOM file to its corresponding GitHub repository.
- sbom_project_features.csv: Contains 21 extracted features for each SBOM-using project.
- non_sbom_project_features.csv: Contains the same 21 features for matched non-SBOM projects.
- SBOM_files/: Includes all valid SBOM files collected from open-source projects, in SPDX or CycloneDX formats.

code/: Contains source code for reproducing both research questions.
- RQ1_regression/:
  - regression.R: Runs multivariate logistic regression across 100 bootstrapped samples.
  - common.R: Defines helper functions for feature selection, multicollinearity removal, and LaTeX formatting of regression outputs.
- RQ2_compliance/:
  - 14 Python scripts that check SBOM compliance against NTIA's minimum elements and best practices.

Citation

If you use this dataset or replication package, please cite:

    @inproceedings{rabbi2026sbomgap,
      author    = {Md Fazle Rabbi and Asif Kamal Turzo and Arifa Islam Champa and Minhaz Zibran},
      title     = {The SBOM Gap: Adoption and Compliance in Open Source Software},
      booktitle = {2026 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)},
      year      = {2026},
      pages     = {1--12},
      address   = {Limassol, Cyprus},
      publisher = {IEEE}
    }
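As an added example (not part of the replication package and not the authors' scripts), the following Python checker illustrates the kind of minimum-element check the RQ2_compliance scripts perform: it takes a CycloneDX JSON SBOM and reports, for each of NTIA's seven minimum elements (supplier name, component name, component version, other unique identifiers, dependency relationship, SBOM author, timestamp), which entries lack it, then derives an overall pass/fail. The field names follow the CycloneDX JSON schema; the sample SBOM, the function names and the exact pass/fail rules are assumptions made for this illustration and need not match how the package's scripts decide compliance.

```python
import json

# The seven NTIA minimum elements (NTIA, "The Minimum Elements for a
# Software Bill of Materials (SBOM)", July 2021).
NTIA_MIN_ELEMENTS = (
    "supplier_name",
    "component_name",
    "component_version",
    "unique_identifiers",
    "dependency_relationship",
    "sbom_author",
    "timestamp",
)


def load_cyclonedx(text):
    """Parse a CycloneDX JSON document and reject anything else up front."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON SBOM")
    return sbom


def check_min_elements(sbom):
    """Map each NTIA element to the components (or "<document>") that lack it.

    An empty list means the element is satisfied throughout the SBOM.
    """
    components = sbom.get("components") or []
    metadata = sbom.get("metadata") or {}
    report = {element: [] for element in NTIA_MIN_ELEMENTS}

    # Per-component elements.
    for idx, comp in enumerate(components):
        label = comp.get("name") or f"<component #{idx}>"
        if not comp.get("name"):
            report["component_name"].append(label)
        if not comp.get("version"):
            report["component_version"].append(label)
        if not (comp.get("supplier") or {}).get("name"):
            report["supplier_name"].append(label)
        # "Other unique identifiers": purl, CPE or SWID. A bom-ref alone is
        # document-local and is not counted as a unique identifier here.
        if not any(comp.get(key) for key in ("purl", "cpe", "swid")):
            report["unique_identifiers"].append(label)

    # Dependency relationship (assumed rule): every listed component must
    # appear in the dependency graph, either as a node ('ref') or as a
    # child ('dependsOn'); a component without a bom-ref cannot be linked.
    referenced = set()
    for dep in sbom.get("dependencies") or []:
        if dep.get("ref"):
            referenced.add(dep["ref"])
        referenced.update(dep.get("dependsOn") or [])
    for idx, comp in enumerate(components):
        ref = comp.get("bom-ref")
        if not ref or ref not in referenced:
            report["dependency_relationship"].append(comp.get("name") or f"<component #{idx}>")

    # Document-level elements: author (metadata.authors or metadata.tools) and timestamp.
    if not (metadata.get("authors") or metadata.get("tools")):
        report["sbom_author"].append("<document>")
    if not metadata.get("timestamp"):
        report["timestamp"].append("<document>")
    return report


def missing_elements(report):
    """Sorted names of the NTIA elements that at least one entry fails."""
    return sorted(name for name, failures in report.items() if failures)


def is_ntia_compliant(report):
    """True only when every one of the seven elements is satisfied everywhere."""
    return not missing_elements(report)


# Constructed sample SBOM (not taken from any real project): one clean
# component, one missing version and supplier, and one vendored blob with
# no identifiers and no place in the dependency graph.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2025-01-15T10:00:00Z",
        "authors": [{"name": "Example Build Pipeline (constructed)"}],
        "component": {"bom-ref": "app", "type": "application",
                      "name": "example-app", "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library",
         "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "supplier": {"name": "Example Upstream Org (constructed)"}},
        {"bom-ref": "urllib3", "type": "library", "name": "urllib3",
         "purl": "pkg:pypi/urllib3"},
        {"type": "library", "name": "vendored-helper"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["urllib3"]},
    ],
})


if __name__ == "__main__":
    result = check_min_elements(load_cyclonedx(SAMPLE_SBOM_JSON))
    for element in NTIA_MIN_ELEMENTS:
        status = "OK  " if not result[element] else "FAIL"
        print(f"{status} {element}: {', '.join(result[element]) or '-'}")
    print("All seven NTIA minimum elements met:", is_ntia_compliant(result))
```

Run as a script, the checker flags the constructed SBOM as non-compliant on four of the seven elements (version, supplier, unique identifiers and dependency relationship), which is the per-element granularity a reader needs to see where an SBOM falls short rather than only that it does; the same report structure extends naturally to the best-practice checks the package lists (hashes, licenses, lifecycle phase, VEX) by adding further keys.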
Provided by:
Rabbi, Md Fazle
Created:
2025-12-30