Why can I not know if what is running matches what my SBOM declared?
Opportunity
SBOMs are generated at build time and describe what a build claimed to contain. By the time software is deployed and running, dependencies may have drifted, statically linked libraries leave no runtime trace, and there is no standard primitive to verify that a live process matches its declared bill of materials. IBM's 2025 analysis of over 35,000 SBOMs found 7,907 failed to disclose direct dependencies, and ENISA's December 2025 implementation guide calls runtime drift one of the core open gaps. The gap between a signed SBOM and a running container is currently bridged by trust alone.
Why it matters
Regulations in the EU and US now mandate SBOMs, but without runtime attestation they are an audit artifact, not a security control.
機会をどう評価するか
The Opportunity Score is my own read, not a measurement: how much it hurts, how often it bites, and how little exists to solve it today. Higher means I think it is more worth building.
How much pain it causes when it shows up.
How often people actually run into it.
How little good tooling exists for it today.
解決する価値のある問題をもっと見る
最も依存しているソフトウェアが、最も使いにくいのはなぜか?
Techなぜ自分が生み出したデータを、自分はまだ何も所有していないのか?
Techデータが実際に削除されたことを証明するレシートを、なぜ受け取ることができないのか?
TechWhy does every C2PA provenance chain break the moment content hits social media?
TechWhy does critical open source software still depend on one exhausted maintainer?
TechWhy is there no recovery path when a breach leaks my biometrics?