Why can I not know if what is running matches what my SBOM declared?
Opportunity
SBOMs are generated at build time and describe what a build claimed to contain. By the time software is deployed and running, dependencies may have drifted, statically linked libraries leave no runtime trace, and there is no standard primitive to verify that a live process matches its declared bill of materials. IBM's 2025 analysis of over 35,000 SBOMs found 7,907 failed to disclose direct dependencies, and ENISA's December 2025 implementation guide calls runtime drift one of the core open gaps. The gap between a signed SBOM and a running container is currently bridged by trust alone.
Why it matters
Regulations in the EU and US now mandate SBOMs, but without runtime attestation they are an audit artifact, not a security control.
我如何评估机会
The Opportunity Score is my own read, not a measurement: how much it hurts, how often it bites, and how little exists to solve it today. Higher means I think it is more worth building.
How much pain it causes when it shows up.
How often people actually run into it.
How little good tooling exists for it today.
更多值得解决的问题
为什么我们最依赖的软件往往是最难用的?
Tech为什么我生成的数据,我却至今毫无所有权?
Tech为什么我无法获得证明我的数据已被实际删除的凭证?
TechWhy does every C2PA provenance chain break the moment content hits social media?
TechWhy does critical open source software still depend on one exhausted maintainer?
TechWhy is there no recovery path when a breach leaks my biometrics?