ISSTA2025
LiPSBOMaker: A Prototype of Multi-Stage Linux Distribution Package SBOM Generator
Tong Qiu, Jiaxin Zhu, Wei Chen, Jun Wei
Cited 2 times
Abstract
Modern software development often relies on third-party libraries and frameworks to enhance productivity and reduce costs, leading to the emergence of software supply chains and the increasing visibility of their potential risks. To enhance traceability and transparency in the software supply chain and mitigate associated risks, the concept of a Software Bill of Materials (SBOM) has been introduced. While extensive research has been conducted on SBOMs within programming language ecosystems, studies focusing on Linux distributions remain limited. Given the fundamental role and inherent complexity of Linux distributions, generating high-quality SBOMs for them is both critical and challenging. To address this issue, this paper presents a two-phase study: 1) We analyze the characteristics of Linux distribution packages and propose a multi-stage SBOM model. 2) Based on this model, we design and implement a tool for generating SBOMs for Linux distribution packages. The evaluation results imply that our approach outperforms the state-of-the-art SBOM generation tool.