SBOMs into Agentic AIBOMs: Schema Extensions, Agentic Orchestration, and Reproducibility Evaluation

📝 Paper Summary

Software Supply Chain Security Agentic AI for Cybersecurity

This paper extends static Software Bills of Materials (SBOMs) into active Agentic AIBOMs using three autonomous agents to capture runtime dependencies and reason about vulnerability exploitability in context.

Core Problem

Conventional SBOMs are passive, static inventories that fail to capture environment drift, runtime behaviors (like dynamic loading), or the actual exploitability context of dependencies.

Why it matters:

95% of vulnerabilities in SBOMs are not exploitable in the specific product, but current tools cannot distinguish presence from exploitability, wasting security resources
Static inventories cannot detect 'drift' where the running environment diverges from the documented state, invalidating reproducibility in high-assurance analytic workflows

Concrete Example: A statistical library like `sdcMicro` might be present in a container, triggering a 'Critical' vulnerability alert. However, if the specific vulnerable function is never called during execution or is mitigated by sandbox settings, a static SBOM still blocks the workflow, whereas an agentic system would flag it as 'Not Affected'.

Key Novelty

Agentic AIBOM Framework

Decomposes provenance tracking into three autonomous agents: one for baseline environment reconstruction, one for runtime drift monitoring, and one for policy-aware vulnerability reasoning
Integrates ISO/IEC 20153:2025 (CSAF) semantics directly into the provenance artifact, allowing the system to output structured 'Not Affected' or 'Mitigated' assertions based on runtime evidence

Evaluation Highlights

Removing the baseline agent (MCP) increased the False Negative Rate (FNR) of dependency capture by 14% compared to the full agentic pipeline
Demonstrates high reproducibility fidelity, maintaining semantic parity in statistical outputs within ε=1e-12 for deterministic routines

Breakthrough Assessment

7/10

Significant architectural advance in moving SBOMs from static lists to active, reasoning artifacts. The application of agentic principles to compliance and VEX is novel, though the evaluation is focused on specific analytic workflows.

⚙️ Technical Details

Problem Definition

Setting: Secure and reproducible execution of regulated analytic workflows (e.g., in Trusted Research Environments)

Inputs: Containerized software environment, execution scripts, security policies, CSAF (Common Security Advisory Framework) feeds

Outputs: Agentic AIBOM artifact containing runtime dependency graph, drift logs, and contextual VEX (Vulnerability Exploitability eXchange) assertions

Pipeline Flow

Group: Capture & Monitor: MCP (Pre-execution) → A2A (Runtime)
Group: Reasoning: A2A (Telemetry) → AGNTCY (Policy Logic)
Output Generation: AGNTCY → Structured AIBOM/VEX Artifact

System Modules

MCP (Capture & Monitor)

Reconstructs baseline environment and determines if pre-execution SBOM is complete

Model or implementation: Policy-constrained decision module (non-learning based)

A2A (Capture & Monitor)

Monitors runtime execution for drift and dynamic dependency loading

Model or implementation: Policy-constrained decision module (non-learning based)

AGNTCY

Generates VEX assertions based on runtime evidence and security policy

Model or implementation: Policy-constrained decision module (non-learning based)

Novel Architectural Elements

Three-agent architecture strictly separating baseline capture (MCP), runtime monitoring (A2A), and policy reasoning (AGNTCY)
Integration of CSAF v2.0 semantics into the agent decision output loop for standardized exploitability assertions

Comparison to Prior Work

vs. ReproZip: AIBOM adds semantic VEX assertions and active drift detection during runtime
vs. Dependency-Track [not cited in paper]: AIBOM provides runtime-contextualized assertions rather than just static inventory analysis

Limitations

Full policy-gated enforcement (blocking execution based on VEX) is scoped as future work
Evaluation is limited to controlled analytic environments (TREs), not general-purpose software
Does not yet implement end-to-end ingestion of vendor-issued CSAF advisories

Reproducibility

The paper benchmarks using standard tools (ReproZip, SciUnit) but the specific Agentic AIBOM orchestration pipeline code availability is marked as 'not provided' in the text, though it references integrating schemas into open-source data.

📊 Experiments & Results

Evaluation Setup

Regulated analytic workflows (SACRO) running on 16-core, 64GB RAM nodes

Benchmarks:

SACRO Analysis Sessions (Statistical analysis and disclosure control) [New]

Metrics:

False Negative Rate (FNR) of dependency capture
False Positive Rate (FPR)
Semantic Parity (reproducibility tolerance ε)
Statistical methodology: Descriptive statistics of SBOM characteristics; Ablation studies

Key Results

Benchmark	Metric	Baseline	This Paper	Δ
SACRO Analysis Sessions	False Negative Rate (FNR)	0	14	+14

Main Takeaways

Agentic orchestration significantly improves runtime dependency capture compared to static methods, with ablation showing the necessity of the pre-execution agent (MCP) to avoid missing dependencies.
The system maintains reproducibility with high fidelity, distinguishing between benign drift (semantic parity) and critical policy failures.
Contextual VEX reasoning allows for 'Not Affected' or 'Mitigated' assertions based on runtime evidence, reducing the noise of non-exploitable vulnerabilities common in static SBOMs.

📚 Prerequisite Knowledge

Prerequisites

Software Bill of Materials (SBOM) standards (CycloneDX, SPDX)
Vulnerability management standards (CSAF, VEX)
Container orchestration (Docker, Singularity)
Agentic AI architectures

Key Terms

_comment: REQUIRED: Define ALL technical terms, acronyms, and method names used ANYWHERE in the entire summary. After drafting the summary, perform a MANDATORY POST-DRAFT SCAN: check every section individually (Core.one_sentence_thesis, evaluation_highlights, core_problem, Technical_details, Experiments.key_results notes, Figures descriptions and key_insights). HIGH-VISIBILITY RULE: Terms appearing in one_sentence_thesis, evaluation_highlights, or figure key_insights MUST be defined—these are the first things readers see. COMMONLY MISSED: PPO, DPO, MARL, dense retrieval, silver labels, cosine schedule, clipped surrogate objective, Top-k, greedy decoding, beam search, logit, ViT, CLIP, Pareto improvement, BLEU, ROUGE, perplexity, attention heads, parameter sharing, warm start, convex combination, sawtooth profile, length-normalized attention ratio, NTP. If in doubt, define it.

SBOM: Software Bill of Materials—a nested inventory of software components and dependencies

AIBOM: Artificial Intelligence Bill of Materials—an extension of SBOMs incorporating AI reasoning and runtime context

VEX: Vulnerability Exploitability eXchange—a standard for stating whether a vulnerability is actually exploitable in a specific product

CSAF: Common Security Advisory Framework—a standard (ISO/IEC 20153:2025) for machine-readable security advisories

MCP: Baseline Environment Reconstruction Agent—responsible for pre-execution capture and completeness checks

A2A: Runtime Dependency and Drift-Monitoring Agent—monitors live telemetry for dynamic imports

AGNTCY: Policy-Aware Vulnerability Reasoning Agent—maps evidence to VEX assertions

TRE: Trusted Research Environment—a secure computing environment for analyzing sensitive data

FNR: False Negative Rate—the proportion of actual dependencies or vulnerabilities missed by the system

FPR: False Positive Rate—the proportion of dependencies incorrectly identified as present

Semantic Parity: Reproducibility where outputs are functionally equivalent within a tolerance (ε) rather than byte-identical

Drift: Unintended changes in the software environment (e.g., version updates) between executions