🤖 AI Summary
SBOMs have limited practical value for software supply chain security because of inaccuracies in their generation and high false-positive rates in vulnerability scanning: downstream scanners report a 97.5% false positive rate, driven primarily by vulnerabilities flagged in unreachable code. To address this, we propose a two-stage SBOM enhancement method, validated across 2,414 open-source repositories. First, we use authoritative package manager lock files to generate high-fidelity SBOMs. Second, we integrate function-level call graph analysis to identify and filter vulnerability alerts associated with unreachable execution paths. Our approach substantially improves the operational utility of vulnerability reports, eliminating 63.3% of false positives and mitigating developer alert fatigue. The core contribution is the first combined use of lock-file fidelity and fine-grained call-context analysis for SBOM-driven vulnerability management, establishing a reproducible, low-noise, high-confidence paradigm for automated vulnerability remediation.
📝 Abstract
The Software Bill of Materials (SBOM) is a critical tool for securing the software supply chain (SSC), but its practical utility is undermined by inaccuracies in both its generation and its application in vulnerability scanning. This paper presents a large-scale empirical study on 2,414 open-source repositories to address these issues from a practical standpoint. First, we demonstrate that using lock files with strong package managers enables the generation of accurate and consistent SBOMs, establishing a reliable foundation for security analysis. Using this high-fidelity foundation, however, we expose a more fundamental flaw in practice: downstream vulnerability scanners produce a staggering 97.5% false positive rate. We pinpoint the primary cause as the flagging of vulnerabilities within unreachable code. We then demonstrate that function call analysis can effectively prune 63.3% of these false alarms. Our work validates a practical, two-stage approach for SSC security: first, generate an accurate SBOM using lock files and strong package managers, and second, enrich it with function call analysis to produce actionable, low-noise vulnerability reports that alleviate developers' alert fatigue.
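The two-stage approach described above, as an added illustration that is not code from the paper or its artifact: stage one resolves exact pinned versions from a lock file into SBOM components, stage two matches those components against advisories and then keeps only the alerts whose vulnerable function is reachable from the application's entry points. The lock file, advisory entries (with placeholder IDs) and call graph are all constructed here; the `packages` map follows the shape of an npm `package-lock.json` (lockfileVersion 2/3), and advisories list exact affected versions rather than semver ranges to keep the matching simple.

```python
"""Two-stage SBOM pipeline sketch (illustrative, not the paper's tooling):
lock file -> exact component versions -> advisory matching -> reachability pruning."""
import json
from collections import deque

# Stage 1 input: constructed npm-style lock file using the lockfileVersion 3 "packages" map.
LOCK_FILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"left-util": "^2.1.0", "date-fmt": "^1.0.0"}},
        "node_modules/left-util": {"version": "2.1.3"},
        "node_modules/date-fmt": {"version": "1.0.2"},
        # Nested install: a transitive dependency that only date-fmt pulls in.
        "node_modules/date-fmt/node_modules/tiny-parse": {"version": "0.3.0"},
    },
})

# Constructed advisory feed; IDs are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "left-util", "affected_versions": ["2.1.3"],
     "vulnerable_functions": ["left-util.padEnd"]},
    {"id": "ADV-PLACEHOLDER-2", "package": "tiny-parse", "affected_versions": ["0.3.0"],
     "vulnerable_functions": ["tiny-parse.parseLoose"]},
    {"id": "ADV-PLACEHOLDER-3", "package": "date-fmt", "affected_versions": ["1.0.2"],
     "vulnerable_functions": ["date-fmt.formatUnsafe"]},
]

# Constructed function-level call graph: caller -> list of callees.
CALL_GRAPH = {
    "app.main": ["app.render", "date-fmt.format"],
    "app.render": ["left-util.padEnd"],
    "date-fmt.format": ["tiny-parse.parseStrict"],
    "date-fmt.formatUnsafe": ["tiny-parse.parseLoose"],  # exported but never called by the app
    "tiny-parse.parseStrict": [],
    "tiny-parse.parseLoose": [],
    "left-util.padEnd": [],
}


def sbom_from_lock(lock_text):
    """Stage 1: turn the lock file's resolved versions into CycloneDX-style components.
    Every installed path except the root project becomes one component with a purl."""
    lock = json.loads(lock_text)
    components = []
    for path, meta in lock["packages"].items():
        if path == "":
            continue  # "" is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # last segment handles nested installs
        version = meta["version"]
        components.append({"name": name, "version": version,
                           "purl": f"pkg:npm/{name}@{version}"})
    return sorted(components, key=lambda c: c["purl"])


def raw_alerts(components, advisories):
    """Stage 2a: component-level matching, i.e. what a plain SBOM scanner would report."""
    installed = {c["name"]: c["version"] for c in components}
    return [a for a in advisories
            if a["package"] in installed and installed[a["package"]] in a["affected_versions"]]


def reachable_functions(call_graph, entry_points):
    """Breadth-first traversal of the call graph from the application's entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def prune_unreachable(alerts, call_graph, entry_points):
    """Stage 2b: keep an alert only if one of its vulnerable functions is reachable."""
    reach = reachable_functions(call_graph, entry_points)
    kept, pruned = [], []
    for alert in alerts:
        target = kept if any(f in reach for f in alert["vulnerable_functions"]) else pruned
        target.append(alert)
    return kept, pruned


def run_pipeline(lock_text=LOCK_FILE, advisories=ADVISORIES,
                 call_graph=CALL_GRAPH, entry_points=("app.main",)):
    """Run both stages and return a summary of components, raw and filtered alerts."""
    components = sbom_from_lock(lock_text)
    alerts = raw_alerts(components, advisories)
    kept, pruned = prune_unreachable(alerts, call_graph, list(entry_points))
    return {"components": [c["purl"] for c in components],
            "raw_alerts": [a["id"] for a in alerts],
            "actionable": [a["id"] for a in kept],
            "pruned": [a["id"] for a in pruned]}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

On this constructed input all three advisories match at the component level, but only the `left-util.padEnd` alert survives pruning, because the vulnerable functions in `date-fmt` and `tiny-parse` are never called from `app.main`. The pruning is only as trustworthy as the call graph: edges introduced by dynamic dispatch, reflection or eval-style loading that the graph does not capture would make an unreachable verdict unsafe, so an incomplete call graph should cause an alert to be kept rather than dropped.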