SBOM Toolchains Can Skew Vulnerability Results by 5,000+ CVEs
Why SBOM generator choice materially impacts vulnerability detection accuracy in DevSecOps pipelines
A 2024 study analyzing 2,313 Docker images found that changing only the SBOM generator — while keeping the container and analyzer constant — altered vulnerability results by up to 5,456 CVEs.
Same-vendor toolchains reported more findings than mixed stacks. Certain combinations produced near-zero results. Approximately 43.7% of images triggered tool proce…
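The mechanism behind the swing described above is component coverage: an analyzer can only match CVEs against packages that the SBOM actually lists, so a generator that misses an ecosystem (language packages inside an OS image, say) silently drops every finding attached to those packages. The following Python is an added example, not code from the study or from any SBOM tool. It takes two constructed, CycloneDX-shaped SBOMs for the same image, normalises package URLs (one generator emits qualifiers such as `?arch=`, the other does not), reports which components each generator alone saw, and counts how many findings from a constructed vulnerability map are reachable through each SBOM. The CVE identifiers are placeholders, and the SBOM contents are invented for illustration.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample SBOMs (CycloneDX-shaped, trimmed to the fields used
# here). Illustrative only; not output from any real generator.
SBOM_GEN_A = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        # generator A adds purl qualifiers (arch/distro)
        {"name": "openssl",
         "purl": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=amd64&distro=debian-11"},
        {"name": "requests", "purl": "pkg:pypi/requests@2.25.1"},
        {"name": "lodash", "purl": "pkg:npm/lodash@4.17.20"},
    ],
})
SBOM_GEN_B = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        # generator B walks the OS package database only, so the pip and
        # npm packages installed into the image never appear
        {"name": "openssl", "purl": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3"},
    ],
})

# Constructed analyzer output: findings keyed by normalised purl. The CVE
# ids are placeholders, not real identifiers.
FINDINGS: Dict[str, List[str]] = {
    "pkg:deb/debian/openssl@1.1.1n-0+deb11u3": ["CVE-EXAMPLE-0001"],
    "pkg:pypi/requests@2.25.1": ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"],
    "pkg:npm/lodash@4.17.20": ["CVE-EXAMPLE-0004"],
}


def normalize_purl(purl: str) -> str:
    """Strip qualifiers (?...) and subpath (#...) so the same package from
    two generators compares equal even when one adds arch/distro detail."""
    return purl.split("?", 1)[0].split("#", 1)[0].strip()


def load_purls(sbom_json: str) -> Set[str]:
    """Return the set of normalised package URLs listed in a CycloneDX-shaped SBOM."""
    doc = json.loads(sbom_json)
    purls: Set[str] = set()
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if purl:  # components without a purl cannot be matched to advisories
            purls.add(normalize_purl(purl))
    return purls


def coverage_gap(purls_a: Set[str], purls_b: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Components seen only by generator A, and only by generator B."""
    return purls_a - purls_b, purls_b - purls_a


def findings_delta(sbom_a: str, sbom_b: str,
                   findings: Dict[str, List[str]]) -> Dict[str, object]:
    """Hold the image and analyzer output constant, vary the SBOM, and
    report how many findings each SBOM lets the analyzer reach."""
    a, b = load_purls(sbom_a), load_purls(sbom_b)
    cves_a = {cve for p in a for cve in findings.get(p, [])}
    cves_b = {cve for p in b for cve in findings.get(p, [])}
    return {
        "components_a": len(a),
        "components_b": len(b),
        "cves_a": len(cves_a),
        "cves_b": len(cves_b),
        "delta": len(cves_a ^ cves_b),      # findings that flip with the generator
        "missed_by_b": sorted(cves_a - cves_b),
        "missed_by_a": sorted(cves_b - cves_a),
    }


if __name__ == "__main__":
    only_a, only_b = coverage_gap(load_purls(SBOM_GEN_A), load_purls(SBOM_GEN_B))
    print("only generator A saw:", sorted(only_a))
    print("only generator B saw:", sorted(only_b))
    print(json.dumps(findings_delta(SBOM_GEN_A, SBOM_GEN_B, FINDINGS), indent=2))
```

Running a check like this against two or more generators before trusting a single scan result is the practical takeaway: a large `delta` with an empty `only_b` set means the second generator is not wrong about what it lists, it simply never enumerated whole ecosystems, which is exactly how a toolchain can report near-zero findings on an image that another toolchain flags heavily.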