
Comment by Khaine

7 hours ago

SBOMs are a solution intended to help solve a couple of problems:

1) help identify and remediate software that has been built with vulnerable packages (think log4j).

2) help protect against supply chain compromise, as the SBOM contains hashes that allow packages to be verified.

You forgot about the important one: SBOMs are created with the thought of sharing them with third parties like your customers; lock files are not.

  • That's an important point. You can't tell if the software you use is vulnerable to something like log4j without the vendor telling you, or doing lots of manual investigation.

    SBOMs are supposed to help with software composition analysis. Basically, you as an enterprise have an inventory of what software you use, and their SBOMs (i.e. dependencies). I can then use this to automatically check which software is impacted by severe vulnerabilities when they are announced.
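As an added example (not code from anyone in the thread), the following Python shows both uses the comments describe: checking an inventory of vendor-supplied SBOMs against an advisory's affected version range, and verifying a delivered artifact against the hash the SBOM recorded. The SBOM entries, hashes and advisory range are constructed for the example, not real vendor documents.

```python
import hashlib
import re

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed CycloneDX-style SBOMs, one per product the enterprise runs.
# Hashes are over placeholder bytes so the example runs offline.
INVENTORY = {
    "billing-app": {"bomFormat": "CycloneDX", "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "hashes": [{"alg": "SHA-256", "content": _sha256(b"log4j-core-2.14.1.jar placeholder")}]},
    ]},
    "reporting-app": {"bomFormat": "CycloneDX", "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "hashes": [{"alg": "SHA-256", "content": _sha256(b"log4j-core-2.17.1.jar placeholder")}]},
        {"group": "com.example", "name": "widget", "version": "1.3.0", "hashes": []},
    ]},
}

# Constructed advisory: affected versions form the half-open range [introduced, fixed).
ADVISORY = {"group": "org.apache.logging.log4j", "name": "log4j-core",
            "introduced": "2.0", "fixed": "2.15.0"}

def parse_version(v: str) -> tuple:
    """Dotted version -> tuple of ints; only each part's leading digits are compared."""
    out = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        out.append(int(m.group()) if m else 0)
    return tuple(out)

def is_affected(component: dict, advisory: dict) -> bool:
    """True when the component is the advisory's package and its version is in range."""
    if (component.get("group"), component.get("name")) != (advisory["group"], advisory["name"]):
        return False
    v = parse_version(component["version"])
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def find_affected(inventory: dict, advisory: dict) -> list:
    """Return (product, group:name, version) for every SBOM entry the advisory covers."""
    hits = []
    for product, sbom in inventory.items():
        for c in sbom["components"]:
            if is_affected(c, advisory):
                hits.append((product, f"{c['group']}:{c['name']}", c["version"]))
    return hits

def verify_hash(component: dict, artifact: bytes) -> bool:
    """Check a delivered artifact against the SHA-256 the SBOM recorded; no hash means no trust."""
    recorded = [h["content"] for h in component.get("hashes", []) if h["alg"] == "SHA-256"]
    return bool(recorded) and _sha256(artifact) in recorded
```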