Comment by mrweasel

2 months ago

This might not be part of HL7, but I recall working on software for a healthcare product, and simply having a list of components wasn't enough. Each component had to be accompanied by a risk assessment. It's a really clever way of keeping your dependency count low.

How does that work for high complexity dependencies like compression or cryptography? If HL7 wouldn't catch xzutils, is it really adding anything?

  • In the case of something like xzutils, you would perhaps have listed it as low risk, as it's shipped with your OS. After the backdoor incident, you'd have adjusted the risk assessment, and utilities like it. Once you hit a certain level you might question if you truly need the entire xzutils package or if you could replace it.

    In other cases you might have a library you depend on, but it's no longer maintained, so it might score really high on risk, meaning that you should probably address that dependency in your next development cycle.

    So the SBOM and risk assessment wouldn't necessarily catch vulnerabilities, but it makes it simple to check if you're affected and generally helps you manage/reduce your attack surface.
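As an added illustration of the workflow the replies above describe (this is example code, not from any commenter and not from HL7 or any real product), the script below pairs a constructed CycloneDX-style SBOM with a per-component risk assessment. It does the two things mentioned: checks whether a newly announced bad release is present in the bill of materials, and recomputes risk after the incident so that components over a threshold get queued for the next development cycle. The SBOM, the assessment fields and weights, and the advisory record (written in OSV-style introduced/fixed form, with the upper bound assumed) are all constructed for this example.

```python
import json
from typing import Dict, List, Tuple

# Constructed, minimal CycloneDX-style SBOM (not from a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "xz",      "version": "5.6.1",  "purl": "pkg:generic/xz@5.6.1"},
    {"name": "zlib",    "version": "1.3.1",  "purl": "pkg:generic/zlib@1.3.1"},
    {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
    {"name": "oldjson", "version": "0.4.2",  "purl": "pkg:generic/oldjson@0.4.2"}
  ]
}
"""

# Assumed per-component risk assessment, keyed by purl. The field names and
# the weights below are this example's own convention, not an HL7 or
# CycloneDX one. "oldjson" stands in for an unmaintained library.
RISK_ASSESSMENT: Dict[str, dict] = {
    "pkg:generic/xz@5.6.1":       {"complexity": "high",   "maintained": True,  "shipped_with_os": True,  "incidents": 0},
    "pkg:generic/zlib@1.3.1":     {"complexity": "high",   "maintained": True,  "shipped_with_os": True,  "incidents": 0},
    "pkg:generic/openssl@3.0.13": {"complexity": "high",   "maintained": True,  "shipped_with_os": True,  "incidents": 0},
    "pkg:generic/oldjson@0.4.2":  {"complexity": "medium", "maintained": False, "shipped_with_os": False, "incidents": 0},
}

COMPLEXITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


def load_components(sbom_json: str) -> Dict[str, dict]:
    """Return {purl: component} from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_json)
    return {c["purl"]: c for c in doc["components"]}


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.6.1' -> (5, 6, 1). Non-numeric suffixes in a part are dropped."""
    parts = []
    for p in v.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def risk_score(assessment: dict) -> int:
    """Assumed scoring: complexity baseline, +3 if unmaintained, +2 per
    known incident, -1 if the OS vendor ships and patches it for you."""
    score = COMPLEXITY_WEIGHT[assessment["complexity"]]
    if not assessment["maintained"]:
        score += 3
    score += 2 * assessment["incidents"]
    if assessment["shipped_with_os"]:
        score -= 1
    return max(score, 0)


def affected_components(components: Dict[str, dict], advisory: dict) -> List[str]:
    """purls whose name matches the advisory and whose version lies in
    [introduced, fixed), the OSV-style half-open range."""
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"])
    return [
        purl for purl, c in components.items()
        if c["name"] == advisory["name"] and lo <= parse_version(c["version"]) < hi
    ]


def record_incident(assessment: Dict[str, dict], purl: str) -> int:
    """Bump the incident count for a component after an event like the xz
    backdoor and return its recomputed risk score."""
    assessment[purl]["incidents"] += 1
    return risk_score(assessment[purl])


def over_threshold(components: Dict[str, dict], assessment: Dict[str, dict], threshold: int) -> List[str]:
    """purls whose score meets or exceeds the threshold. A component with no
    assessment at all is reported too: an unassessed dependency is a gap."""
    out = []
    for purl in components:
        a = assessment.get(purl)
        if a is None or risk_score(a) >= threshold:
            out.append(purl)
    return sorted(out)


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    # Constructed advisory record; the "fixed" bound is assumed for the example.
    advisory = {"name": "xz", "introduced": "5.6.0", "fixed": "5.6.2"}
    hits = affected_components(comps, advisory)
    print("affected by advisory:", hits)
    for purl in hits:
        print(purl, "risk after incident:", record_incident(RISK_ASSESSMENT, purl))
    print("review next cycle:", over_threshold(comps, RISK_ASSESSMENT, 4))
```

With the weights above, xz starts at a score of 2 (high complexity, but shipped and patched by the OS) and rises to 4 once the incident is recorded, which puts it next to the unmaintained library in the review queue. The point is not the particular numbers but that the "are we affected?" check is a lookup against the bill of materials, and the "should we still depend on this?" question is driven by a score you revisit rather than by a vulnerability scan.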