When we talk about security in the software supply chain and third-party software management, it is key that the tools you use report the vulnerabilities in an application's components, both the known ones and any the tool itself surfaces, together with how exploitable each vulnerable component actually is in your application. Absent that, all you have is a list of SBOM parts with little to act on.
Typically, you don't want to mix security information into the SBOM itself, because that information is too dynamic: new advisories land and exploitability assessments change while the software stays exactly the same. The SBOM should hold the composition and licensing information, which is fixed for a given version of your application, and a separate document should hold a dated snapshot of the security state that cross-references the components in the bill of materials by a stable identifier such as a package URL. There are two approaches to producing that snapshot, both provided in the current release of SBOM Insights.
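As an added illustration of the separation described above (this is example code written for this page, not the article's own code and not how SBOM Insights or any other product implements it), here is a small SBOM kept free of security data, a separate security snapshot that refers back to it by package URL, and a join that turns the pair into an actionable list. The document shapes, field names and finding identifiers (EXAMPLE-0001 and so on) are constructed for the example and only loosely resemble CycloneDX and VEX; they are not a real schema.

```python
"""Added example: join a separate security snapshot onto an SBOM it references.

The SBOM, the snapshot, their field names and the finding IDs are constructed
for illustration (loosely modelled on CycloneDX and VEX) and are assumptions,
not any tool's real format.
"""
import json

# Constructed sample SBOM: composition and licence data only, keyed by purl.
SBOM_JSON = """
{
  "bomFormat": "sbom-example",
  "version": "app 1.4.0",
  "components": [
    {"purl": "pkg:npm/lodash@4.17.20", "license": "MIT"},
    {"purl": "pkg:pypi/requests@2.25.1", "license": "Apache-2.0"},
    {"purl": "pkg:maven/org.example/util@3.1", "license": "BSD-3-Clause"}
  ]
}
"""

# Constructed sample security snapshot, produced separately and dated, that
# names SBOM components by purl rather than restating their composition data.
SNAPSHOT_JSON = """
{
  "snapshotOf": "app 1.4.0",
  "timestamp": "2024-01-15T00:00:00Z",
  "findings": [
    {"purl": "pkg:npm/lodash@4.17.20", "id": "EXAMPLE-0001",
     "severity": "high", "status": "affected"},
    {"purl": "pkg:pypi/requests@2.25.1", "id": "EXAMPLE-0002",
     "severity": "medium", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"purl": "pkg:npm/left-pad@1.3.0", "id": "EXAMPLE-0003",
     "severity": "low", "status": "affected"}
  ]
}
"""


def load_sbom(text: str) -> dict:
    """Parse the SBOM and index its components by purl, the cross-reference key."""
    bom = json.loads(text)
    return {"version": bom["version"],
            "components": {c["purl"]: c for c in bom["components"]}}


def triage(sbom: dict, snapshot: dict) -> dict:
    """Join a security snapshot onto the SBOM it claims to describe.

    Returns three lists: actionable findings (component present in the SBOM and
    assessed 'affected'), suppressed findings (present but assessed not affected)
    and unmatched purls (named by the snapshot but absent from the SBOM), which
    signal that the two documents have drifted apart and the snapshot is stale.
    """
    # A snapshot is only meaningful against the exact SBOM version it was taken
    # for; refuse to join otherwise rather than report on the wrong build.
    if snapshot["snapshotOf"] != sbom["version"]:
        raise ValueError(
            f"snapshot is for {snapshot['snapshotOf']!r}, SBOM is {sbom['version']!r}")

    actionable, suppressed, unmatched = [], [], []
    for finding in snapshot["findings"]:
        component = sbom["components"].get(finding["purl"])
        if component is None:
            unmatched.append(finding["purl"])
        elif finding["status"] == "affected":
            # Carry the licence across so the output is self-describing.
            actionable.append({**finding, "license": component["license"]})
        else:
            suppressed.append(finding["id"])

    # Most severe first, so the list can be worked top-down.
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    actionable.sort(key=lambda f: rank.get(f["severity"], len(rank)))
    return {"actionable": actionable, "suppressed": suppressed, "unmatched": unmatched}


def triage_constructed_sample() -> dict:
    """Run the join over the constructed SBOM and snapshot above."""
    return triage(load_sbom(SBOM_JSON), json.loads(SNAPSHOT_JSON))


if __name__ == "__main__":
    print(json.dumps(triage_constructed_sample(), indent=2))
```

On the constructed input, only EXAMPLE-0001 is actionable: EXAMPLE-0002 is recorded but suppressed by its exploitability assessment, and EXAMPLE-0003 points at a component the SBOM does not contain, which is the kind of drift a separate, dated snapshot makes visible. Because the snapshot carries only references, it can be regenerated as often as advisories change without touching the SBOM for that version.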