SBOM documents without linking to vulnerabilities are ineffective, Google says


The National Institute of Standards and Technology (NIST) and other US agencies are actively promoting the Software Bill of Materials (SBOM) as a way to reduce software supply chain risk for consumers.

An SBOM is a detailed inventory of the components, modules and libraries that went into a software product. However, according to the Google Open Source Security Team, an SBOM document on its own is not an effective risk-assessment tool; it becomes useful only when cross-referenced with databases of known vulnerabilities.

“By combining these two sources of information, consumers will know not only what their software consists of, but also about the risks associated with it and whether any measures are required to eliminate them,” experts say.

Google's analysts described how they matched the Kubernetes SBOM against the Open Source Vulnerabilities (OSV) database. OSV provides both a standardized format for mapping across multiple databases, including the GitHub Advisory Database (GHSA) and the Global Security Database (GSD), and aggregated data from a variety of ecosystems, from Python and Go to Rust.

To make it easier for security teams to see the whole risk picture, Google recommends that SBOM producers identify every package in the supply chain using a standard naming scheme such as Package URL (purl). Such an identifier encodes the ecosystem together with the package name and version, which simplifies matching packages against vulnerability databases.
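The matching the two paragraphs above describe, as an added example written for this page rather than Google's or the OSV project's own tooling: parse the purls out of a CycloneDX SBOM, build the request body the OSV `/v1/querybatch` endpoint accepts, and join the positionally aligned results back onto the components. The SBOM fragment and the OSV response are constructed for the example (the vulnerability IDs are placeholders, not real advisories), and the join runs offline; a live run would POST the payload to https://api.osv.dev/v1/querybatch.

```python
"""Join a CycloneDX SBOM with OSV query results, keyed by Package URL.

Example code written for this article, not Google's or OSV's own tooling.
SBOM_JSON and OSV_RESPONSE are constructed test data; the IDs are placeholders.
"""
import json
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.

    Namespace and name are percent-decoded as the purl spec requires (an npm
    scope, for instance, is written %40scope, so the '@' that separates the
    version is always the last unescaped '@').
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")      # subpath comes last
    rest, _, qualifiers = rest.partition("?")   # then qualifiers
    path, sep, version = rest.rpartition("@")   # then version
    if not sep:                                 # no version at all
        path, version = version, ""
    parts = path.split("/")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError(f"purl missing type or name: {purl!r}")
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]),
        "name": unquote(parts[-1]),
        "version": unquote(version),
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def build_osv_querybatch(sbom_json: str):
    """Return (payload, unresolved).

    payload is the body for OSV's /v1/querybatch: one query per component
    that carries a purl, sent as a versionless purl plus an explicit
    'version' field. unresolved lists components without a purl, which
    cannot be matched reliably and must be reported rather than dropped.
    """
    sbom = json.loads(sbom_json)
    queries, unresolved = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unresolved.append(comp.get("name", "<unnamed>"))
            continue
        parsed = parse_purl(purl)
        base = purl.partition("#")[0].partition("?")[0]
        if parsed["version"]:
            base = base.rpartition("@")[0]
        query = {"package": {"purl": base}}
        if parsed["version"]:
            query["version"] = parsed["version"]
        queries.append(query)
    return {"queries": queries}, unresolved


def join_sbom_with_osv(sbom_json: str, osv_response: dict):
    """Attach OSV findings to each queried component.

    querybatch results are positionally aligned with the queries, so the two
    lists are zipped; a length mismatch means the response is not ours.
    A result with no vulnerabilities comes back as an empty object.
    """
    payload, unresolved = build_osv_querybatch(sbom_json)
    results = osv_response.get("results", [])
    if len(results) != len(payload["queries"]):
        raise ValueError("OSV results do not align with the queries sent")
    report = []
    for query, result in zip(payload["queries"], results):
        report.append({
            "purl": query["package"]["purl"],
            "version": query.get("version", ""),
            "vulns": [v["id"] for v in result.get("vulns") or []],
        })
    return report, unresolved


# Constructed CycloneDX fragment (not the Kubernetes SBOM).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "v1.2.3",
         "purl": "pkg:golang/github.com/example/example-lib@v1.2.3"},
        {"type": "library", "name": "demo", "version": "2.0.0",
         "purl": "pkg:pypi/demo@2.0.0"},
        {"type": "library", "name": "no-purl", "version": "0.1"},
    ],
})

# Constructed querybatch response; OSV-EXAMPLE-0001 is a placeholder ID.
OSV_RESPONSE = {"results": [
    {"vulns": [{"id": "OSV-EXAMPLE-0001", "modified": "2023-01-01T00:00:00Z"}]},
    {},
]}

if __name__ == "__main__":
    report, unresolved = join_sbom_with_osv(SBOM_JSON, OSV_RESPONSE)
    print(json.dumps({"report": report, "unresolved": unresolved}, indent=2))
```

The `unresolved` list is the practical point of the purl recommendation: a component that ships only a bare name and version cannot be queried against OSV without guessing its ecosystem, so the join has to surface it as an unknown rather than silently report zero findings.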
