So you got an SBOM from a supplier. Now, what do you do with it?
When you receive an SBOM from a supplier, the first challenge is to identify the components listed in that SBOM and map those components to your own component catalog and your relevant policies. A consistent system for identifying software components (package) is even more critical for managing the risk of software vulnerabilities because vulnerability data is a moving target spread across FOSS projects and repositories.
In this talk at Open Source Summit North America 2023, Philippe will discuss utilizing the emerging open standard for Package-URLs (PURLs) to standardize ingestion of incoming SBOMs and automate applying internal policies. He will then share how to best leverage VulnerableCode, as a public database of open vulnerability data based on PURLs, to track FOSS vulnerabilities and VEXs, all using FOSS tools and open data.