What the &#% Is in That SBOM? How to Provide Users What Software Components Are Included

What do you do with the SBOM received from a supplier?

Managing open source components – especially their licensing and provenance – is a critical part of the Software Composition Analysis (SCA) process. SCA is now a prerequisite for modern organizations to comply with mandated Software Bill of Materials (SBOM) and other regulations. If you receive an SBOM from a supplier, the first challenge is to identify the components listed in that SBOM and map those components to your own component catalog and your relevant policies. A consistent system for identifying software components (package) is even more critical for managing the risk of software vulnerabilities because vulnerability data is a moving target spread across FOSS projects and repositories.

In this talk, Philippe will discuss utilizing the emerging open standard for Package-URLs (PURLs) to standardize ingestion of incoming SBOMs and automate applying internal policies. He will then share how to best leverage VulnerableCode, as a public database of open vulnerability data based on PURLs, to track FOSS vulnerabilities and VEXs, all using FOSS tools and open data.

SPEAKER: Philippe Ombredanne,
nexB co-founder and CTO
Philippe Ombredanne is a passionate FOSS hacker on a mission to make it easier and safer to reuse FOSS code. He is the maintainer of ScanCode, the industry standard license detection tool along with other open source tools for software composition analysis and license and security compliance (aboutcode.org). Philippe contributes to several other projects including the Linux kernel SPDX-ification; the SPDX and ClearlyDefined projects, strace, several Python tools, and previously to JBoss, Eclipse and Mozilla. Philippe is also a long-time Google Summer of Code mentor and org admin. Work-wise, he is the CTO and co-founder of nexB, helping software teams track what’s in their code with DejaCode, an open source governance and compliance dashboard.

Sign up now