| ▲ | ozim 5 hours ago | |
You forgot about the important one SBOMs are created with thought about sharing them with third parties like your customers - lock files not. | ||
| ▲ | Khaine 2 hours ago | parent [-] | |
Thats an important point. You can't tell if the software you use is vulnerable to something like log4j without the vendor telling you, or doing lots of manual investigation. SBOMs are supposed to help with software composition analysis. Basically, you as an enterprise have an inventory of what software you use, and their SBOMs (i.e. dependencies). I can then use this to automatically check which software is impacted by severe vulnerabilities when they are announced. | ||