Google: SBOMs Effective Only if They Map to Known Vulns

SBOMs should be connected with vulnerability databases to fulfill their promise of reducing risk, Google security team says.

Software bills of materials (SBOMs) — a detailed list of components, modules, and libraries used to build products — are being endorsed by the National Institute of Standards and Technology (NIST) and US regulators as a way to drive down supply chain cybersecurity risks for consumers.
But Googles Open Source Security Team points out in a blog post today that
SBOM use
alone isnt an effective tool for assessing exposure. Rather, the documentation should be compared with a database of known vulnerabilities to identify any known software flaws.
By connecting these two sources of information, consumers will know not just whats in ... their software, but also its risks and whether they need to remediate any issues, the team explains.
The Google analysts detail how they were able to map a Kubernetes SBOM document using the Open Source Vulnerabilities (OSV) database. The OSV database offers both a standardized format for comparison across several databases, including the Github Advisory Database (GHSA) and Global Security Database (GSD), as well as aggregated data across multiple ecosystems, ranging from Python and Golang to Rust, according to the post.
Our example queried the OSV database, but we will soon see the same success in mapping SBOM data to other vulnerability databases and even using them with new standards like VEX (Vulnerability-Exploitability eXchange), which provides additional context around whether vulnerabilities in software have been mitigated, the blog states.
To make it easier for security teams to assess the full risk picture, the Google researchers recommend that SBOM creators begin to include a reference using a naming convention like a Purl URL for all packages in the
software supply chain
.
This type of identification scheme both specifies the ecosystem and also makes package identification easier, since the scheme is more resilient to small deviations in package descriptors like the suffix example above, they say.
SBOM Evolution
Steps toward marrying the software components with known flaws will help SBOMs fulfill their intended purpose: to help manage the prospect of cyberattack, the
Google security blog
states.
Continuing on this path of widespread SBOM adoption and tooling refinement, we will hopefully soon be able to not only request and download SBOMs for every piece of software, but also use them to understand the vulnerabilities affecting any software we consume, they said.

Last News
▸ Federal Agencies Cybersecurity Grades. ◂ Discovered: 26/12/2024 Category: security	▸ Black Hat USA 2013, talk on NAND & Windows 8 Secure Boot hacking. ◂ Discovered: 26/12/2024 Category: security	▸ Security Talk: 7 Ways To Grab Users Attention ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Google: SBOMs Effective Only if They Map to Known Vulns