P.5.1 SBOM consumption

Control Details

Objective

Utilize SBOM information to react to security incidents and to identify which components need to be updated or patched.

Definition

Obtain or generate an SBOM for a product that provides a clear and direct link to the dependencies, and their versions, used within that product. Ideally, the SBOM will carry signed metadata from the build process. Tools can automate analysis and extract the desired information from the SBOM, for example by aligning it with vulnerability data to identify vulnerabilities within the exact package contents.
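The alignment of SBOM contents with vulnerability data that this definition describes, with VEX statements applied during triage, as an added example that is not part of this control's source or any particular tool; it assumes a simplified CycloneDX-style SBOM, a constructed vulnerability feed with placeholder identifiers, and plain numeric dotted versions.

```python
import json

# Constructed, simplified CycloneDX-style SBOM (not any real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.25.0", "name": "requests", "version": "2.25.0"},
    {"bom-ref": "pkg:pypi/urllib3@1.26.5", "name": "urllib3", "version": "1.26.5"},
    {"bom-ref": "pkg:pypi/idna@3.4", "name": "idna", "version": "3.4"}
  ]
}"""

# Constructed vulnerability feed with placeholder ids; a package is affected
# when introduced <= version < fixed (half-open range, as most advisories use).
VULN_FEED = [
    {"id": "VULN-EXAMPLE-1", "package": "requests", "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "VULN-EXAMPLE-2", "package": "urllib3", "introduced": "1.0.0", "fixed": "1.26.4"},
    {"id": "VULN-EXAMPLE-3", "package": "idna", "introduced": "3.0", "fixed": "3.5"},
]

# Constructed VEX statements keyed by (vulnerability id, bom-ref); the state
# values mirror CycloneDX analysis.state (e.g. not_affected, in_triage).
VEX = {("VULN-EXAMPLE-3", "pkg:pypi/idna@3.4"): "not_affected"}

def parse_version(v):
    """Numeric dotted versions only; sufficient for the constructed data above."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def consume_sbom(sbom_json, feed, vex):
    """Return (vuln id, bom-ref, state) for each feed match; VEX may downgrade a hit."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for vuln in feed:
            if vuln["package"] != comp["name"]:
                continue
            if not is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                continue  # exact version is outside the affected range
            state = vex.get((vuln["id"], comp["bom-ref"]), "in_triage")
            findings.append((vuln["id"], comp["bom-ref"], state))
    return findings

def patch_list(findings):
    """Components still needing update or patching: every hit not cleared by VEX."""
    return sorted({ref for _, ref, state in findings if state != "not_affected"})

if __name__ == "__main__":
    hits = consume_sbom(SBOM_JSON, VULN_FEED, VEX)
    print(hits)
    print("needs update:", patch_list(hits))
```

urllib3 1.26.5 is skipped because it sits past the fixed version, and idna 3.4 is matched but cleared by its VEX statement, so only requests remains on the patch list.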

Assessment Questions

  1. How are SBOMs checked for information about pending security vulnerabilities?
  2. How do you consume the SBOMs for your components?
  3. Describe your experiences of being aided by information provided by the SBOM.
  4. How do you feel about the assistance provided by tools to help you consume an SBOM?
  5. If not now, do you have plans to consume SBOMs in the future?
  6. How do you consider and trust the VEX information in the SBOM?
  7. What expectations do you put on the component producers for the vulnerabilities identified in the SBOM?

Reference sources

  1. 800-161 SR-4
  2. OWASP-SCVS 5.4
  3. CNCF-SSC M-V: Require SBOMs and VEX statements from third-party suppliers; M-V: Track dependencies between open source components
  4. OSPS OSPS-QA-02