What is a SBOM in cyber security?
- SBOM (Software Bill of Materials) is a detailed inventory of all components, libraries, and dependencies used in a software application, providing visibility into potential security vulnerabilities and licensing issues
SBOM is about vulnerability prevention and management
VEX (Vulnerability Exploitability Exchange) documents are part of SBOM docs or provided separately. They assert the status of a product with respect to a known vulnerability
- it connects the [status] of a [product id] with respect to a [vuln id]
A VEX statement must provide an impact statement or a justification, with possible values (e.g., from 0 to 10)
Does a VEX really matter if the database on which it is based is flawed?
The important questions are:
- is there any vulnerable code in my app?
- can it run in my app context?
- can it be exploited?
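An added example (not part of the original notes) of how a VEX statement connects an SBOM finding to the three questions above: each justification answers one of them with "no", and a not_affected claim that carries no justification is rejected instead of trusted. The purls, vulnerability ids and statements are constructed, and the status/justification vocabulary is assumed to follow OpenVEX.

```python
"""Triage scanner findings against an SBOM with VEX statements. Added example,
not from the original notes; ids, purls and statements are constructed, and the
status/justification vocabulary is assumed to follow OpenVEX."""
from dataclasses import dataclass
from typing import Optional

# A not_affected justification answers one of the three questions with "no".
JUSTIFICATION_ANSWERS = {
    "component_not_present": "is there any vulnerable code in my app?",
    "vulnerable_code_not_present": "is there any vulnerable code in my app?",
    "vulnerable_code_not_in_execute_path": "can it run in my app context?",
    "vulnerable_code_cannot_be_controlled_by_adversary": "can it be exploited?",
    "inline_mitigations_already_exist": "can it be exploited?",
}

@dataclass(frozen=True)
class VexStatement:
    vuln_id: str
    product: str        # purl of the component the statement covers
    status: str         # affected | not_affected | fixed | under_investigation
    justification: Optional[str] = None  # mandatory when status is not_affected

def triage(sbom: set, findings: dict, vex: list) -> dict:
    """findings: vuln id -> purl flagged by a scanner. Returns vuln id -> resolved status."""
    index = {(s.vuln_id, s.product): s for s in vex}
    result = {}
    for vuln_id, purl in findings.items():
        stmt = index.get((vuln_id, purl))
        if purl not in sbom:
            result[vuln_id] = "not_in_sbom"   # scanner hit on a component we do not ship
        elif stmt is None:
            result[vuln_id] = "affected"      # no assertion: treat as vulnerable
        elif stmt.status == "not_affected" and stmt.justification not in JUSTIFICATION_ANSWERS:
            result[vuln_id] = "invalid_vex"   # refuse an unjustified or unknown suppression
        else:
            result[vuln_id] = stmt.status
    return result

def demo() -> dict:
    """Constructed inputs (placeholder vulnerability ids, not real CVEs)."""
    lib_a, lib_b = "pkg:maven/example/lib-a@1.2", "pkg:pypi/example-b@3.0"
    sbom = {lib_a, lib_b}
    findings = {"VULN-0001": lib_a, "VULN-0002": lib_b,
                "VULN-0003": "pkg:npm/example-c@0.9", "VULN-0004": lib_a}
    vex = [VexStatement("VULN-0001", lib_a, "not_affected", "vulnerable_code_not_in_execute_path"),
           VexStatement("VULN-0002", lib_b, "not_affected"),          # no justification given
           VexStatement("VULN-0004", lib_a, "fixed")]
    return triage(sbom, findings, vex)
```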
It is difficult to describe a vulnerability:
- currently we report information about the vulnerable app (which libraries and dependencies does it use?) and the affected code
- an abstract model of the vulnerability is not always available
OSV (Open Source Vulnerabilities): aggregator of vulnerability databases, run by Google
Vulnerability DBs rarely provide function-level details
Fix commits are a good starting point for locating the vulnerable code, but:
- commits are not always very descriptive (no information about the vulnerability being fixed)
- commits often include other, irrelevant modifications to other parts of the code, which create noise
Often, when reporting a vulnerability, reporters claim that “all the previous software versions” were affected, simply because:
- it can be extremely difficult to pinpoint the exact software version in which the vulnerability first appears
Take home messages:
- the links between a vulnerability and the vulnerable code in an app are fragile
- high quality vulnerability databases require significant manual work