Open Source Summit North America 2023

So you got an SBOM from a supplier. Now, what do you do with it? Managing open source components – especially their licensing and provenance – is a critical part of the Software Composition Analysis (SCA) process. SCA is now a prerequisite for modern organizations to comply with mandated Software Bill of Materials (SBOM) and other regulations. If you receive an SBOM from a supplier, the first challenge is to identify the components listed in that SBOM and map those components to your own component catalog and your relevant policies. A consistent system for identifying software components (package) is even more critical for managing the risk of software vulnerabilities because vulnerability data is a moving target spread across FOSS projects and repositories. In this talk, Helio will discuss utilizing the emerging open standard for Package-URLs (PURLs) to standardize ingestion of incoming SBOMs and automate applying internal policies. He will then share how to best leverage VulnerableCode, as a public database of open vulnerability data based on PURLs, to track FOSS vulnerabilities and VEXs, all using FOSS tools and open data.