SBOM, Packaging, and Vulnerabilities
11-09, 19:50–20:10 (UTC), Room 4

Three years of community-oriented software bill of materials (SBOM) work under NTIA has led to (among other things):

  • Framing of a model, architecture, and requirements for SBOMs, data, and processes
  • Formats that satisfy the framing constraints: SPDX, CycloneDX, SWID

To scale, and really to function at all, SBOM production needs to happen during software development phases such as build, packaging, and deployment.

We informally reviewed a handful of package management systems to look for commonality, differences, and alignment with the NTIA SBOM effort. One clearly identified SBOM use case, vulnerability management, stands to benefit from more, and higher-quality, SBOM and inventory data.

What kinds of data does vulnerability management need from SBOM? To what extent do package management systems provide this data? What are the common elements that package management systems already provide?
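As an added illustration (not part of the abstract, and not NTIA or CERT/CC code), the Python below takes constructed package metadata from three ecosystems (a PyPI wheel METADATA, an npm package.json, a dpkg status stanza), maps each onto the NTIA minimum SBOM elements, builds package URLs, and assembles a CycloneDX 1.4-shaped document while reporting which elements the packaging metadata did not supply. The package names, metadata values and helper names are invented for the example.

```python
"""Map package-manager metadata onto NTIA SBOM minimum elements (added example)."""
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

# NTIA minimum elements of an SBOM: supplier, component name, version,
# unique identifier, dependency relationship, SBOM author, timestamp.
NTIA_MINIMUM = ("supplier", "name", "version", "identifier",
                "dependencies", "sbom_author", "timestamp")

# Constructed sample metadata, shaped like what each package manager records.
# None of these packages is real; the PyPI sample deliberately lacks Author.
SAMPLES = [
    ("pypi", {  # wheel METADATA fields (core metadata keys)
        "Name": "Demo_HTTP.Client", "Version": "1.4.2",
        "Requires-Dist": ["urllib3 (>=1.26)", "idna; python_version < '3.9'"],
    }),
    ("npm", {  # package.json (author assumed to be a plain string here)
        "name": "@acme/webtool", "version": "3.0.1", "author": "Acme Corp",
        "dependencies": {"lodash": "^4.17.21", "minimist": "~1.2.6"},
    }),
    ("deb", {  # one stanza of /var/lib/dpkg/status
        "Package": "demo-tool", "Version": "1:0.9-2", "Architecture": "amd64",
        "Maintainer": "Demo Team <demo@example.org>",
        "Depends": "libc6 (>= 2.34), libdemo1 | libdemo0",
    }),
]


def purl_pypi(name, version):
    # PEP 503 normalisation: lowercase; runs of '-', '_' and '.' become '-'
    return f"pkg:pypi/{re.sub(r'[-_.]+', '-', name).lower()}@{version}"


def purl_npm(name, version):
    # A scoped package keeps its '@scope' as a percent-encoded purl namespace
    if name.startswith("@"):
        scope, bare = name.split("/", 1)
        return f"pkg:npm/{quote(scope, safe='')}/{bare}@{version}"
    return f"pkg:npm/{name}@{version}"


def purl_deb(name, version, arch, distro="debian"):
    # The epoch colon (and any other reserved character) is percent-encoded
    return f"pkg:deb/{distro}/{name}@{quote(version, safe='')}?arch={arch}"


def _dep_name(spec):
    # Leading package name of a requirement such as 'urllib3 (>=1.26)'
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._+-]*)", spec)
    return m.group(1) if m else None


def normalize(ecosystem, meta):
    """Map one package's native metadata onto the NTIA minimum elements."""
    if ecosystem == "pypi":
        name, version = meta["Name"], meta["Version"]
        deps = [_dep_name(r) for r in meta.get("Requires-Dist", [])]
        supplier = meta.get("Author") or meta.get("Maintainer")
        purl = purl_pypi(name, version)
    elif ecosystem == "npm":
        name, version = meta["name"], meta["version"]
        deps = list(meta.get("dependencies", {}))
        supplier = meta.get("author")
        purl = purl_npm(name, version)
    elif ecosystem == "deb":
        name, version = meta["Package"], meta["Version"]
        # 'a | b' alternatives: keep only the first alternative
        deps = [_dep_name(d.split("|")[0]) for d in meta.get("Depends", "").split(",")]
        supplier = meta.get("Maintainer")
        purl = purl_deb(name, version, meta["Architecture"])
    else:
        raise ValueError(f"unknown ecosystem {ecosystem}")
    return {"ecosystem": ecosystem, "supplier": supplier, "name": name,
            "version": version, "identifier": purl,
            "dependencies": [d for d in deps if d]}


def missing_elements(component):
    """Per-component NTIA elements the package manager did not supply
    (author and timestamp come from the SBOM producer, so are not checked)."""
    return [k for k in ("supplier", "name", "version", "identifier")
            if not component.get(k)]


def build_sbom(components, author="packaging-to-sbom demo"):
    """Assemble a CycloneDX 1.4-shaped JSON document from normalised components."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(),
                     "authors": [{"name": author}]},
        "components": [
            {"type": "library", "bom-ref": c["identifier"], "name": c["name"],
             "version": c["version"], "purl": c["identifier"],
             **({"supplier": {"name": c["supplier"]}} if c["supplier"] else {})}
            for c in components],
        # dependsOn holds bare names: packaging metadata carries version
        # constraints, not resolved versions, so no versioned bom-ref exists yet
        "dependencies": [{"ref": c["identifier"], "dependsOn": c["dependencies"]}
                         for c in components],
    }


if __name__ == "__main__":
    comps = [normalize(e, m) for e, m in SAMPLES]
    for c in comps:
        print(c["ecosystem"], c["identifier"], "missing:", missing_elements(c) or "none")
    print(json.dumps(build_sbom(comps), indent=2))
```

The gap the script surfaces is the one that matters most for vulnerability matching: a manifest names dependencies with version constraints, but matching against advisories needs the resolved versions actually installed, which only a lockfile or the deployed inventory can provide. Supplier is the other element that is optional in several ecosystems and so often absent.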


We are looking for informed input and potential collaboration to help answer two questions:
1. How widely does package management metadata vary across ecosystems?
2. How well does the metadata available during packaging meet SBOM and vulnerability management needs?

Art Manion is a Principal Engineer and the Vulnerability Analysis Technical Manager at the CERT Coordination Center (CERT/CC), part of the Software Engineering Institute at Carnegie Mellon University. He and his team coordinate complex vulnerability disclosures, perform in-depth technical analysis, and influence practice, standards, and policy. Art co-chairs the Framing working group of the U.S. NTIA Software Component Transparency (SBOM) multistakeholder effort.