Hackers of India

Determining Exploitability of Vulnerabilities with SBOM and VEX

By Anusha Penumacha and Srinija Kammari on 03 Apr 2025 @ Blackhat

Abstract

Software Composition Analysis (SCA) tools are known to generate a flood of vulnerability findings against third-party code. The key challenge today is determining how many of those vulnerabilities are actually exploitable in the products that are shipped. Many tools have started to address this problem, but it cannot be solved completely without internal developer context on how a third-party package is actually used.

Executive Order 14028, “Improving the Nation’s Cybersecurity” (issued May 12, 2021), directed the federal government to require a Software Bill of Materials (SBOM) from its software suppliers. SBOMs are now commonly paired with Vulnerability Exploitability eXchange (VEX) documents, in which the vendor states whether a known vulnerability in a listed component actually affects the product. Most federal agencies now mandate this requirement, and many commercial vendors also require SBOMs from their suppliers to safeguard their supply-chain posture.

While SBOMs and VEX can be perceived as a pure compliance requirement, they can also be leveraged as a powerful resource for determining the exploitability of a vulnerability. By automating SBOM and VEX generation we achieve EO compliance in a scalable manner, and we use the same data to determine the exploitability of our SCA findings. This minimizes false positives and enhances customer trust.
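The workflow the abstract describes, as an added example written for this page rather than the speakers' own tooling: SCA findings are joined against the SBOM and a table of developer context, and each finding becomes a VEX statement whose status and justification decide whether it stays on the exploitable list. The SBOM, the findings (placeholder CVE identifiers, not real advisories) and the developer annotations are all constructed for the example; the document shape is modelled on OpenVEX, and the status and justification vocabulary is the one OpenVEX shares with CSAF VEX.

```python
"""Turn SCA findings into VEX statements using developer context.

Added example (not the speakers' tooling). Inputs are constructed: a minimal
SBOM, SCA findings with placeholder CVE ids, and developer annotations.
Output shape is modelled on OpenVEX; the status/justification values are the
VEX vocabulary shared by OpenVEX and CSAF VEX.
"""
import json
from datetime import datetime, timezone

# Constructed SBOM (CycloneDX-style component list, purl used as bom-ref).
SBOM_COMPONENTS = [
    {"bom-ref": "pkg:maven/org.example/parser@1.2.3", "name": "parser", "version": "1.2.3"},
    {"bom-ref": "pkg:maven/org.example/httpclient@4.0.0", "name": "httpclient", "version": "4.0.0"},
    {"bom-ref": "pkg:pypi/example-yaml@5.1", "name": "example-yaml", "version": "5.1"},
]

# Constructed SCA output. CVE ids are placeholders, not real advisories.
SCA_FINDINGS = [
    {"cve": "CVE-2099-0001", "purl": "pkg:maven/org.example/parser@1.2.3"},
    {"cve": "CVE-2099-0002", "purl": "pkg:maven/org.example/httpclient@4.0.0"},
    {"cve": "CVE-2099-0003", "purl": "pkg:pypi/example-yaml@5.1"},
    {"cve": "CVE-2099-0004", "purl": "pkg:pypi/example-yaml@5.1"},
    {"cve": "CVE-2099-0005", "purl": "pkg:npm/ghost@1.0.0"},  # scanner noise: not in the SBOM
]

# Developer context keyed by (cve, purl): how the package is actually used.
# A finding with no entry stays under_investigation until someone looks at it.
DEVELOPER_CONTEXT = {
    ("CVE-2099-0001", "pkg:maven/org.example/parser@1.2.3"): {
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
        "impact_statement": "Only the streaming API is used; the DOM loader is never called.",
    },
    ("CVE-2099-0002", "pkg:maven/org.example/httpclient@4.0.0"): {
        "status": "affected",
        "action_statement": "Upgrade to 4.0.1 in the next release.",
    },
    ("CVE-2099-0003", "pkg:pypi/example-yaml@5.1"): {
        "status": "not_affected",
        "justification": "inline_mitigations_already_exist",
        "impact_statement": "Untrusted input is never passed to the unsafe loader.",
    },
}

STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def make_statement(finding, context, sbom_refs):
    """Build one VEX statement and enforce the fields each status requires."""
    key = (finding["cve"], finding["purl"])
    if finding["purl"] not in sbom_refs:
        # The scanner flagged a component we do not ship: say so explicitly.
        ctx = {"status": "not_affected", "justification": "component_not_present"}
    else:
        ctx = context.get(key, {"status": "under_investigation"})
    status = ctx["status"]
    if status not in STATUSES:
        raise ValueError(f"unknown VEX status {status!r} for {key}")
    stmt = {
        "vulnerability": {"name": finding["cve"]},
        "products": [{"@id": finding["purl"]}],
        "status": status,
    }
    if status == "not_affected":
        # A bare not_affected is unverifiable; require a machine-readable reason.
        just = ctx.get("justification")
        if just not in JUSTIFICATIONS:
            raise ValueError(f"not_affected needs a justification: {key}")
        stmt["justification"] = just
        if "impact_statement" in ctx:
            stmt["impact_statement"] = ctx["impact_statement"]
    elif status == "affected":
        # Consumers need to know what to do; refuse to emit affected without it.
        if not ctx.get("action_statement"):
            raise ValueError(f"affected needs an action_statement: {key}")
        stmt["action_statement"] = ctx["action_statement"]
    return stmt


def build_vex(findings, context, components, author, doc_id):
    sbom_refs = {c["bom-ref"] for c in components}
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": doc_id,
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": [make_statement(f, context, sbom_refs) for f in findings],
    }


def exploitable(vex):
    """What the SCA backlog shrinks to: findings still open for this product."""
    return [(s["vulnerability"]["name"], s["products"][0]["@id"])
            for s in vex["statements"]
            if s["status"] in ("affected", "under_investigation")]


if __name__ == "__main__":
    doc = build_vex(SCA_FINDINGS, DEVELOPER_CONTEXT, SBOM_COMPONENTS,
                    "Example Vendor PSIRT", "https://example.com/vex/2025-001")
    print(json.dumps(doc, indent=2))
    print("still open:", exploitable(doc))
```

Of the five scanner findings, only two survive triage: the one the developers marked affected and the one nobody has annotated yet. The two hard errors in make_statement are deliberate: a not_affected without a justification, or an affected without an action statement, is exactly the kind of VEX a downstream consumer cannot act on, so the pipeline should fail loudly rather than ship it.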