How to Consume an SBOM through Bomber

Can Özkan
2 min read · Nov 13, 2023

So you’ve asked a vendor for a Software Bill of Materials (SBOM) for one of their closed-source products, and they provided one to you in a JSON file. Now what?

The first thing you want to do is to see if any of the components listed inside the SBOM have security vulnerabilities and what kind of licenses these components have. This will help you identify the kind of risk you will be taking by using the product. [1]

Download the bomber release package that matches your OS and architecture from the project's GitHub releases page [1].

On a Debian-based system, install the downloaded .deb package with dpkg.

Then scan the SBOM file for known vulnerabilities. The output begins with detailed information about the provided SBOM input file, followed by the findings.
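What a scanner like bomber does with that file is mechanical: read the SBOM, pull out each component's package URL (purl) and declared license, and look the purls up against a vulnerability provider. The following added example (my own code, not bomber's) shows that consumption step offline: it parses both SBOM formats bomber accepts (CycloneDX and SPDX JSON), flags components whose purl or license is missing, and builds the request body for the public OSV `querybatch` API without sending it. The two SBOM documents are constructed for the demo, and the component names and versions in them are illustrative.

```python
"""Parse an SBOM (CycloneDX or SPDX JSON), list each component's purl and
license, and prepare the vulnerability-lookup request a scanner would send.
Added example, not bomber's code; both SBOM documents below are constructed."""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: CycloneDX 1.4 JSON, as a vendor might hand it over.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # No purl and no license: neither risk question can be answered.
        {"type": "library", "name": "internal-crypto", "version": "0.3"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"name": "Custom EULA"}}]},
    ],
})

# Constructed sample: the same idea in SPDX 2.3 JSON.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "requests", "versionInfo": "2.25.1",
         "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.25.1"}]},
        {"name": "vendor-blob", "versionInfo": "1.0",
         "licenseConcluded": "NOASSERTION"},
    ],
})


@dataclass
class Component:
    name: str
    version: str
    purl: Optional[str]                 # package URL; the key for vulnerability lookup
    licenses: List[str] = field(default_factory=list)


def _cyclonedx_components(doc):
    for c in doc.get("components", []):
        lics = []
        for entry in c.get("licenses", []):
            lic = entry.get("license", {})
            # CycloneDX allows an SPDX id, a free-text name, or an expression.
            lics.append(lic.get("id") or lic.get("name") or entry.get("expression") or "")
        yield Component(c.get("name", ""), c.get("version", ""), c.get("purl"),
                        [l for l in lics if l])


def _spdx_components(doc):
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        lic = p.get("licenseConcluded")
        # NOASSERTION means the producer made no license claim; treat as missing.
        lics = [lic] if lic and lic != "NOASSERTION" else []
        yield Component(p.get("name", ""), p.get("versionInfo", ""), purl, lics)


def parse_sbom(text: str) -> List[Component]:
    """Detect the SBOM format from its top-level keys and normalise it."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return list(_cyclonedx_components(doc))
    if "spdxVersion" in doc:
        return list(_spdx_components(doc))
    raise ValueError("unrecognised SBOM format (expected CycloneDX or SPDX JSON)")


def triage(components):
    """Split components into lookup-able ones and ones to raise with the vendor."""
    lookup = [c for c in components if c.purl]
    no_purl = [c for c in components if not c.purl]
    no_license = [c for c in components if not c.licenses]
    return lookup, no_purl, no_license


def osv_querybatch(components):
    """Body of an OSV POST /v1/querybatch request (public API shape); not sent here."""
    return {"queries": [{"package": {"purl": c.purl}} for c in components if c.purl]}


if __name__ == "__main__":
    for label, text in (("CycloneDX", CYCLONEDX_SBOM), ("SPDX", SPDX_SBOM)):
        comps = parse_sbom(text)
        lookup, no_purl, no_license = triage(comps)
        print(f"{label}: {len(comps)} components, {len(lookup)} resolvable by purl")
        for c in no_purl:
            print(f"  no purl, cannot be checked for vulnerabilities: {c.name} {c.version}")
        for c in no_license:
            print(f"  no license declared: {c.name} {c.version}")
        print("  lookup payload:", json.dumps(osv_querybatch(comps)))
```

The two triage lists are the part worth reading before trusting any scan result: a component without a purl is silently skipped by purl-based lookups, so "no findings" for it means "not checked", and a component without a license answers nothing about the second risk question the post raises. Both are questions to send back to the vendor rather than gaps to paper over.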

This work has been supported in part by the Energy Transition Fund of the FPS Economy of Belgium through the CYPRESS project, and in part by the VLAIO COOCK program through the IIoT-SBOM project.

Thanks for reading.

Can Özkan

References

[1] https://github.com/devops-kung-fu/bomber

Written by Can Özkan

Security Researcher, Penetration Tester, and Reverse Engineer
