[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SBOM analysis types



I’ve seen a lot of scenarios that the model seems to be defining, but I haven’t seen any documentation about what forms of analysis that orgs should be able to perform against SBOMs.

IMO, the value of SBOMs isn’t just being able to produce or consume them, but being able to automatically analyze them with a high degree of accuracy. For example, these are the types of analysis that are possible with CycloneDX. Some of these types of analysis are available in Dependency-Track and others will possible in future releases.

  • Analyzing component quantity
    • Maintenance costs, etc.
  • Analyzing potential impact of coupling
    • Frameworks vs libraries for example
  • Identification and independent analysis of component assemblies (systems, subsystems, etc)
  • Identification and analysis of dependencies
    • Effective dependencies on a per application basis
    • Declared dependencies in the case of repo manifest
    • Identifying circular dependencies and associated upgrade risk
  • Vulnerability analysis
    • Assets (via CPE)
    • Libraries and Docker images (via PURL)
    • Decentralized (via external references - i.e. GitHub Advisories)
  • Out-of-date analysis
    • For managed components (maven, npm, nuget, rpm, deb, etc) via PURL
  • License analysis
    • SPDX, non-SPDX, and commercial licenses
  • File verification and component identification
    • Hash (md5, sha1, sha2, sha3)
  • Project health analysis
    • via external references to SCM, defect tracker, etc
    • # of committers, pull requests, issues, age, commit frequency, release frequency, etc
  • Signature validation of the BOM or component assembly within the BOM
  • Analysis of all the above for modified components (pedigree) without loss of fidelity


These forms of analysis are already possible today. If a standard SBOM format is created from this effort, I think these forms of automated analysis should be possible at a minimum. Otherwise, the value proposition of adoption or migration just won’t be there.


—Steve