Software Development

How are you managing Software Supply Chain Security with the new SBOM mandates in 2025?

AR Asked by Arthur Bennett · 20-11-2024
0 upvotes 12,224 views 0 comments
The question

We’re now required to provide a Software Bill of Materials (SBOM) for every release, but keeping it updated across 50+ microservices is a nightmare. How are you guys automating the scanning of open-source dependencies and "transitive" vulnerabilities? Is anyone using tools like Snyk or CycloneDX to block builds that contain "unreachable" but vulnerable code paths?

3 answers

0
DE
Answered on 15-02-2025

We’ve integrated CycloneDX directly into our GitHub Actions. Every time a PR is merged, it generates a fresh SBOM and compares it against the "Vulnerability Exploitability eXchange" (VEX) data. This is key because it tells us if a vulnerability is actually reachable in our specific code. We used to waste hundreds of hours fixing CVEs that were in unused parts of a library. Now, we only "break the build" if the vulnerability is in a function we actually call. It’s moved our focus from "compliance" to actual "risk reduction," which our devs appreciate.

0
GA
Answered on 12-03-2025

Deborah, how do you handle the "false positives" from those reachability scans? Sometimes the tool says it's unreachable, but a clever exploit might prove otherwise.

MA 22-04-2025

Gary, we have a "trust but verify" policy. If the tool flags it as unreachable, it goes to a low-priority queue for a monthly manual review by our security champions. We don't block the release, but we don't ignore it forever either. This balance keeps our velocity high without leaving us completely exposed to "black swan" exploit scenarios that the automated tools might miss.

0
SA
Answered on 01-05-2025

We’ve started using "VEX" documents to communicate to our customers which vulnerabilities are NOT applicable to us. It saves a lot of back-and-forth emails during their security audits.

AR 05-05-2025

VEX is a game-changer for transparency. It’s finally moving the conversation from "Do you have bugs?" to "Are these bugs actually a threat to my data?"

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session