Anyone who has purchased a used vehicle knows how valuable a CARFAX report is for identifying issues or concerns before buying. A CARFAX report discloses risks and issues up front, which can keep you from buying a lemon. Why take a chance on a used vehicle without knowing what you’re getting into? Get the CARFAX!
The same can be said for software.
We’ve discussed the importance of SBOMs over the past year as a method of communicating the list of “ingredients” contained in a software package. This is very useful information for any software consumer to have available for risk management and assessments. But, just as important, wouldn’t a software consumer also want to know the “CARFAX” for a particular software product and each of its components before installing the software? What if we had a CARFAX report for software? FYI: we do now!
An SBOM Vulnerability Disclosure Report (SBOM VDR) is an open-source attestation of known vulnerabilities (CVE IDs) that may affect one or more components in an SBOM. It answers the question "What is the vulnerability status NOW of Product P, Version V from Supplier S, at the SBOM component level?" before a consumer purchases or installs a software package.
An SBOM VDR is produced by a software vendor as an attestation that a software product is free of known exploitable vulnerabilities at the time the product, and its SBOM, are delivered to a customer. The SBOM VDR contains a vulnerability report for each component in the SBOM, indicating whether any vulnerabilities are known for that component and, if so, whether each reported CVE is exploitable in the product. On day one of a product shipment you would expect the SBOM VDR to show no exploitable vulnerabilities in the delivered product and every component in the SBOM marked “clean”. The SBOM VDR is the vendor’s attestation that they have performed a vulnerability search for every component in the product and found no exploitable vulnerabilities on day one. Be clear about what that covers: it is the vendor’s claim about vulnerabilities known as of the report’s create date, not proof that the product has no vulnerabilities at all, so a consumer should check that every component in the SBOM actually appears in the VDR and that the create date is current.
A software consumer uses the combination of an SBOM and SBOM VDR as part of a software risk assessment, before attempting to install a software product, to determine whether the software is safe to install (trustworthy). After determining that the software is trustworthy, the consumer may proceed with installation, but must also implement a monitoring process to identify any risks that arise as new vulnerabilities are reported on any of the installed SBOM components.
The software vendor needs to inform customers of potential risk whenever a vulnerability is reported on a component used in a software product. The vendor communicates this by updating the product’s “CARFAX”, the SBOM VDR, to record their awareness of the vulnerability and, if it is indeed exploitable, its Fix Status. With this fresh knowledge of the increased risk, the consumer can take mitigating action to prevent exploitation until the vendor provides a fix, keeping attackers from using the vulnerability to inflict harm while a patch is being developed. Just as a CARFAX report is updated continuously, an SBOM VDR must be updated in a timely way whenever a new vulnerability is reported. If a vendor determines that a newly reported vulnerability has no impact on their product, they are still expected to update the SBOM VDR: the Unresolved Vulnerabilities flag stays “No” and the VDR create date and time are refreshed, showing that the most recent vulnerabilities have been checked and verified. If a component is exploitable, its entry in the SBOM VDR is updated, the Unresolved Vulnerabilities flag is set to "Yes", and the create date/time of the SBOM VDR is updated.
An SBOM VDR is similar to a CARFAX report in that it gives a consumer an attestation of known issues and their status (for example, that a CVE is not exploitable) at a given point in time, for each component listed in an SBOM, before the software is installed. Like a CARFAX report, the SBOM VDR needs to be updated over time as new vulnerabilities are reported, so that software customers have the latest vulnerability status of each installed component. Software customers should periodically (daily) download the SBOM VDR, using an automated process, for each product installed in their ecosystem, so that any new risk from newly reported vulnerabilities is detected and evaluated as quickly as possible. Comparing each download against the previous one shows exactly what changed: a new CVE entry, a change in exploitability or fix status, or a create date that has stopped advancing, which is itself a sign that the vendor is no longer checking.
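The consumer-side checks described above (every SBOM component accounted for, no exploitable CVEs, a consistent Unresolved Vulnerabilities flag, a fresh create date, and a diff against yesterday’s download) can be automated. The script below is an added example written for this page; it is not code from the original post or from any VDR tool. The dictionaries are a simplified, hypothetical rendering of the fields the post names, not the real SBOM VDR schema, and the component names, dates and CVE-style IDs are constructed placeholders.

```python
"""Consumer-side checks of a product SBOM against its SBOM VDR (added example).

The layouts below are a hypothetical, simplified rendering of the fields the post
names (per-component CVE list with exploitable / fix status, an "Unresolved
Vulnerabilities" flag, a create date/time). All sample data is constructed;
the CVE-style IDs are placeholders, not real CVEs.
"""
from datetime import datetime, timedelta, timezone

# Constructed component list a consumer would extract from the SBOM's package entries.
SBOM_COMPONENTS = [
    {"name": "libfoo", "version": "1.4.2"},
    {"name": "barlib", "version": "0.9.0"},
    {"name": "bazjs", "version": "3.1.0"},
]

# Constructed day-one VDR: every SBOM component searched, nothing reported.
VDR_DAY_ONE = {
    "product": "Widget", "version": "2.0", "supplier": "ExampleCo",
    "created": "2023-05-01T08:00:00Z",
    "unresolved_vulnerabilities": "No",
    "components": [
        {"name": "libfoo", "version": "1.4.2", "vulnerabilities": []},
        {"name": "barlib", "version": "0.9.0", "vulnerabilities": []},
        {"name": "bazjs", "version": "3.1.0", "vulnerabilities": []},
    ],
}

# Constructed VDR re-issued after two newly reported CVEs were checked. It has two
# defects a consumer should catch: bazjs is missing (coverage gap) and the flag
# still says "No" although barlib is marked exploitable (inconsistent flag).
VDR_UPDATED = {
    "product": "Widget", "version": "2.0", "supplier": "ExampleCo",
    "created": "2023-06-10T09:30:00Z",
    "unresolved_vulnerabilities": "No",
    "components": [
        {"name": "libfoo", "version": "1.4.2", "vulnerabilities": [
            {"id": "CVE-0000-0001", "exploitable": False, "fix_status": "not affected"}]},
        {"name": "barlib", "version": "0.9.0", "vulnerabilities": [
            {"id": "CVE-0000-0002", "exploitable": True, "fix_status": "fix in progress"}]},
    ],
}

# Constructed times at which the consumer's daily job evaluates each report.
CHECK_AT_DAY_ONE = datetime(2023, 5, 1, 20, 0, tzinfo=timezone.utc)
CHECK_AT_UPDATE = datetime(2023, 6, 10, 18, 0, tzinfo=timezone.utc)


def _key(component):
    return (component["name"], component["version"])


def coverage_gaps(sbom, vdr):
    """SBOM components the VDR says nothing about: their status is unknown, not clean."""
    reported = {_key(c) for c in vdr["components"]}
    return [_key(c) for c in sbom if _key(c) not in reported]


def exploitable_findings(vdr):
    """(component, cve, fix_status) for every CVE the vendor marks as exploitable."""
    return [(c["name"], v["id"], v["fix_status"])
            for c in vdr["components"] for v in c["vulnerabilities"] if v["exploitable"]]


def flag_is_consistent(vdr):
    """The Unresolved Vulnerabilities flag must read Yes iff an exploitable CVE is listed."""
    expected = "Yes" if exploitable_findings(vdr) else "No"
    return vdr["unresolved_vulnerabilities"] == expected


def is_stale(vdr, now, max_age=timedelta(days=1)):
    """True when the create date is older than the consumer's polling window."""
    created = datetime.fromisoformat(vdr["created"].replace("Z", "+00:00"))
    return now - created > max_age


def new_findings(old, new):
    """CVE entries present in the new VDR but absent from the previous download."""
    seen = {(c["name"], v["id"]) for c in old["components"] for v in c["vulnerabilities"]}
    return [(c["name"], v["id"], v["exploitable"])
            for c in new["components"] for v in c["vulnerabilities"]
            if (c["name"], v["id"]) not in seen]


def assess(sbom, vdr, now):
    """Trust decision: install only if fresh, fully covered, internally consistent and clean."""
    gaps = coverage_gaps(sbom, vdr)
    findings = exploitable_findings(vdr)
    stale = is_stale(vdr, now)
    consistent = flag_is_consistent(vdr)
    return {"coverage_gaps": gaps, "exploitable": findings, "stale": stale,
            "flag_consistent": consistent,
            "ok_to_install": not (gaps or findings or stale) and consistent}


if __name__ == "__main__":
    print(assess(SBOM_COMPONENTS, VDR_DAY_ONE, CHECK_AT_DAY_ONE))
    print(assess(SBOM_COMPONENTS, VDR_UPDATED, CHECK_AT_UPDATE))
    print(new_findings(VDR_DAY_ONE, VDR_UPDATED))
```

The day-one report passes every check. The re-issued report is rejected for three independent reasons: a component with no entry is treated as unknown rather than clean, an exploitable CVE is present, and the flag contradicts the component data. Treating any one of these as a hard failure is deliberate; a VDR that is internally inconsistent cannot be relied on for the parts that look fine.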
A sample SBOM VDR is available online.
A complete use case, showing an SPDX SBOM and SBOM VDR is available online.