
A radiography of a SBOM vulnerability scanner

Log4Shell and SpringShell were reminders that a large part of the code running in our systems is not ours, and that the maintainers we rely on carry a significant responsibility.

The US President's Executive Order 14028 brought to public attention the need to improve the nation's cybersecurity. It also started the SBOM frenzy, which was only accentuated by the Securing Open Source Software Act of 2022 bill introduced in Congress.

Great! We have a silver bullet for all supply chain issues: the Software Bill of Materials. Are we done? Sadly, no. Using SBOMs effectively requires answering a few questions:

What can an SBOM tell us, and how can it help?
Which tools should we use?
How do we use them?
How do they work?
What are the related formats?

This session will answer each of these questions. We will also look behind the scenes and explain how an SBOM, which records component identifiers and the dependency graph between them, supports vulnerability resolution more effectively than dependency scanning alone, and why SBOMs offer protection beyond vulnerability matching.

The practical examples will be focused on the following:

Syft - for SBOM generation and transformations
Grype vs bomber - for vulnerability scanning and intelligence gathering

The examples will generate SBOMs for some of the most widely used libraries in the JVM world and then check them for vulnerabilities.
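To illustrate the point above about SBOM-based resolution versus plain dependency scanning, here is an added example that is not part of the session and not code from Syft, Grype or bomber. It assumes a CycloneDX SBOM such as the one `syft <dir> -o cyclonedx-json` produces and a Grype JSON report such as `grype sbom:sbom.json -o json` produces; both inputs are constructed inline and trimmed to the fields used. It joins scanner matches to SBOM components by package URL, then walks the SBOM's dependency graph back to the root to find which direct dependency has to be bumped. The application and the com.example component names, and the function names, are assumptions.

```python
"""Join a CycloneDX SBOM with vulnerability-scanner findings and walk the
SBOM's dependency graph back to the direct dependency that has to be bumped.
Added example; not code from the session or from Syft/Grype/bomber."""
import json
from collections import deque

# Constructed CycloneDX 1.4 SBOM, trimmed to the fields used below. This is
# the shape `syft <dir> -o cyclonedx-json` produces; the application and the
# com.example components are illustrative (assumed names).
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app",
                             "name": "inventory-service", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/com.example/billing-client@3.2.0",
     "name": "billing-client", "version": "3.2.0",
     "purl": "pkg:maven/com.example/billing-client@3.2.0"},
    {"bom-ref": "pkg:maven/com.example/audit-logger@1.4.0",
     "name": "audit-logger", "version": "1.4.0",
     "purl": "pkg:maven/com.example/audit-logger@1.4.0"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/com.example/billing-client@3.2.0",
                                 "pkg:maven/com.example/audit-logger@1.4.0"]},
    {"ref": "pkg:maven/com.example/billing-client@3.2.0", "dependsOn": []},
    {"ref": "pkg:maven/com.example/audit-logger@1.4.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]}
  ]
}'''

# Constructed excerpt of a Grype JSON report (`grype sbom:sbom.json -o json`),
# reduced by hand to the fields used below; severity and fix are illustrative.
GRYPE_JSON = r'''{"matches": [
  {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical",
                     "fix": {"versions": ["2.15.0"], "state": "fixed"}},
   "artifact": {"name": "log4j-core", "version": "2.14.1",
                "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}}
]}'''


def load_graph(sbom):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [child refs]})."""
    root = sbom["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    return root, comps, edges


def paths_to(root, edges, target):
    """Every dependency path root -> ... -> target. Breadth-first; a ref is
    never revisited on the same path, so cyclic graphs still terminate."""
    found, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            found.append(path)
            continue
        for child in edges.get(path[-1], []):
            if child not in path:
                queue.append(path + [child])
    return found


def triage(sbom_json, grype_json):
    """For each scanner match, map its purl onto the SBOM and report which
    direct dependencies of the root pull the vulnerable component in."""
    root, comps, edges = load_graph(json.loads(sbom_json))
    by_purl = {c["purl"]: ref for ref, c in comps.items() if "purl" in c}
    findings = []
    for m in json.loads(grype_json)["matches"]:
        v, purl = m["vulnerability"], m["artifact"]["purl"]
        ref = by_purl.get(purl)          # None: scanner matched something the SBOM lacks
        paths = paths_to(root, edges, ref) if ref else []
        findings.append({
            "id": v["id"],
            "severity": v.get("severity"),
            "purl": purl,
            "fix_versions": v.get("fix", {}).get("versions", []),
            "in_sbom": ref is not None,
            # element 1 of each path is the root's direct dependency to bump
            "direct": sorted({p[1] for p in paths if len(p) > 1}),
            "paths": paths,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, GRYPE_JSON):
        print(f["id"], f["severity"], f["purl"], "fix:", f["fix_versions"])
        print("  bump:", ", ".join(f["direct"]) or "(root itself, or not reachable)")
        for p in f["paths"]:
            print("  via:", " -> ".join(p))
```

A plain dependency scanner tells you log4j-core 2.14.1 is present; the SBOM's `dependencies` section tells you it arrives only through audit-logger, which is the artifact you actually have to bump or override. A match whose purl is absent from the SBOM is reported with `in_sbom` false rather than dropped, which is the signal that the SBOM and the scanned artifact have drifted apart.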

Steve Poole

Director Developer Advocacy, Sonatype

London, United Kingdom

