I've received a set of SBOM files from a client expecting feedback. They have been compiled with CycloneDX (which seems to be a standard tool for this), but as far as I can see, the XML files, while well detailed, contain references to packages that seem to be from the company itself, i.e. nothing external (except code-building tools like Maven/Jenkins).
Does anyone have any practical experience? What does one typically do with these files? (My naive assumption was to look for any external packages linked to other manufacturers/publishers, look at some of the vulnerability databases to see if anything stands out, then check with the client whether they've documented any risk assessment of this etc., but if all the packages are tagged with com.COMPANYNAME (and even the Maven/Jenkins items have a group URL that is tailored to COMPANYNAME.)
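As an added example of what a first pass over such a file looks like (my own code, not the asker's, not from CycloneDX, and not derived from the client's SBOMs): the script below parses a CycloneDX XML BOM, splits components into "internal" (group under the client's own namespace) and "external" (everything else), and builds the request body for a batch lookup against a vulnerability database. The SBOM embedded in it is a constructed sample, `com.COMPANYNAME` stands in for the client's real group prefix, and the lookup payload follows the shape of the OSV `querybatch` API (`queries` of `package.purl`), which the script only builds and does not send, so it runs offline. The practical point for the asker's situation: if the external list comes back empty, the SBOM is either describing only first-party modules or is incomplete, and the review question becomes "where are the third-party dependencies?" rather than "which of them are vulnerable?".

```python
"""First-pass triage of a CycloneDX XML SBOM: internal vs external components,
components that cannot be looked up (no purl), and a vulnerability-DB batch query."""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample SBOM (not a real client file). Groups, names and versions
# are placeholders chosen to show one internal and two external components.
SAMPLE_SBOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="application">
      <group>com.COMPANYNAME</group>
      <name>billing-service</name>
      <version>2.3.1</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <group>com.COMPANYNAME.commons</group>
      <name>company-utils</name>
      <version>1.0.0</version>
      <purl>pkg:maven/com.COMPANYNAME.commons/company-utils@1.0.0</purl>
    </component>
    <component type="library">
      <group>org.apache.commons</group>
      <name>commons-lang3</name>
      <version>3.12.0</version>
      <purl>pkg:maven/org.apache.commons/commons-lang3@3.12.0</purl>
    </component>
    <component type="library">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.13.4</version>
    </component>
  </components>
</bom>
"""


def _tag(ns: str, name: str) -> str:
    """Qualify an element name with the BOM namespace taken from the root tag."""
    return f"{{{ns}}}{name}" if ns else name


def parse_components(xml_text: str) -> List[Dict[str, str]]:
    """Return every component under <components> (nested ones included).
    The metadata/component (the product itself) is deliberately skipped."""
    root = ET.fromstring(xml_text)
    # Derive the namespace from the root so 1.3/1.4/1.5 documents all work.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    container = root.find(_tag(ns, "components"))
    if container is None:
        return []
    out = []
    for el in container.iter(_tag(ns, "component")):
        out.append({
            "type": el.get("type", ""),
            "group": (el.findtext(_tag(ns, "group")) or "").strip(),
            "name": (el.findtext(_tag(ns, "name")) or "").strip(),
            "version": (el.findtext(_tag(ns, "version")) or "").strip(),
            "purl": (el.findtext(_tag(ns, "purl")) or "").strip(),
        })
    return out


def classify(components: List[Dict[str, str]],
             internal_prefixes: List[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split components into (internal, external) by group prefix.
    A group is internal if it equals a prefix or sits under it ('prefix.')."""
    internal, external = [], []
    for c in components:
        g = c["group"]
        is_internal = any(g == p or g.startswith(p + ".") for p in internal_prefixes)
        (internal if is_internal else external).append(c)
    return internal, external


def unresolvable(components: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """External components with no purl cannot be matched against a vuln DB;
    they should go back to the client as a completeness finding."""
    return [c for c in components if not c["purl"]]


def osv_batch_query(components: List[Dict[str, str]]) -> Dict[str, list]:
    """Build the body for an OSV querybatch request (not sent here)."""
    return {"queries": [{"package": {"purl": c["purl"]}} for c in components if c["purl"]]}


if __name__ == "__main__":
    comps = parse_components(SAMPLE_SBOM)
    internal, external = classify(comps, ["com.COMPANYNAME"])
    print(f"{len(internal)} internal, {len(external)} external components")
    for c in unresolvable(external):
        print(f"no purl, cannot look up: {c['group']}:{c['name']}@{c['version']}")
    print(json.dumps(osv_batch_query(external), indent=2))
```

Run it against the real files by replacing `SAMPLE_SBOM` with the file contents and `["com.COMPANYNAME"]` with the client's actual group prefixes; an empty external list plus a dependency tree that only references internal refs is itself the finding to raise with the client.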