Abstract
The software supply chain is composed of a growing number of components, including binaries, libraries, tools, and microservices, that are needed to meet the requirements of modern software. Products assembled by software vendors are usually composed of both open-source and commercial components. Software supply chain attacks are one of the fastest-growing categories of cybersecurity threats, and the large number of dependencies in a vendor's product makes it possible for a single vulnerability to propagate to many vendor products. Additionally, the software supply chain offers a large attack surface that allows vulnerabilities in upstream transitive dependencies to affect the core software. A Software Bill of Materials (SBOM) is an emerging technology that can be used in tandem with analysis tools to detect and mitigate security vulnerabilities in software supply chains. In this research, we use the open-source tools Trivy and Grype to assess the security of 1,151 SBOMs mined from third-party software repositories of various domains and sizes. We explore the distribution of software vulnerabilities across SBOMs and identify the most vulnerable software components. We conclude that this research demonstrates the security threat posed by software supply chain vulnerabilities, as well as the viability of using SBOMs to help assess security in the software supply chain.
O’Donoghue, E., Reinhold, A. M., & Izurieta, C. (2024). Assessing Security Risks of Software Supply Chains Using Software Bill of Materials. In Proceedings - 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering - Companion, SANER-C 2024 (pp. 134–140). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SANER-C62648.2024.00023