Vulnerability analysis based on SBOMs: A model proposal for automated vulnerability scanning for CI/CD pipelines



Kağızmandere Ö., Arslan H.

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE, vol. 13, no. 2, pp. 33-42, 2024 (Peer-Reviewed Journal)

Abstract

The software bill of materials (SBOM) emerged in 2018 as an important component of software security and software supply chain management. An SBOM is an inventory, presented as a list, of the components that make up a piece of software. In recent years, whether a software product contains vulnerabilities has become something its users need to check regularly. This paper deals with the systematic identification and vulnerability analysis of software components based on the software bill of materials concept. The fact that a software product itself contains no vulnerabilities does not mean that the product is secure: even if a software project contains no vulnerabilities when examined on its own, its components may. A vulnerability in one of the product's dependencies or components may be sufficient for cyber attackers to exploit that product. Minimizing the damage caused by vulnerabilities in software components is the basis of cyber security efforts. This study demonstrates the necessity of automatically generating a software bill of materials in software development and deployment environments and performing vulnerability analysis on it, and proposes a suitable model.
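As an added illustration of the model the abstract describes (example code, not from the paper), the following Python sketch matches the components listed in a constructed CycloneDX-style SBOM against a constructed advisory feed and applies a severity threshold as a CI/CD gate. The SBOM format, component names, advisory identifiers and the [introduced, fixed) version-range semantics are all assumptions made for this example.

```python
import json

# Constructed CycloneDX-style SBOM fragment; component names are hypothetical, not from the paper.
SBOM_JSON = """{"bomFormat": "CycloneDX", "components": [
  {"name": "libexample", "version": "2.3.1", "purl": "pkg:generic/libexample@2.3.1"},
  {"name": "parserkit",  "version": "1.0.4", "purl": "pkg:generic/parserkit@1.0.4"},
  {"name": "netutil",    "version": "4.2.0", "purl": "pkg:generic/netutil@4.2.0"}]}"""

# Constructed advisory feed: affected range is [introduced, fixed); ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "libexample", "introduced": "2.0.0", "fixed": "2.3.2", "severity": "HIGH"},
    {"id": "ADV-PLACEHOLDER-2", "name": "parserkit", "introduced": "1.1.0", "fixed": "1.2.0", "severity": "CRITICAL"},
    {"id": "ADV-PLACEHOLDER-3", "name": "netutil", "introduced": "4.0.0", "fixed": None, "severity": "LOW"},
]
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def parse_version(v):
    """Dotted numeric versions only (simplifying assumption); returns a comparable tuple."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; fixed=None means no fixed release exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def scan_sbom(sbom_json, advisories):
    """Match each SBOM component by name and version against the advisory feed."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["purl"], "advisory": adv["id"], "severity": adv["severity"]})
    return findings

def ci_gate(findings, threshold="HIGH"):
    """Pipeline policy: fail the build when any finding is at or above the threshold severity."""
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]]
    return ("FAIL" if blocking else "PASS"), blocking

if __name__ == "__main__":
    verdict, blocking = ci_gate(scan_sbom(SBOM_JSON, ADVISORIES))
    print(verdict, json.dumps(blocking, indent=2))
```

In a real pipeline the SBOM would be produced by the build step and the advisory feed pulled from a vulnerability database; here both are embedded so the gate runs offline.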