analyzing-sbom-for-supply-chain-vulnerabilities

# Analyzing SBOM for Supply Chain Vulnerabilities ## When to Use - A new regulatory requirement (EO 14028, EU CRA) mandates SBOM analysis for software deliveries - Security team needs to assess third-party risk by scanning vendor-provided SBOMs - CI/CD pipeline requires automated vulnerability checks against generated SBOMs - Incident response needs to determine if a newly disclosed CVE affects deployed software - Procurement team requires supply chain risk assessment for a software acquisition **Do not use** for runtime vulnerability scanning of live systems; use container scanning tools (Trivy, Grype CLI) or host-based vulnerability scanners (Nessus, Qualys) instead. ## Prerequisites - SBOM file in CycloneDX JSON (v1.4+) or SPDX JSON (v2.3+) format - Python 3.9+ with requests, networkx, and packaging libraries installed - NVD API key (free, from https://nvd.nist.gov/developers/request-an-api-key) for higher rate limits - Network access to NVD API (https://services.nvd.nist.gov/rest/json/cves/2.0) - Optionally: syft for SBOM generation, grype for cross-validation ## Workflow ### Step 1: Generate SBOM (if not provided) Use syft to create an SBOM from a container image or project directory: ```bash # Generate CycloneDX JSON from a container image syft alpine:latest -o cyclonedx-json > sbom-cyclonedx.json # Generate SPDX JSON from a project directory syft dir:/path/to/project -o spdx-json > sbom-spdx.json # Generate from a running container syft docker:my-app-contain...