Recently identified vulnerabilities in Log4j have made it clear that we need to be able to track how software is included and used in applications and systems. The first challenge is identifying the software element (be it an application, library, component, file or snippet) accurately when there may be multiple ways to refer to it. The next challenge is clearly articulating the dependencies between these software elements. Once a vulnerability is identified and correlated with a well-identified software element, the dependency information can be used to determine whether any key software elements may be impacted.
This talk will go through the approaches for identifying software via external references, as well as the types of relationships that tools producing SPDX SBOMs have found useful to date for mapping out dependencies between those elements. We will demonstrate a proof-of-concept utility in which an SPDX document carrying relationship information is used to query the OSV online vulnerability database.
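The flow described above, as an added example in Python that is not the talk's own proof-of-concept utility: read purl external references from a constructed SPDX 2.3 document, build the request body for OSV's querybatch endpoint, and then follow the relationships backwards to find which elements are impacted by whatever OSV reports. The document, the package names and versions, and the function names are this example's own assumptions.

```python
def _pkg(spdx_id, name, version, purl=None):
    """Constructed SPDX package entry; a purl, when given, becomes an externalRefs entry."""
    pkg = {"SPDXID": spdx_id, "name": name, "versionInfo": version}
    if purl:  # purl is the external reference type that OSV can be queried with
        pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                "referenceType": "purl", "referenceLocator": purl}]
    return pkg

# Constructed SPDX 2.3 document (not from the talk): an app depending on two purl-identified libraries.
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        _pkg("SPDXRef-App", "myapp", "1.0.0"),
        _pkg("SPDXRef-Log4j", "log4j-core", "2.14.1",
             "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"),
        _pkg("SPDXRef-Guava", "guava", "31.0-jre", "pkg:maven/com.google.guava/guava@31.0-jre"),
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-App", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Log4j"},
        {"spdxElementId": "SPDXRef-App", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Guava"},
    ],
}

def purls_by_id(doc):
    """Map SPDXID -> purl for every package carrying a purl external reference."""
    return {p["SPDXID"]: r["referenceLocator"] for p in doc.get("packages", [])
            for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"}

def build_osv_querybatch(doc):
    """Body for POST https://api.osv.dev/v1/querybatch; ids[i] is the SPDXID behind queries[i]."""
    purls = purls_by_id(doc)
    return {"queries": [{"package": {"purl": purls[i]}} for i in purls]}, list(purls)

def vulnerable_ids(osv_response, ids):
    """OSV answers in query order; keep the SPDXIDs whose result lists at least one vuln."""
    return {i for i, r in zip(ids, osv_response["results"]) if r.get("vulns")}

def impacted(doc, vulnerable):
    """Walk dependency/containment relationships backwards to every element that transitively relies on a vulnerable one."""
    parents = {}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] in {"DEPENDS_ON", "CONTAINS", "STATIC_LINK", "DYNAMIC_LINK"}:
            parents.setdefault(rel["relatedSpdxElement"], set()).add(rel["spdxElementId"])
    seen, stack = set(), list(vulnerable)
    while stack:
        for parent in parents.get(stack.pop(), set()) - seen:
            seen.add(parent); stack.append(parent)
    return seen
```

The body is what a caller would POST to https://api.osv.dev/v1/querybatch; vulnerable_ids expects the JSON object that call returns, which has one entry in results per query.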