SBOMs Are Not Enough

SBOM Entry (Example) { “type” : “library”, “bom-ref” : “pkg:maven/org.testng/testng@7.5.1?type=jar”, “purl” : “pkg:maven/org.testng/testng@7.5.1?type=jar”, “group” : “org.testng”, “name” : “testng”, “version” : “7.5.1”, “description” : “Testing framework for Java”, “scope” : “required”, “hashes” : [ { “alg” : “SHA-256”, “content” : “a5ac92d2362ccb3a509abe68e385ca809a7c96fcbaf851b3ee8bacb2ac899e2f” }, { “alg” : “SHA-512”, “content” : “0bdf858bd678e0887709cc2598f8857b4b86184af7a7dbb3cd20bb6b39c20587ea135fa3bbe645d9d863df78ed4cd67637edd248ed6c454db…” } ], “licenses” : [ { “license” : { “id” : “Apache-2.0” } } ], “externalReferences” : [ { “type” : “website”, “url” : “https://testng.org” }, { “type” : “issue-tracker”, “url” : “https://github.com/cbeust/testng/issues” }, { “type” : “vcs”, “url” : “https://github.com/cbeust/testng.git” } ] }, bdemers